Double the Infection, Double the Fun

Cobalt Phish Connection
by ASERT Team on

Executive Summary

Cobalt Group (aka TEMP.Metastrike), active since at least late 2016, have been suspected in attacks across dozens of countries. The group primarily targets financial organizations, often with the use of ATM malware. Researchers also believe they are responsible for a series of attacks on the SWIFT banking system which costs millions in damages to the impacted entities. On August 13, ASERT observed the financially-motivated hacking group actively pushing a new campaign. We believe the targeted institutions for the ongoing campaign are located in eastern Europe and Russia.  The active campaigns utilize spear phishing messages to gain entry. The emails appear to come from a financial vendor or partner, increasing the likelihood of infection.  The group uses tools that can bypass Window’s defenses.

NOTE: Arbor APS enterprise security products detect and block all activity noted in this report.

Key Findings

  • Recent campaigns masquerade as other financial institutions or a financial supplier/partner domain to trick potential victims into trusting the messages.
  • Two phishing targets found.
    • NS Bank (Russia)
    • Banca Comercială Carpatica / Patria Bank (Romania)
  • One phishing email contains two malicious URLs.
    • The first one is a weaponized Word document.  The document contains obfuscated VBA scripts as opposed to known CVEs used in parallel to this campaign.
    • The second one is a binary with a jpg extension.
  • The binaries analyzed contained two unique C2 servers we believe are owned and operated by the Cobalt hacking Group.

Details

Cobalt Group Connection

ASERT recently uncovered two different malware samples which we believe connect the active campaigns to Cobalt Group. The first sample, a JavaScript backdoor, shares functionality with previous versions of a similar backdoor. The second binary, CobInt/COOLPANTS, is a reconnaissance backdoor as noted by security researchers.

JavaScript Backdoor

The JavaScript Backdoor is believed to be a stager for additional payloads.  This stager, previously analyzed by security researchers from Group-IB, and the JavaScript Backdoor ASERT analyzed exhibits similar functionality as noted below:

  • Registry key settings for persistence
  • Launched in an SCT (a scriptlet COM object) called via regsvr32.exe
    • An AppLocker by-pass technique (squiblydoo).
  • Use of RC4 to encrypt traffic
  • Same type of system information collected
  • The C2 command names show striking similarity
  • The C2 communication structure is also closely aligned between the two samples

CobInt/COOLPANTS

The second binary identified by security researchers, dubbed “Recon (CobInt) backdoor”, matched a new sample ASERT identified. A number of binaries came to light after the initial findings of the CobInt backdoor. The following are a few of these binaries, including the new sample identified by ASERT researchers (Figure 1):

  • Sample: 10d044bc5b8ae607501304e61b2efecb
    • Security Researchers identify a “patient zero” binary and called it CobInt.
      • Listed in a recent report as a tool used by Cobalt Group
  • Sample: d017bf9f6039445bfefd95a853b2e4c4
    • An found a sample on July 9, 2018 and called it COOLPANTS.
    • Appears to be an evolution of CobInt due to similarities in the binary when cross-referenced
      • 28 of the 57 functions matched using Diaphora, a tool that compares binary functions
    • C2 tied to Cobalt Group reporting: hxxps://apstore[.]info
  • New Sample: 616199072a11d95373b3c38626ad4c93
    • Found by ASERT August 13th 2018
    • Very similar to COOLPANTS when cross-referencing the binaries:
      • All 48 functions under “Best Match” tab in Diaphora
    • Same compilation time as COOLPANTS: 2018-06-13 20:44:15
    • C2: rietumu[.]me.
      • The sample evolution supports the theory that rietumu[.]me belongs to the Cobalt hacking group.


CobInt/COOLPANTS

Figure 1. CobInt/COOLPANTS

Phish & Infrastructure Analysis

After inspecting the domain, rietumu[.]me, ASERT uncovered the email address solisariana[@]protonmail[.]com.  Pivoting on the email leads to five additional domains each with a creation date of: 2018-08-01.

