Doubling down on Cobalt Group activity.
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at hewlett.org/cyber.
Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Richard Hummel: [00:01:42] Initially, one of my analysts was sifting through some spam data on some campaigns that he was observing.
Dave Bittner: [00:01:47] That's Richard Hummel. He's manager of threat intelligence with the Netscout Arbor ASERT team. We're discussing their research on the Cobalt Group attacks. The research is titled, "Double the Infection, Double the Fun."
Richard Hummel: [00:02:00] Something stood out to him, specifically around this activity, in that he was looking at a particular phishing email and found out that there were two different malicious URLs in the same body or content of that email. And that struck him as unusual, because typically you have a single malicious link, or you have a malicious attachment and then perhaps a single link as well. But to have two different URLs pointing to two different potential payloads struck him as odd.
Richard Hummel: [00:02:26] So he started doing a little bit of research, and through a series of investigation looking at that email address where the spam phishing was coming from, he tracked it back to five or six different domains that were being used. And they all had a particular theme to them. They were all financial services or payment processors. And to him, that definitely stood out as, hey, maybe this is something a little bit more nefarious, maybe there's a little bit of sophistication and organization around this. So he started digging through it and he started analyzing the payloads that those two URLs led to, it turns out that they shared similarities with some malware that Cobalt Group has used in the past. So that's kind of what kicked everything off for this research.
Dave Bittner: [00:03:07] I see. So, describe to us - what's the background? What do you know about Cobalt Group?
Richard Hummel: [00:03:13] So we haven't been tracking them for a very long time, but they've been active since around 2016, from what we can tell. And their, you know, primary goal is financial motivation. So anything they can do to cash out - they've been known to do some ATM thefts, they've been known to target SWIFT payment systems. There's some public reporting out there, I believe, from Group-IB, that talked about individual SWIFT attacks costing upwards of $1.5 million per incident. So we definitely know that their primary objective and their apparent motivation is to target anybody that has some monetary assets that can then steal.
Richard Hummel: [00:03:47] How they do that, I think, depends on what organization they get into. And at that point, may be an opportunistic, hey, we're into this organization, they're a bank, maybe we can compromise some accounts. Hey, it's SWIFT, let's see if we can do an attack on a SWIFT network. Maybe we get into a bank that has a bunch of ATMs worldwide. They get a bunch of users' credentials, they get their payment cards, and then they organize this cash-out operation.
Richard Hummel: [00:04:10] So, a lot of what we're seeing with this targeting is, you know, we call it these two specific campaigns. But based on the different domains that are registered by the apparent owner, it looks like there's more than just these two. And I think, in a response to our blog, one of the analysts that had been working at this for a while - I think it is either Group-IB or Talos, I forget which one - they had said that, since one of the actors associated with Cobalt Group activity had been arrested, they've seen seventeen different organizations either targeted or masqueraded as.
Richard Hummel: [00:04:42] So they're definitely not sitting on their hands. You know, an apparent arrest of a supposedly a high-level operator didn't really do a whole lot to diminish their activity. And in every instance, it seems like they're going after financial institutions. There are a couple of instances where they may have masqueraded as an antivirus, like Kaspersky. But predominantly, it seems like they're targeting various financial organizations in different regions, even targeting in Russia, although these are suspected to be kind of a Russian-origination type group.
Dave Bittner: [00:05:13] Hmm. So, let's walk through what you discovered here. I mean, you have this initial email that points to a couple of different payloads. Let's dig into it.
Richard Hummel: [00:05:20] Sure. So, the email itself - we've got two different payloads. And what was notable about this is, when we started looking at some of the recent Cobalt Group activity - and Talos had actually released something the week prior - they were talking about these campaigns targeting new financial institutions, and they were using CVEs in some, like, malicious or weaponized documents. When we first started looking at this activity, we hadn't seen any other public reporting or any other security researchers reporting on this new wave of campaigns.
Richard Hummel: [00:05:49] But when we got it, we weren't actually seeing the CVEs. Instead, we saw this email that had a link to a JPEG file, and then also to a document that actually had a Visual Basic script in it that would require a user to enable that content or scripts to run on their system and then detonate it. Both of these different methods eventually leading to a JavaScript backdoor that we've analyzed. The email itself - or at least the first one that we came across - appeared to target NS Bank in Russia, and it was coming from something called "Interkassa," which is actually a payment platform. And so it's, you know, a vendor that they potentially use for their services. It appeared somewhat legitimate. The content is tailored - or seemed to be tailored - towards the financial organization.
Richard Hummel: [00:06:35] And the second campaign that we looked at came from our recently partnered for intel organization, Intel471. We asked them to look into this activity to see if they had anything in parallel, and they uncovered this other campaign targeting a Romanian bank - I believe it's Banca Comerciala Carpatica...
Dave Bittner: [00:06:51] Hmm.
Richard Hummel: [00:06:50] ...If I pronounced that correctly. Used to be called Patria Bank, but I believe in 2017 they merged. So they're one and the same now. But it appeared that the second wave or second campaign was targeting this institution, and of course coming from something called SEPA Europe, talking about different coverage areas and that they recently expanded, and if they wanted to know more information to click on this link. That particular campaign was using the CVEs that have been reported the week prior.
