APT Uses Spear Phishing in New Campaign

APT Uses Spear Phishing in New Campaign

An advanced persistent threat group, active since at least 2016 and suspected in exploiting multiple attacks around the globe, is reportedly targeting institutions in Europe and Russia, according to a report released today from NETSCOUT Arbor.

On 13 August NETSCOUT’s ASERT team identified new spear-phishing campaign activity from the financially motivated hacking group Cobalt. Given that the messages appear to be coming from a trusted source, many victims fall prey to these types of campaigns in which malicious actors disguise themselves as other financial institutions. 

The phishing messages used to gain entry look as if they come from a financial vendor or partner domains, increasing the likelihood of infection. In addition, the group reportedly uses tools that allow them to bypass Window’s defenses.

NS Bank in Russia and Banca Comerciala Carpatica of Romania were the two phishing targets found in which one of the phishing emails was weaponized with two malicious URLs.

The first contained a malicious Word document that obfuscated VBA scripts, which researchers said differed from the known CVEs that had been used in parallel to this campaign.

The second weapon was a binary with a JEPG extension. Researchers analyzed the binaries and found that they contained “two unique C2 servers we believe are owned and operated by the Cobalt hacking Group.”

These two malware samples suggest that the campaigns are connected to Cobalt Group. Analysis showed that a JavaScript backdoor, believed to be a stager for additional payloads, contained functionality that is similar to another version of a similar backdoor.

“This Cobalt Group actor(s) mimic financial entities or their vendors/partners in order to gain a foothold in the target’s network. Making use of separate infection points in one email with two separate C2s makes this email peculiar,” researchers wrote.

“One could speculate that this would increase the infection odds. The actor tries to hide the infection by using regsvr32.exe and cmstp.exe, which are both known for by-passing AppLocker (configuration dependent)," they continued.

"ASERT believes Cobalt Group will continue targeting financial organizations in Eastern Europe and Russia based on the observables in this campaign and their normal modus operandi.”

Source: Information Security Magazine