  1. compass[.]plus
  2. eucentalbank[.]com
  3. europecentalbank[.]com
  4. inter-kassa[.]com
  5. unibank[.]credit

Hunting for samples associated with inter-kassa[.]com leads to a phishing email uploaded to VirusTotal, d3ac921038773c9b59fa6b229baa6469 (Figure 2). At the time of analysis, VirusTotal scored the phishing email with a 0, indicating nothing malicious was identified by the anti-virus engines.   

 Phishing Email Header

Figure 2. Phishing Email Header

Most of the email content appears benign except for a link embedded in the message. The name “Interkassa” appears to be a payment processing system which makes it a prime masquerading target for attackers as noted in the tactics employed by the Cobalt Group for this ongoing campaign. The links embedded in the phishing email are as follows:

  1. hxxps://download.outlook-368[.]com/Document00591674.doc
    1. Live on August 14, 2018
  2. hxxp://sepa-europa[.]eu/transactions/id02082018.jpg
    1. Not live at time of analysis but a sample matching the full URL was uploaded to VirusTotal.

Document Infection Chain

Payload Stager: Part One

The document from the embedded URL in the phishing email, Document00591674.doc (61e3207a3ea674c2ae012f44f2f5618b), renders a VBA infested word document which continues the infection cycle once macros are enabled. NOTE: The document requires user permission and/or a policy enabled that allows Macros to run for a successful launch. The VBA script pieces together a cmd.exe command that launches cmstp.exe with an INF file (figure 3) allowing to potentially by-pass AppLocker.  The INF file then beacons to download.outlook-368[.]com to download a remote payload that cmstp.exe will execute. 

Figure 3. INF File

Figure 3. INF File

The file, info.txt, downloaded from download.outlook-368[.]com is an XML file with an embedded scriptlet tag.  The XML’s content includes a registration section allowing it to be used as a SCT/COM object (Figure 4). [caption id="attachment_9607" align="aligncenter" width="908"]Figure 4. COM Object

Figure 4. COM Object

“cmstp.exe” executes the SCT file, which subsequently drops and launches the JavaScript backdoor dropper binary, 31385.txt (e368365bece9fb5b0bc8de1209bab694), disguised as a text file.  For the dropped binary, Cobalt Group makes use of another system provided binary to add a layer of stealth and bypass possible protections like AppLocker by launching it using regsvr32.exe (Figure 5). 

This is consistent with TTPs for this actor. Figure 5. regsvr32 launching the 31385.txt Figure 5.regsvr32 launching the 31385.txt

The DLL file, 31385.txt, masquerading as a text file, is the last stage in the infection chain.  The DLL drops the final obfuscated embedded file and launches it using regsvr32.exe before deleting itself (Figure 6).

Figure 6. Final Obfuscated Script Figure 6. Final Obfuscated Script

The above script (Figure 6) is launched using regsvr32.exe:

  • REgSvr32 /S /N /U /I:"C:/Users/zgSpbU9Lu/AppData/Roaming/7F235861DB0B0024C3.txt" sCRObJ

The script ensures persistence by modifying the registry key UserInitMprLoginScript with the following value:

  • Regxvr32 /S /N /U /I:C:/Users/<redact>/AppData/Roaming/EE02EB37AA8.txt ScRObJ

De-obfuscating the final script renders the C2 along with the RC4 key.  This is the JavaScript backdoor “more_eggs” which has been analyzed by other researchers over the past few years (Figure 7).

Figure 7. De-Obfuscated JavaScript Backdoor

Figure 7. De-Obfuscated JavaScript Backdoor - “More_eggs”

Backdoor “more_eggs” commands:

  1. d&exec – Downloads and executes a PE file.
  2. more_eggs – Downloads an update for itself.
  3. gtfo – Delete itself and related registry entries.
  4. more_onion – Executes the “new” copy of itself.
  5. vai_x – Executes a command via cmd.

NOTE: Commands 1 – 4 match the commands described in other public reporting.  Command 5 differs in name only; what it does remains the same.  The public report shows “more_power” as the name of the fifth command.  Figure 8: Execution Flow

Figure 8: Execution Flow

JPEG Infection Chain

File Execution

The second URL identified in the phishing email, hxxp://sepa-europa[.]eu/transactions/id02082018.jpg, acts as a red-herring; id02082018.jpg, 9a87da405a53eaf32f8a24d3abb085af - UPX unpacked, is an executable rather than an image file.  The sample is littered with junk code that spends CPU cycles before proceeding to de-obfuscate itself.  The unpacking routine involves overwriting itself in memory with another executable. This overwritten binary loads a resource and jumps to the executable code contained in it.  The unpacked binary will fail when LoadResource is called if it’s not running in the context of the original binary (Figure 9). 

