
Cobalt Group

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)(Citation: Proofpoint Cobalt June 2017)(Citation: RiskIQ Cobalt Nov 2017)(Citation: RiskIQ Cobalt Jan 2018) Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.(Citation: Europol Cobalt Mar 2018)
ID: G0080
Associated Groups: GOLD KINGSWOOD, Cobalt Gang, Cobalt Spider
Version: 2.0
Created: 17 Oct 2018
Last Modified: 18 Oct 2021

Associated Group Descriptions

Name Description
GOLD KINGSWOOD (Citation: Secureworks GOLD KINGSWOOD September 2018)
Cobalt Gang (Citation: Talos Cobalt Group July 2018) (Citation: Crowdstrike Global Threat Report Feb 2018)(Citation: Morphisec Cobalt Gang Oct 2018)
Cobalt Spider (Citation: Crowdstrike Global Threat Report Feb 2018)

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Cobalt Group has bypassed UAC.(Citation: Group IB Cobalt Aug 2017)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Cobalt Group has used HTTPS for C2.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)

.004 Application Layer Protocol: DNS

Cobalt Group has used DNS tunneling for C2.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike.(Citation: Group IB Cobalt Aug 2017)

Enterprise T1037 .001 Boot or Logon Initialization Scripts: Logon Script (Windows)

Cobalt Group has added persistence by registering the file name for the next stage malware under HKCU\Environment\UserInitMprLogonScript.(Citation: Morphisec Cobalt Gang Oct 2018)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Cobalt Group has used powershell.exe to download and execute scripts.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)(Citation: RiskIQ Cobalt Jan 2018)(Citation: TrendMicro Cobalt Group Nov 2017)

.003 Command and Scripting Interpreter: Windows Command Shell

Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands.(Citation: Morphisec Cobalt Gang Oct 2018) The group has used an exploit toolkit known as Threadkit that launches .bat files.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: Group IB Cobalt Aug 2017)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)

.005 Command and Scripting Interpreter: Visual Basic

Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: Group IB Cobalt Aug 2017)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)

.007 Command and Scripting Interpreter: JavaScript

Cobalt Group has executed JavaScript scriptlets on the victim's machine.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: Group IB Cobalt Aug 2017)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Cobalt Group has created new services to establish persistence.(Citation: Group IB Cobalt Aug 2017)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Cobalt Group has used the Plink utility to create SSH tunnels.(Citation: Group IB Cobalt Aug 2017)

Enterprise T1070 .004 Indicator Removal: File Deletion

Cobalt Group deleted the DLL dropper from the victim’s machine to cover their tracks.(Citation: Talos Cobalt Group July 2018)

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

Cobalt Group has sent malicious Word OLE compound documents to victims.(Citation: Talos Cobalt Group July 2018)

Enterprise T1588 .002 Obtain Capabilities: Tool

Cobalt Group has obtained and used a variety of tools including Mimikatz, PsExec, Cobalt Strike, and SDelete.(Citation: PTSecurity Cobalt Dec 2016)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Cobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password protected archives containing .exe and .scr executables.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)(Citation: Proofpoint Cobalt June 2017)(Citation: RiskIQ Cobalt Nov 2017)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)

.002 Phishing: Spearphishing Link

Cobalt Group has sent emails with URLs pointing to malicious documents.(Citation: Talos Cobalt Group July 2018)(Citation: Secureworks GOLD KINGSWOOD September 2018)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Cobalt Group has used Remote Desktop Protocol to conduct lateral movement.(Citation: Group IB Cobalt Aug 2017)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Cobalt Group has created Windows tasks to establish persistence.(Citation: Group IB Cobalt Aug 2017)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine.(Citation: Morphisec Cobalt Gang Oct 2018)

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

Cobalt Group has compromised legitimate web browser updates to deliver a backdoor. (Citation: Crowdstrike GTR2020 Mar 2020)

Enterprise T1218 .003 System Binary Proxy Execution: CMSTP

Cobalt Group has used the command cmstp.exe /s /ns C:\Users\ADMINI~W\AppData\Local\Temp\XKNqbpzl.txt to bypass AppLocker and launch a malicious script.(Citation: Talos Cobalt Group July 2018)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)

.008 System Binary Proxy Execution: Odbcconf

Cobalt Group has used odbcconf to proxy the execution of malicious DLL files.(Citation: TrendMicro Cobalt Group Nov 2017)

.010 System Binary Proxy Execution: Regsvr32

Cobalt Group has used regsvr32.exe to execute scripts.(Citation: Talos Cobalt Group July 2018)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)

Enterprise T1204 .001 User Execution: Malicious Link

Cobalt Group has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine.(Citation: Talos Cobalt Group July 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: Secureworks GOLD KINGSWOOD September 2018)

.002 User Execution: Malicious File

Cobalt Group has sent emails containing malicious attachments that require users to execute a file or macro to infect the victim machine.(Citation: Talos Cobalt Group July 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)
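Two of the behaviours in the table above are narrow enough to detect directly from endpoint telemetry: the write to HKCU\Environment\UserInitMprLogonScript (T1037.001) and cmstp.exe launched with /s /ns against a non-.inf file in a user's Temp directory (T1218.003). The Python below is an added example, not code from ATT&CK or SECURITM; the flat key=value|key=value event layout and the sample events are constructed for the example (Sysmon event IDs 13 and 1 are real), and the check functions are hypothetical names.

```python
import re
from dataclasses import dataclass

@dataclass
class Alert:
    technique: str
    image: str
    reason: str

# Constructed Sysmon-style events in an assumed flat key=value|key=value layout.
# EventID 13 = registry value set, EventID 1 = process creation (Sysmon numbering).
# Sysmon reports HKCU as HKU\<SID>, so the logon-script key appears under that prefix.
SAMPLE_EVENTS = [
    "EventID=13|Image=C:\\Windows\\System32\\reg.exe|"
    "TargetObject=HKU\\S-1-5-21-111-222-333-1001\\Environment\\UserInitMprLogonScript|"
    "Details=C:\\Users\\Public\\next_stage.js",
    "EventID=13|Image=C:\\Windows\\explorer.exe|"
    "TargetObject=HKU\\S-1-5-21-111-222-333-1001\\Environment\\TEMP|"
    "Details=C:\\Users\\alice\\AppData\\Local\\Temp",
    "EventID=1|Image=C:\\Windows\\System32\\cmstp.exe|"
    "CommandLine=cmstp.exe /s /ns C:\\Users\\ADMINI~W\\AppData\\Local\\Temp\\XKNqbpzl.txt",
    "EventID=1|Image=C:\\Windows\\System32\\cmstp.exe|"
    "CommandLine=cmstp.exe /s C:\\Windows\\System32\\ras\\corpvpn.inf",
]

LOGON_SCRIPT_RE = re.compile(r"\\Environment\\UserInitMprLogonScript$", re.IGNORECASE)
# Last non-flag argument of a cmstp command line is the profile file it installs.
CMSTP_TARGET_RE = re.compile(r"cmstp(?:\.exe)?\s+(?:/\w+\s+)*(\S+)\s*$", re.IGNORECASE)

def parse_event(line):
    """Split one flat event line into a dict of field name -> value."""
    return dict(field.split("=", 1) for field in line.split("|"))

def check_logon_script(ev):
    """T1037.001: any value write to ...\\Environment\\UserInitMprLogonScript.
    Legitimate use is rare, so every write is worth triage."""
    if ev.get("EventID") == "13" and LOGON_SCRIPT_RE.search(ev.get("TargetObject", "")):
        return Alert("T1037.001", ev["Image"], f"UserInitMprLogonScript set to {ev.get('Details')}")
    return None

def check_cmstp(ev):
    """T1218.003: cmstp.exe run silently (/ns) or given a profile that is not
    a .inf file, or one that lives under a user profile directory."""
    if ev.get("EventID") != "1" or not ev.get("Image", "").lower().endswith("\\cmstp.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    m = CMSTP_TARGET_RE.search(cmd)
    target = m.group(1).lower() if m else ""
    silent = "/ns" in cmd.lower().split()
    if silent or (target and (not target.endswith(".inf") or "\\users\\" in target)):
        return Alert("T1218.003", ev["Image"], f"cmstp.exe with non-standard profile: {cmd}")
    return None

def detect(lines):
    """Run both checks over raw event lines and return the alerts raised, in order."""
    alerts = []
    for ev in map(parse_event, lines):
        alerts.extend(a for a in (check_logon_script(ev), check_cmstp(ev)) if a)
    return alerts
```

Running detect(SAMPLE_EVENTS) raises one alert per technique and stays quiet on the two benign events (an ordinary environment-variable write and a cmstp install of a .inf under System32).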

Software

ID Name References Techniques
S0646 SpicyOmelette (Citation: Secureworks GOLD KINGSWOOD September 2018) System Information Discovery, Software Discovery, Spearphishing Link, Data from Local System, Ingress Tool Transfer, System Network Configuration Discovery, JavaScript, Malicious Link, Remote System Discovery, Code Signing, Security Software Discovery
S0154 Cobalt Strike (Citation: cobaltstrike manual) (Citation: Crowdstrike Global Threat Report Feb 2018) (Citation: Group IB Cobalt Aug 2017) (Citation: Proofpoint Cobalt June 2017) (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: RiskIQ Cobalt Jan 2018) (Citation: RiskIQ Cobalt Nov 2017) (Citation: Talos Cobalt Group July 2018) (Citation: TrendMicro Cobalt Group Nov 2017) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Local Accounts, BITS Jobs, Remote Desktop Protocol, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Native API, Parent PID Spoofing, Process Injection, System Service Discovery, Timestomp, System Network Configuration Discovery, SSH, File and Directory Discovery, DNS, Token Impersonation/Theft, DNS, Bypass User Account Control, Process Hollowing, Scheduled Transfer, Security Account Manager, Local Groups, PowerShell, SSH, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Screen Capture, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Pass the Hash, Domain Accounts, Network Share Discovery, Web Protocols, Asymmetric Cryptography, Windows Command Shell, Process Injection, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Remote System Discovery, Visual Basic, Protocol Tunneling, Exploitation for Privilege Escalation, Windows Management Instrumentation, Keylogging, Browser Session Hijacking, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, Indicator Removal from Tools, Domain Account, Internal Proxy, Service Execution, Windows Remote Management, SMB/Windows Admin Shares, Rundll32, Windows Service, Application Layer Protocol, Python, SMB/Windows Admin Shares, Windows Management Instrumentation, Security Account Manager, Make and Impersonate Token, Exploitation for Client Execution, Network Service Discovery, Timestomp, Distributed Component Object Model, Multiband Communication, Commonly Used Port, Network Share Discovery, Custom Command and Control Protocol, Process Discovery, Make and Impersonate Token, Data from Local System, Office Template Macros, Windows Command Shell, Obfuscated Files or Information
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Group IB Cobalt Aug 2017) (Citation: PTSecurity Cobalt Dec 2016) (Citation: PTSecurity Cobalt Group Aug 2017) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0284 More_eggs (Citation: Crowdstrike GTR2020 Mar 2020) (Citation: ESET EvilNum July 2020) (Citation: Security Intelligence More Eggs Aug 2019) (Citation: SKID) (Citation: SpicyOmelette) (Citation: Talos Cobalt Group July 2018) (Citation: Terra Loader) (Citation: Visa FIN6 Feb 2019) Ingress Tool Transfer, Internet Connection Discovery, Deobfuscate/Decode Files or Information, System Information Discovery, Web Protocols, Symmetric Cryptography, Windows Command Shell, Obfuscated Files or Information, File Deletion, System Network Configuration Discovery, Standard Encoding, Security Software Discovery, Code Signing, Regsvr32, System Owner/User Discovery
S0195 SDelete (Citation: Microsoft SDelete July 2016) (Citation: PTSecurity Cobalt Dec 2016) File Deletion, Data Destruction
S0029 PsExec (Citation: Group IB Cobalt Aug 2017) (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

  1. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  2. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  3. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
  4. Mesa, M., et al. (2017, June 1). Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions. Retrieved October 10, 2018.
  5. Klijnsma, Y. (2017, November 28). Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions. Retrieved October 10, 2018.
  6. Klijnsma, Y. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018.
  7. CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.
  8. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
  9. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  10. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  11. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  12. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.
  13. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
  14. Europol. (2018, March 26). Mastermind Behind EUR 1 Billion Cyber Bank Robbery Arrested in Spain. Retrieved October 10, 2018.