Richard Hummel: [00:07:17] So you see, you know, two different campaigns, three different methods, one being a JPEG file that was actually a binary, the other being a malicious document that had a VBScript, and then you also see CVEs. So three parallel campaigns, three different types of payloads, three initial intrusion vectors. So it's fairly interesting that there's all this happening, and especially having two different intrusion vectors in one single email was kind of notable to us.
Richard Hummel: [00:07:42] Through the process of getting it installed - we have some graphics on the site. Once the detonation occurs, you have this document that then drops or launches the Word macro. From there, it reaches out to a specific C2 that the actor has registered to grab it - info.txt - masquerading as a text file but in fact is actually a binary. And then from there, it's actually going to use Windows built-in executables in order to detonate itself, whether that's to hide functionality or to avoid AV scanners, but it uses cmd.exe, it uses some taskkill.exe applications to kill the processes, and then it'll also use the cmd.exe to execute a document that's actually a decoy document.
Richard Hummel: [00:08:28] And then from there, it uses something called "regsvr32.exe," which is basically a Windows system tool to launch the actual file. From there, it actually reaches out and downloads another text file. And inside the text file is actually the JavaScript backdoor, and it uses yet another system tool in order to actually detonate that. So you can see several different layers here. There's different execution chains. And it appears that they're doing this to get around some things. In one particular infection chain they actually use an INF file which, depending on how you use it, has been known to get around Windows AppLocker. So we see a little bit of obfuscation there and a little bit of anti-analysis built them.
Dave Bittner: [00:09:08] It's overwriting itself in RAM? Is that what's going on?
Richard Hummel: [00:09:12] So the malware itself, I don't necessarily believe it's overwriting anything. It definitely creates persistence. It installs itself into the registry, but I don't necessarily think that it's overwriting a binary itself. What happens is, when it's detonating this, you have two different threads - one you have the malicious activity that's occurring, but then you also have a cmd.exe command that's sent over to open those arbitrary or benign Word documents. So, the user's going to see whether it's a blank Word document or maybe it does have information related to the particular spam message that was sent. It could be decoy information, maybe they copy and pasted it from the web. But that's what the user is going to see. Meanwhile, in the background, you're going to have the malicious activity occurring to actually, you know, initiate or execute this backdoor.
Dave Bittner: [00:09:58] I see. And so once the back door has been installed, what sort of functionality does it have?
Richard Hummel: [00:10:05] So primarily, it's got a kind of a keep-alive so it can beacon out to the C2. It has the ability to download and execute additional binary files. It can download and update itself, and then it can do some type of deletion of itself, as well as the registry entries that it creates, and then it can execute new copies of itself if it can, via some other method. The last command is actually - seems to be plug-and-play. There's a couple of different names for it. In the particular sample that we had, it's called "vai_x," and that basically allows the attacker to remote in and to execute commands on the command line prompt.
Dave Bittner: [00:10:42] Now, based on what you've been able to see with the phishing emails, how targeted is this campaign?
Richard Hummel: [00:10:49] One of the things that I was recently talking to with another journalist was the idea of this group targeting. We know that they're targeting financial institutions, but are they singling out this particular organization, or these two particular organizations? I don't necessarily know that that's their end-goal. Like, of all the campaigns they sent out, they're specifically targeting these two organizations.
Richard Hummel: [00:11:11] One of the things that we hypothesize - and this is speculation at this point, but some of the information about the different types of domains they have registered support this, as well as other security researchers that have made comment - is that they may have a whole list of financial institutions that they would love to get into. Maybe they know of some way that they can exploit them, or they can commit fraud, or they know how to get monetary gain from these particular organizations.
Richard Hummel: [00:11:36] And so maybe they take this whole list, they curate it, and they say, okay, of this list of one hundred, maybe these thirty we have a chance at getting into, or maybe we have lists of employees' email addresses from XYZ organizations, so let's go ahead and, you know, start with this subset, and we'll do semi-crafted or semi-targeted emails that look like they're coming from maybe potential partners, or an organization or entity that might have some type of dealing with the targeted organization. Then we put these emails together and we kind of blast it out to whoever we have in our list of people to target.
Richard Hummel: [00:12:09] And then whoever bites, that's their hook. It could be that they don't necessarily know what they're going to do with these organizations once they get in. Maybe they're just kind of spray-and-pray, and they just target fifty different organizations, they hope two or three of them get compromised, and then from there, they can figure out, okay, we just compromised a financial institution that has ATMs, or maybe we have a banking network to go after, or maybe it is SWIFT again. Maybe they have a point-of-sale and we want to pivot and do something a little bit different.
Richard Hummel: [00:12:35] So I think at this point it's like, get in, establish that foothold, and that's kind of what we see with these two backdoors. This - they're very much establishing their foothold. They don't have keyloggers. They don't necessarily have credential theft capabilities. They're basically - they get in, they an allow an attacker to remote and send arbitrary commands, and then download additional payloads. So what they're going to do after this point, we don't know. We haven't actually seen a actual compromise or seen into a network that has this running. So we don't necessarily know what the attackers' end-game is, or their particular purposes for targeting these two organizations.
