Group-IB: Cobalt’s Latest Attacks on Banks Confirm Connection to Anunak

Cobalt Renaissance: Cobalt hacker group’s latest attack has been completed on behalf of a large antimalware vendor. Group-IB’s experts have analyzed Cobalt’s development and modification of tools and tactics which were used to steal approximately 1 billion EUR from over 100 banks in 40 different countries.

Group-IB, a leading provider of intelligence-driven cyber-security, has released a new report on Cobalt group’s attacks against banks and financial sector organizations worldwide. Group-IB’s Threat Intelligence team is providing unique insights on the joint operations of Cobalt and Anunak (Carbanak) groups and have been analyzing their tactics, tools and procedures since the beginning of their operations to present day. Despite the arrest of the operator of the criminal group, Cobalt’s most recent targeted attack activity was monitored by Group-IB on May 23 and 28, 2018. These attacks mainly focused on banks in Russia and CIS countries, however based on the content of the spear phishing email, it is likely that western financial organizations were also targeted. Interestingly, one of the recent phishing campaigns purported to be from a large anti-virus vendor. Group-IB believes that in the most recent events Cobalt and Anunak had joint operations.

According to Europol, these threat actors have been linked to thefts of approximately one billion euros. One of the largest single attempted thefts was of over 25 million EUR from a European bank via card processing.

The report, «Cobalt: Evolution and Joint Operations», provides an analysis of the development of one of the most aggressive hacker groups responsible for financial damage to banks and financial services organizations in the Americas, Europe, Middle East and South East Asia. Cobalt has continued target internal financial services systems to steal from Card Processing, ATMs, payment gateways and SWIFT systems. Group-IB experts provide insights in our reporting directly from first hand incident response and covers their activity from the beginning of their operations in 2016.

New Cobalt spring: malware in anti-virus message

On May 23, Threat Intelligence experts recorded a new large-scale cyberattack made by Cobalt hacker group on the leading banks of Russia and the CIS. Despite the arrest of the group leader in Spain, which became known of on March 26, the remaining members of the group again tested the strength of financial institution security. It is noteworthy that the last attacks in Russia were made 5 months ago, in December 2017.

The first wave of the phishing campaign was tracked on May 23 at 13:21 Moscow time. For the first time in Cobalt’s practice, phishing emails were sent acting as a major anti-virus vendor. The user received a «complaint» in English that activity was recorded from their computer that violated existing legislation. The recipient was asked to read the attached letter and provide detailed explanations. If the response was not received within 48 hours, the «anti-virus company» threatened to impose sanctions on the recipient’s web resources. In order to download the letter, the user was asked to follow the link, which would then infect the Bank employee’s computer.

It was not difficult to conduct attribution and confirm that the campaign was launched by Cobalt: the unique Trojan «Coblnt» was involved in the attack, which has been used by the group since December 2017. The operation is described in detail in Group-IB’s report. The emails were sent from a domain titled « Upon review it was discovered that this domain name was registered by a person with the same name as with previously registered domains for Cobalt attacks.

On May 28, 2018, 1 pm (Moscow time), Group-IB staff detected a new phishing campaign from the Cobalt group. Emails purporting to be from the European Central Bank were sent from the email address ‘v.constancio@ecb-europa[.]info’ to financial institutions. The phishing letter contains a link to the file ‘67972318.doc’, designed to appear as a document describing financial risks.

The Microsoft Word lure document triggers the exploitation of the CVE-2017-11882 vulnerability. After the file is executed, the malware will infect the bank’s system and establish initial persistence using a unique loader JS-backdoor, developed by Cobalt.
At this time, Group-IB experts are not ruling out that there are potentially other victims than only banks in Russia and CIS countries as the spear phishing emails were written in English suggesting foreign banks as targets.

Again, the company’s experts rate the quality of phishing emails as high. For example, in the May 23 attack, the text in English is stylized as a “legal complaint”, the fake website also has a high level of quality, which is not typical of Cobalt. These and other signs again pointed to the possibility that the remaining members of the Cobalt group were conducting a joint operation with other criminal groups, in particular, Anunak. Detailed information with technical indicators of the groups’ operation is provided in the report “Cobalt: Evolution and Joint Operations”.

