Notorious hacking group said to be targeting eastern European financial institutions

A new hacking campaign on financial institutions across eastern Europe has been attributed to the notorious Cobalt Group after researchers found malware similar to that used on previous attacks.

The Cobalt Group, also known as Carbanak, is a cybergang chiefly known for its attacks on the SWIFT banking system and ATMs, which organizations like Europol estimate have cost the banking industry over €1 billion since the group’s inception in late 2013.

Europol said that the malware used by Cobalt was allowing criminals to steal up to €10 million per heist, and a 2016 theft of $81 million from a bank in Bangladesh saw a complete overhaul of SWIFT’s security practices – although it is not known whether Cobalt was responsible for the attack.

But despite the arrest of the gang’s leader by Europol in March of this year, Cobalt appears to have remained active, according to a new report from Netscout, which indicates the cybergang recently infiltrated NS Bank in Russia and Patria Bank in Romania.

The banks are targeted, the report said, through spear-phishing emails containing two different payloads – a Word document with obfuscated VBA scripts and a malicious .jpg file.

These malicious files, effectively a backdoor for entry, are linked to two different command-and-control servers thought to be operated by Cobalt.

“This Cobalt Group actor(s) mimic financial entities or their vendors/partners in order to gain a foothold in the target’s network,” said Netscout.

“Making use of separate infection points in one email with two separate C2s makes this email peculiar. One could speculate that this would increase the infection odds.

“The actor tries to hide the infection by using regsvr32.exe and cmstp.exe, which are both known for by-passing AppLocker (configuration dependent).”

Using multiple tactics for infiltration increases Cobalt’s chances of compromising a system, and tools to bypass Windows’ defenses are equally deployed.

Netscout added: “We believe Cobalt Group will continue targeting financial organizations in eastern Europe and Russia based on the observables in this campaign and their normal modus operandi.”