Dave Bittner: [00:13:07] I see. Now, have you had any success with, you know, polling the command-and-control servers, or reaching out to see what they may or may not respond to?
Richard Hummel: [00:13:17] So when we were first analyzing this there was definitely still some of them live, and after several days of putting this together, I had my analyst go back and verify that a couple of them were live. And while we can say that they're live, we were able to glean any additional information that isn't represented in the blog. However, we did come across a new binary that we're still in the process of analyzing, and even in just the week or so since we started putting all this together, we've seen slight changes, where it looks like they're paying attention to what other security researchers are saying. I told you before - the week before ours came out, Talos had put something out about these new campaigns.
Dave Bittner: [00:13:54] Right.
Richard Hummel: [00:13:54] And my analysts started to see slight changes, and it's kind of hard to say that they were indicative of the operators observing the security research, and they realized that somebody figured out their TTPs. It could be that they're just always in a state of evolution, as we see here with this phishing email having two different potential payloads. It seems like they're kind of trying different things, seeing what works, what doesn't work, or maybe they're just adding a bunch of different methods into their toolkit with the hopes of having the most success.
Dave Bittner: [00:14:25] Now, with the dual payloads, does that - in addition to increasing the odds of infection - does that also, in the same way, increase the odds of it being detected?
Richard Hummel: [00:14:37] You know, that's interesting, because when you think about it, if a user is not going to click on one link, there's no reason to think that they would click on a second link.
Dave Bittner: [00:14:45] Hmm.
Richard Hummel: [00:14:44] So did they do it for redundancy? I don't know. Did they do it in the hopes that maybe one URL makes it through some type of a scanner or AV? I don't know, because if there's a malicious URL in an email that, whole email is typically blacklisted. So I don't exactly know their reasoning behind having these two different URLs. Maybe they put it together and they they hyperlinked the campaign, and they didn't realize they put one URL into one hyperlink and another URL into a different one. I mean, it could have been as simple as a mistake. But it was just interesting in this email because we don't typically see that tactic.
Dave Bittner: [00:15:17] Yeah. Now, do you have any sense for how large a campaign this is? How many of these phishing emails have gone out?
Richard Hummel: [00:15:23] We don't. We've only observed - in both of these campaigns, we only observed that one phishing email, both of which are available in public resources like a VirusTotal. So it's definitely not, like, a secretive thing. It's not like we're capturing spam off the wire. What we were looking at was something that was already captured, or was already made public, but VirusTotal actually had zero hits of malicious nature inside the content of it. So those URLs that were being used were not being flagged as malicious. So that further lended reasoning for us to look into this, because if they are malicious and they do have payloads, then there should be something marking it as malicious.
Dave Bittner: [00:15:58] And so, in terms of organizations protecting themselves, what do you recommend?
Richard Hummel: [00:16:03] Any time I have this question when we're talking about spam or any type of phishing, the same answer comes out, and that's user education. It's imperative for a user to know what they're clicking on. If they're not expecting an email from somebody, to verify where it's coming from. One of the things that we do at our organization is, any time we get an email external to our mail servers, it's tagged as external email. So that should be the first indicator, the first flag that's something that's coming from outside of our network, and I want to verify before I click on anything.
Richard Hummel: [00:16:30] Same thing with the actual URLs themselves. Just because it looks like it's www.google.com, it could be a hyperlink to some other URL, so you want to ensure - maybe you do a right click and copy-paste to see what that URL actually is. A lot of times if you hover over the hyperlink you can actually see the real URL underneath. When it comes to, like, attachments, in the case of one of those URLs downloading a malicious document, the document required a user to enable content, if it wasn't already enabled, which - many organizations and enterprises, by default, have that disabled for this particular reason. You don't want that to happen. Because it used to be, like, macros and scripts were the predominant way that attackers were using for these phishing campaigns.
Dave Bittner: [00:17:12] Right.
Richard Hummel: [00:17:12] So there's a lot of group policies now where you can basically go and disable that. Office 365 actually has a really good policy in that, if there's a macro that comes from an external source to your environment, disallow execution of scripts. So there are different things that all of these different providers, these browsers, the mail providers, are building in these tools to manage it at a group level. I believe at this point, all of the main browsers - Chrome, Internet Explorer, and Firefox - all have the capability to disallow scripts from executing, as well as visiting suspect sites. So there's a number of different things you can do, but I think a lot of it boils down to individuals with an organization recognizing something that's potentially phishing when it comes into their inbox.
Dave Bittner: [00:17:58] Our thanks to Richard Hummel for joining us. He's from Netscout's ASERT team. The research is titled "Double the Infection, Double the Fun." We'll have a link in the show notes.
Dave Bittner: [00:18:09] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at hewlett.org/cyber.
Dave Bittner: [00:18:17] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:18:26] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.