Cobalt Group Uses New Version of ThreadKit Malware

Cobalt Group Uses New Version of ThreadKit Malware

Researchers have discovered a new version of ThreadKit, malware known to be used by Cobalt Group, first identified in 2016, according to Fidelis Cybersecurity.

In the recently released report, Fidelis threat research analysts found that despite reported arrests, Cobalt Group continues to remain active, using a new version of ThreadKit, a macro delivery framework sold and used by numerous actors and groups. In addition, researchers identified CobInt, a loader and backdoor framework utilized in profiling systems.

The threat group had largely been targeting banks in Eastern Europe using phishing emails with malicious PDF attachments that allowed the group to steal more than $32,000 from multiple ATMs in an overnight attack.

“The group has since built a reputation for their highly targeted, network intrusion methods. They expanded their geographical target area out of Eastern Europe, to include North America, South America and Western Europe as well as expanded their targets from banks, to also include supply chain companies, financial exchanges, investment funds, and lenders,” wrote Jason Reaves, Fidelis threat research principal engineer, in a blog post.

Prior to Interpol reportedly arresting the group’s leader in March 2018, it was estimated that the threat actors had pilfered as much as $1.2 billion from banks across 40 different countries.

Apparently the group has new leadership, as researchers identified what appeared to be renewed activity from the group in May 2018. In the group's recent activity analyzed in the report, attackers using the Cobalt Group malware frameworks continue to hone their skills crafting tailor-made emails that appear to come from a financial partner of the targeted institution.

“In October 2018, Fidelis identified a new version of ThreadKit. As per Cobalt Group’s typical methods, the malware was delivered via phishing email, containing a RFT Microsoft Office attachment which contained an evolved version of the exploit builder kit first uncovered in October 2017,” Reaves wrote.

Source: Information Security Magazine