Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Преступная группа Cobalt Group
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Cobalt Group
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Cobalt Group

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)(Citation: Proofpoint Cobalt June 2017)(Citation: RiskIQ Cobalt Nov 2017)(Citation: RiskIQ Cobalt Jan 2018) Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.(Citation: Europol Cobalt Mar 2018)
ID: G0080
Associated Groups: Cobalt Spider, GOLD KINGSWOOD, Cobalt Gang
Version: 2.1
Created: 17 Oct 2018
Last Modified: 16 Apr 2025

Associated Group Descriptions
Name Description
Cobalt Spider (Citation: Crowdstrike Global Threat Report Feb 2018)
GOLD KINGSWOOD (Citation: Secureworks GOLD KINGSWOOD September 2018)
Cobalt Gang (Citation: Talos Cobalt Group July 2018) (Citation: Crowdstrike Global Threat Report Feb 2018)(Citation: Morphisec Cobalt Gang Oct 2018)

Techniques Used
Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Cobalt Group has bypassed UAC.(Citation: Group IB Cobalt Aug 2017)
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Cobalt Group has used HTTPS for C2.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)
.004 Application Layer Protocol: DNS

Cobalt Group has used DNS tunneling for C2.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike.(Citation: Group IB Cobalt Aug 2017)
Enterprise T1037 .001 Boot or Logon Initialization Scripts: Logon Script (Windows)

Cobalt Group has added persistence by registering the file name for the next stage malware under HKCU\Environment\UserInitMprLogonScript.(Citation: Morphisec Cobalt Gang Oct 2018)
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Cobalt Group has used powershell.exe to download and execute scripts.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)(Citation: RiskIQ Cobalt Jan 2018)(Citation: TrendMicro Cobalt Group Nov 2017)
.003 Command and Scripting Interpreter: Windows Command Shell

Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands.(Citation: Morphisec Cobalt Gang Oct 2018) The group has used an exploit toolkit known as Threadkit that launches .bat files.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: Group IB Cobalt Aug 2017)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)

.005 Command and Scripting Interpreter: Visual Basic

Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: Group IB Cobalt Aug 2017)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)

.007 Command and Scripting Interpreter: JavaScript

Cobalt Group has executed JavaScript scriptlets on the victim's machine.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: Group IB Cobalt Aug 2017)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Cobalt Group has created new services to establish persistence.(Citation: Group IB Cobalt Aug 2017)
Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Cobalt Group has used the Plink utility to create SSH tunnels.(Citation: Group IB Cobalt Aug 2017)
Enterprise T1070 .004 Indicator Removal: File Deletion

Cobalt Group deleted the DLL dropper from the victim’s machine to cover their tracks.(Citation: Talos Cobalt Group July 2018)
Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

Cobalt Group has sent malicious Word OLE compound documents to victims.(Citation: Talos Cobalt Group July 2018)
Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Cobalt Group obfuscated several scriptlets and code used on the victim’s machine, including through use of XOR and RC4.(Citation: Talos Cobalt Group July 2018)(Citation: Morphisec Cobalt Gang Oct 2018)
Enterprise T1588 .002 Obtain Capabilities: Tool

Cobalt Group has obtained and used a variety of tools including Mimikatz, PsExec, Cobalt Strike, and SDelete.(Citation: PTSecurity Cobalt Dec 2016)
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Cobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password protected archives containing .exe and .scr executables.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)(Citation: Proofpoint Cobalt June 2017)(Citation: RiskIQ Cobalt Nov 2017)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)
.002 Phishing: Spearphishing Link

Cobalt Group has sent emails with URLs pointing to malicious documents.(Citation: Talos Cobalt Group July 2018)(Citation: Secureworks GOLD KINGSWOOD September 2018)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Cobalt Group has used Remote Desktop Protocol to conduct lateral movement.(Citation: Group IB Cobalt Aug 2017)
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Cobalt Group has created Windows tasks to establish persistence.(Citation: Group IB Cobalt Aug 2017)
Enterprise T1518 .001 Software Discovery: Security Software Discovery

Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine.(Citation: Morphisec Cobalt Gang Oct 2018)
Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

Cobalt Group has compromised legitimate web browser updates to deliver a backdoor. (Citation: Crowdstrike GTR2020 Mar 2020)
Enterprise T1218 .003 System Binary Proxy Execution: CMSTP

Cobalt Group has used the command cmstp.exe /s /ns C:\Users\ADMINI~W\AppData\Local\Temp\XKNqbpzl.txt to bypass AppLocker and launch a malicious script.(Citation: Talos Cobalt Group July 2018)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)
.008 System Binary Proxy Execution: Odbcconf

Cobalt Group has used odbcconf to proxy the execution of malicious DLL files.(Citation: TrendMicro Cobalt Group Nov 2017)

.010 System Binary Proxy Execution: Regsvr32

Cobalt Group has used regsvr32.exe to execute scripts.(Citation: Talos Cobalt Group July 2018)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)

Enterprise T1204 .001 User Execution: Malicious Link

Cobalt Group has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine.(Citation: Talos Cobalt Group July 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: Secureworks GOLD KINGSWOOD September 2018)
.002 User Execution: Malicious File

Cobalt Group has sent emails containing malicious attachments that require users to execute a file or macro to infect the victim machine.(Citation: Talos Cobalt Group July 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)

Software
ID Name References Techniques
S0646 SpicyOmelette (Citation: Secureworks GOLD KINGSWOOD September 2018) JavaScript, Spearphishing Link, Code Signing, System Information Discovery, Data from Local System, System Network Configuration Discovery, Security Software Discovery, Remote System Discovery, Software Discovery, Ingress Tool Transfer, Malicious Link
S0154 Cobalt Strike (Citation: Crowdstrike Global Threat Report Feb 2018) (Citation: Group IB Cobalt Aug 2017) (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: Proofpoint Cobalt June 2017) (Citation: RiskIQ Cobalt Jan 2018) (Citation: RiskIQ Cobalt Nov 2017) (Citation: Talos Cobalt Group July 2018) (Citation: TrendMicro Cobalt Group Nov 2017) (Citation: cobaltstrike manual) Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Group IB Cobalt Aug 2017) (Citation: PTSecurity Cobalt Dec 2016) (Citation: PTSecurity Cobalt Group Aug 2017) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0284 More_eggs (Citation: Crowdstrike GTR2020 Mar 2020) (Citation: ESET EvilNum July 2020) (Citation: SKID) (Citation: Security Intelligence More Eggs Aug 2019) (Citation: SpicyOmelette) (Citation: Talos Cobalt Group July 2018) (Citation: Terra Loader) (Citation: Visa FIN6 Feb 2019) System Owner/User Discovery, Standard Encoding, Encrypted/Encoded File, Internet Connection Discovery, Symmetric Cryptography, Code Signing, System Information Discovery, Deobfuscate/Decode Files or Information, System Network Configuration Discovery, Regsvr32, Security Software Discovery, Windows Command Shell, File Deletion, Web Protocols, Ingress Tool Transfer
S0195 SDelete (Citation: Microsoft SDelete July 2016) (Citation: PTSecurity Cobalt Dec 2016) Data Destruction, File Deletion
S0029 PsExec (Citation: Group IB Cobalt Aug 2017) (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution

References

  1. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  2. Europol. (2018, March 26). Mastermind Behind EUR 1 Billion Cyber Bank Robbery Arrested in Spain. Retrieved October 10, 2018.
  3. CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.
  4. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  5. Klijnsma, Y.. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018.
  6. Mesa, M, et al. (2017, June 1). Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions. Retrieved October 10, 2018.
  7. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  8. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
  9. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  10. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  11. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
  12. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.
  13. Klijnsma, Y.. (2017, November 28). Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions. Retrieved October 10, 2018.
  14. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.