Cobalt evolution

Cobalt first conducted attacks against banks in Hong Kong and the Ukraine which resulted in SWIFT incidents in the spring of 2016. In both events advanced understanding of banking technology and money laundering capabilities enabled the group to perform the attacks and successfully launder money. This was one of several key indicators described in our report that led to the first hypothesis that Cobalt was not acting alone.

Following the 2016 SWIFT incidents, attacks involving interbank transfer systems ceased and Cobalt switched focus to other critical systems in banks such as ATMs. This was followed by Card Processing attacks which provide a safer withdraw process for Money Mules. Cobalt’s first major attack was against First Bank in Taiwan where attackers managed to steal over $2 million dollars. Following this, Cobalt was then successful in targeting the card processing systems at a bank in Kazakhstan taking over two months to prepare their attack and successfully steal $600,000 through card processing. These attacks were then perfected and intensified in 2017 across tens of incidents.

Cobalt only conducted new attacks on SWIFT 18 months after the April 2016 incidents. In December 2017 for the first time in Russia, they made a successful attack on a bank through SWIFT. This incident was the first SWIFT theft in the history of the Russian banking industry.

Supply chain attacks and Cobalt’s non-typical targets

Throughout the last two years of activity, Cobalt’s has been highly active with group members continuously testing new methods and tools. In addition to banks, Cobalt has also targeted ‘supply chain’ attacks. In February 2017 Group-IB responded to a successful attack on a system integrator which Cobalt used as a vehicle to conduct further attacks on organizations in Russia and former CIS countries. In the 9 months following this incident, Cobalt infiltrated at least four IT Integrators including those in the US.

Cobalt’s attacks include other non-typical targets. In March 2017, they infiltrated a company providing electronic wallets and payment terminals, successfully stealing through a payment gateway. Back then Group-IB staff detected phishing emails disguised as «», an e-wallet payment system. It was a spear-phishing attack on the companies providing electronic wallets and payment terminals. Eight companies in Russia and Ukraine were the targets of this attack. During the incident, attackers managed to transfer more than USD 2 million. Cobalt has continued supply chain attack insurance agencies and the media. In these attacks, they obtain control of mail servers or accounts to further use the victim’s infrastructure for attacks on banks.

In September, Cobalt successfully attacked a company which produces software for payment terminals. In this incident Group-IB was able to discover clear evidence of Anunak involvement (SSH backdoor reuse) and ultimately confirmed the hypothesis of joint operations between the two groups.

Cobalt: armed and still dangerous

In 2017, Cobalt continued to modify their tools. The increasing technical capabilities demonstrate their continued investment into their attacks. For example, Cobalt used a modified version of Petya Ransomware to disrupt the bank’s networks after a failed attempt to steal from their ATM systems.

In 2018, major strides were made to disrupt Cobalt group’s operations when the leader was arrested by Europol and local law enforcement in Alicante, Spain. Following this arrest, Group-IB has continued to monitor new activity from the group, including attacks on March 10th, March 15th and even on the day of the announced arrest, March 26th with spear phishing emails sent to organizations acting as SpamHaus a non-profit organization that fights against spam. Campaigns continue to be tracked by Group-IB experts even as recently as April 3rd when emails were sent from compromised mail servers of a Swedish organization.

Cobalt is still active: its members continue attacks on financial organizations and other companies worldwide. «We have technical proof of collaboration between Cobalt and Carbanak. In order to enable business and market regulators to take preventative measures against these criminals, we provide our customers indicators to protect them from phishing, identify the infrastructure and methods still used by these criminals.

Dmitry Volkov
Dmitry Volkov

Group-IB’s CTO, Head of Threat Intelligence Department

About Group-IB

Group-IB, with its headquarters in Singapore, is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property. The company’s Threat Intelligence and Research Centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), and Europe (Amsterdam).

Group-IB’s Unified Risk Platform is an ecosystem of solutions that understands each organization’s threat profile and tailors defenses against them in real-time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. Group-IB’s products and services consolidated in Group-IB’s Unified Risk Platform include Group-IB’s Threat IntelligenceManaged XDRDigital Risk ProtectionFraud ProtectionAttack Surface ManagementBusiness Email ProtectionAudit & ConsultingEducation & TrainingDigital Forensics & Incident ResponseManaged Detection & Response, and Cyber Investigations.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 19 years of hands-on experience in cybercrime investigations worldwide and more than 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.

Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to protect its clients in cyberspace every day by creating and leveraging innovative solutions and services.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.