Cobalt Group

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.[1][2][3][4][5][6][7] Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.[8]

ID: G0080
Associated Groups: GOLD KINGSWOOD, Cobalt Gang, Cobalt Spider
Version: 2.1
Created: 17 October 2018
Last Modified: 22 March 2023

Associated Group Descriptions

Name Description
GOLD KINGSWOOD [9]
Cobalt Gang [1][10][11]
Cobalt Spider [10]

Techniques Used

Domain ID Name Use
Enterprise T1220 XSL Script Processing

Cobalt Group used msxsl.exe to bypass AppLocker and to invoke Jscript code from an XSL file.[1]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

Cobalt Group has compromised legitimate web browser updates to deliver a backdoor.[12]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Cobalt Group has created new services to establish persistence.[4]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Cobalt Group has used the Plink utility to create SSH tunnels.[4]

Enterprise T1572 Protocol Tunneling

Cobalt Group has used the Plink utility to create SSH tunnels.[1][3][4]

Enterprise T1037 .001 Boot or Logon Initialization Scripts: Logon Script (Windows)

Cobalt Group has added persistence by registering the file name for the next stage malware under HKCU\Environment\UserInitMprLogonScript.[11]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike.[4]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Cobalt Group has used powershell.exe to download and execute scripts.[1][2][3][4][7][13]

.003 Command and Scripting Interpreter: Windows Command Shell

Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands.[11] The group has used an exploit toolkit known as Threadkit that launches .bat files.[1][2][4][11][14][13]

.005 Command and Scripting Interpreter: Visual Basic

Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution.[1][2][4][11][14][13]

.007 Command and Scripting Interpreter: JavaScript

Cobalt Group has executed JavaScript scriptlets on the victim's machine.[1][2][4][11][14][13]

Enterprise T1203 Exploitation for Client Execution

Cobalt Group has exploited multiple vulnerabilities for execution, including Microsoft's Equation Editor (CVE-2017-11882), an Internet Explorer vulnerability (CVE-2018-8174), CVE-2017-8570, CVE-2017-0199, and CVE-2017-8759.[1][2][3][5][6][7][10][13]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Cobalt Group has used HTTPS for C2.[1][3][4]

.004 Application Layer Protocol: DNS

Cobalt Group has used DNS tunneling for C2.[1][3][4]

Enterprise T1068 Exploitation for Privilege Escalation

Cobalt Group has used exploits to increase their levels of rights and privileges.[4]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Cobalt Group obfuscated several scriptlets and code used on the victim's machine, including through use of XOR and RC4.[1][11]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Cobalt Group has bypassed UAC.[4]

Enterprise T1204 .001 User Execution: Malicious Link

Cobalt Group has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine.[1][14][9]

.002 User Execution: Malicious File

Cobalt Group has sent emails containing malicious attachments that require users to execute a file or macro to infect the victim machine.[1][14]

Enterprise T1070 .004 Indicator Removal: File Deletion

Cobalt Group deleted the DLL dropper from the victim's machine to cover their tracks.[1]

Enterprise T1218 .003 System Binary Proxy Execution: CMSTP

Cobalt Group has used the command cmstp.exe /s /ns C:\Users\ADMINI~W\AppData\Local\Temp\XKNqbpzl.txt to bypass AppLocker and launch a malicious script.[1][11][14]

.008 System Binary Proxy Execution: Odbcconf

Cobalt Group has used odbcconf to proxy the execution of malicious DLL files.[13]

.010 System Binary Proxy Execution: Regsvr32

Cobalt Group has used regsvr32.exe to execute scripts.[1][11][13]

Enterprise T1046 Network Service Discovery

Cobalt Group leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning.[2][3][4]

Enterprise T1588 .002 Obtain Capabilities: Tool

Cobalt Group has obtained and used a variety of tools including Mimikatz, PsExec, Cobalt Strike, and SDelete.[3]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine.[11]

Enterprise T1105 Ingress Tool Transfer

Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers.[2][3] The group's JavaScript backdoor is also capable of downloading files.[11]

Enterprise T1055 Process Injection

Cobalt Group has injected code into trusted processes.[4]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

Cobalt Group has sent malicious Word OLE compound documents to victims.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Cobalt Group has used Remote Desktop Protocol to conduct lateral movement.[4]

Enterprise T1219 Remote Access Software

Cobalt Group used the Ammyy Admin tool as well as TeamViewer for remote access, including to preserve remote access if a Cobalt Strike module was lost.[2][3][4]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Cobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password-protected archives containing .exe and .scr executables.[1][2][3][4][5][6][14][13]

.002 Phishing: Spearphishing Link

Cobalt Group has sent emails with URLs pointing to malicious documents.[1][9]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Cobalt Group has created Windows tasks to establish persistence.[4]

Software

ID Name References Techniques
S0154 Cobalt Strike [1][2][4][5][6][7][10][13] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S0002 Mimikatz [2][3][4] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0284 More_eggs [1][12] Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Network Configuration Discovery, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Subvert Trust Controls: Code Signing
S0029 PsExec [2][4] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares
S0195 SDelete [3] Data Destruction, Indicator Removal: File Deletion
S0646 SpicyOmelette [9] Data from Local System, Command and Scripting Interpreter: JavaScript, User Execution: Malicious Link, System Information Discovery, System Network Configuration Discovery, Software Discovery, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Remote System Discovery, Phishing: Spearphishing Link, Subvert Trust Controls: Code Signing