Figure 9: LoadResource()

Figure 9: LoadResource()

The loaded shellcode first deobfuscates itself before beaconing to the C2 server for additional payloads or scripts. Figure 10: C2 Server Figure 10: C2 Server

At the time of analysis, the C2 server did not respond; however, there is another binary with the same C2 found in ASERT’s malware zoo which bears a striking resemblance to CobInt.

Full Circle

The binary, 452903fc857fb98f4339d7ce1884099, makes use of the C2 ibfseed[.]com.  Comparing this binary to another CobInt (616199072a11d95373b3c38626ad4c93) sample using Diaphora, ASERT determined this to be another CobInt/COOLPANTS sample.  We believe this binary is tied to Cobalt Group using the same methodology and binary comparisons as the previously discussed malware samples.  

Romanian Target Spotted

Phish

Working closely with Intel471, one of our Threat Intelligence partners, we found an additional Cobalt Group phishing campaign targeting carpatica[.]ro by masquerading as Single Euro Payments Area (SEPA).  “carpatica[.]ro” belongs to Banca Comercială Carpatica, a bank in Romania that merged with Patria Bank in 2017. 

Figure 11: Romanian Bank Phish Header Figure 11: Romanian Bank Phish Header

Cobalt Group Connection

The phishing email uncovered by Intel471 downloads 9270ac1e013a3b33c44666a66795d0c0.  The downloaded file shares the same PDB string as 1999a718fb9bcf3c5b3e41bf88be9067.  That sample connects to rietumu[.]me, which ASERT identified as belonging to Cobalt Group (Figure 12). 

Figure 12: Cobalt Phish Connection

Figure 12: Cobalt Phish Connection

Summary

This Cobalt Group actor(s) mimic financial entities or their vendors/partners in order to gain a foothold in the target’s network.  Making use of separate infection points in one email with two separate C2s makes this email peculiar.  One could speculate that this would increase the infection odds.  The actor tries to hide the infection by using regsvr32.exe and cmstp.exe, which are both known for by-passing AppLocker (configuration dependent).  ASERT believes Cobalt Group will continue targeting financial organizations in Eastern Europe and Russia based on the observables in this campaign and their normal modus operandi.  ASERT also recommends that employees are trained to spot phishing emails and, where possible, closely inspect emails for look-alike domains that might contain malicious attachments or links.  

IOCs

10D044BC5B8AE607501304E61B2EFECB - CobInt d017bf9f6039445bfefd95a853b2e4c4 - COOLPANTS 616199072a11d95373b3c38626ad4c93 – Coblnt/COOLPANTS (ASERT Sample) d3ac921038773c9b59fa6b229baa6469 - Email 61e3207a3ea674c2ae012f44f2f5618b - Document00591674.doc e368365bece9fb5b0bc8de1209bab694 – DLL File 3452903fc857fb98f4339d7ce1884099 – CobInt/COOLPANTS (ASERT Sample) 9a87da405a53eaf32f8a24d3abb085af – id02082018.jpg (UPX Unpacked) f3bb3e2c03f3976c107de88b43a22655 – id02082018.jpg (UPX Packed) a3b705ce3d677361a7a9b2b0bdf04a04 – Email (carpatica) attachment eb93c912e4d3ecf52615b198c44771f4 – Email (carpatica) 9270ac1e013a3b33c44666a66795d0c0 - Email (carpatica)Downloaded 1999a718fb9bcf3c5b3e41bf88be9067   hxxps://help-desc-me[.]com hxxps://apstore[.]info hxxps://rietumu[.]me hxxps://ww3.cloudfront[.]org[.]kz hxxp://download.outlook-368[.]com hxxps://ibfseed[.]com   compass[.]plus eucentalbank[.]com europecentalbank[.]com inter-kassa[.]com unibank[.]credit sepacloud[.]eu sepa-cloud[.]com

Posted In
  • Uncategorized