The Cobalt Group, an infamous crew of Ukrainian hackers that some reports also identify with FIN7 and the Carbanak Group, is launching a string of new attacks on banks.
The group is reported to have stolen more than a billion dollars from banks over the past few years. According to authorities, it has also stolen more than 15 million payment card records from more than 6,500 point-of-sale terminals.
Recently the group attacked banks in Russia and Romania, according to threat intelligence researchers who discovered the operation last month.
Resurgence of Activity
The Cobalt Group has been active since 2013 and has attacked more than 100 banks around the world.
The group's alleged leader was arrested in Spain earlier this year, and three other members have since been charged, but the group remains active.
In a full report, researchers at ASERT (NETSCOUT Arbor's Security Engineering and Response Team) state that they spotted the group's activity resuming in mid-August, only a few months after the ringleader's arrest.
According to reports, the core group consists of several people, and the arrests disrupted only its money-laundering side, not its intrusion operations.
ASERT expects the Cobalt Group to keep attacking banks in Russia and Eastern Europe.
Spear Phishing Attacks
The latest attacks are spear phishing campaigns against Russian and Romanian banks: emails sent from domains that mimic the banks' vendors and carrying links to two separate payloads, each of which points to a different command-and-control server.
The messages were crafted to look as if they came from related financial institutions and led recipients to malicious programs.
ASERT spotted the Cobalt Group's signature on August 13, in attacks on NS Bank in Russia and Patria Bank in Romania.
Pivoting on the sending domain led the ASERT researchers to five other domains registered in early August, along with further domains that mimicked financial institutions.
One of the Cobalt Group's standard methods against financial institutions is spear phishing email that gives it an initial foothold in a bank's network.
These emails impersonate other financial institutions, suppliers and partners in order to win the recipient's trust.
Mimicking Legitimate Institutions
Interkassa, a payment processing service for online transactions in multiple currencies, was impersonated in one of the Cobalt Group's attacks.
In this particular attack, ASERT researchers found two malware samples that led back to the Cobalt Group.
During that investigation they also found a spear phishing email bearing all the hallmarks of earlier Cobalt campaigns.
The email contained two malicious links: one led to a Word document, the other to an executable binary disguised with a .jpg extension.
ASERT found the email in a phishing message sent to an employee of Russia-based NS Bank from a domain mimicking Interkassa.
The Cobalt Group is notorious for polished spear phishing emails that look legitimate and carry Word document attachments.
According to ASERT, the malware bypasses Windows AppLocker by executing through built-in Windows binaries that AppLocker's default rules allow to run, so a default AppLocker configuration does not block it.
ASERT is confident that the campaign is the work of the Cobalt Group. The email also offers two separate infection paths, which ASERT believes is meant to raise the odds of a successful infection.
That is, if the victim has disabled Word macros, the disguised .jpg file can still compromise them.
The tactic is an insurance policy for the attackers: the victim only needs to click one of the two links.
Normally such attackers pair a malicious attachment with a malicious link rather than sending two malicious links.
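The two tricks described above, a lookalike sender domain and a "picture" link that actually serves an executable, are the kind of thing a mail-gateway or triage script can flag mechanically. The following is an added example written for this page, not code from the article or from ASERT's report. It parses a constructed sample email, checks the sender domain against a hypothetical allow-list of partner brands (LEGIT) using exact match and edit distance, extracts every link, and compares each link's extension with the magic bytes of what the link returned. Because it runs offline, the fetched content is embedded in the FETCHED table; in practice that table would be filled by a sandboxed downloader. All domains, addresses and paths are invented placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample email modelled on the pattern described above: a sender
# domain that mimics a payment processor, and two links on different hosts,
# one ending in .doc and one ending in .jpg. Every address, host and path
# here is an invented placeholder, not an indicator from the campaign.
SAMPLE_EMAIL = """\
From: Interkassa Support <support@interkassa-support.example>
To: employee@bank.example
Subject: Updated payment terms
Content-Type: text/plain; charset=utf-8

Please review the updated agreement:
http://docs-update.example/agreement.doc
If the document does not open, see the scanned copy:
http://img-cdn.example/agreement.jpg
"""

# Constructed bytes standing in for what each link returned when fetched
# (embedded so the example runs offline). The ".jpg" link returns a file
# that starts with the "MZ" header of a Windows executable.
FETCHED = {
    "http://docs-update.example/agreement.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    "http://img-cdn.example/agreement.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8,
}

# Hypothetical allow-list: brand name -> the one domain that brand really sends from.
LEGIT = {"interkassa": "interkassa.example", "nsbank": "nsbank.example"}

# File signatures (magic bytes) for the types a bank employee expects to receive.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"MZ": "pe",                   # Windows PE executable
    b"\xd0\xcf\x11\xe0": "ole2",   # legacy .doc / .xls container
    b"PK\x03\x04": "zip",          # .docx and other Office Open XML files
    b"%PDF": "pdf",
}
EXPECTED_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "doc": "ole2", "docx": "zip", "pdf": "pdf"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a, b):
    """Edit distance, used to catch one-character lookalikes such as 1nterkassa."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain):
    """Return the brand a sender domain imitates, or None if it is unrelated or the real domain."""
    domain = domain.lower()
    for token in re.split(r"[-.]", domain):
        for brand, real_domain in LEGIT.items():
            if domain != real_domain and (token == brand or levenshtein(token, brand) <= 1):
                return brand
    return None


def sniff(data):
    """Identify a file by its leading bytes, regardless of the name it was served under."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def analyze(raw_email, fetched):
    """Flag a lookalike sender and any link whose real content type does not
    match its extension (the .jpg that is really a PE)."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    urls = URL_RE.findall(body.get_content()) if body else []
    sender = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    mismatches = []
    for url in urls:
        ext = urlparse(url).path.rsplit(".", 1)[-1].lower()
        kind = sniff(fetched.get(url, b""))
        if ext in EXPECTED_KIND and kind != EXPECTED_KIND[ext]:
            mismatches.append((url, ext, kind))
    result = {
        "sender_domain": sender,
        "lookalike_of": lookalike_brand(sender),
        "distinct_hosts": len({urlparse(u).hostname for u in urls}),
        "mismatches": mismatches,
    }
    result["suspicious"] = bool(result["lookalike_of"] or mismatches)
    return result


if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL, FETCHED))
```

The extension check is deliberately done on the bytes the link serves rather than on the URL alone: the whole point of the disguised .jpg is that filters keyed on extension or on Content-Type headers wave it through. The distinct_hosts count is reported so that an email with several links to unrelated infrastructure, the double-payload pattern described above, stands out even when each link on its own looks harmless.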
Huge Cybercrime Operation
According to experts, the Cobalt Group continues to operate despite the arrests of its leaders, which shows how hard it is to shut down a large cybercrime operation built on international ties.
Many people are involved in the group's operation, and arresting one member does not stop the others.