“Even if an attacker uses commodity builders and tools, there is always a chance to find specific signals or characteristics that help to identify and track an actor’s infrastructure.”
Six months after “Denis K”, the Ukrainian “mastermind” of the global bank hacking group Cobalt/Carbanak, was arrested in Alicante, Spain, following an investigation that involved Europol, the FBI and the Belarusian, Moldovan, Romanian, Spanish and Taiwanese authorities, the group is still active, Unit 42 has warned.
The criminal syndicate entered the public imagination in 2013 with a series of audacious “jackpotting” attacks that caused bank ATMs to spew notes to waiting cash mules.
It has since increased in sophistication and struck banks in more than 40 countries, using a combination of social engineering and spear phishing. Europol says the group has cost the financial industry €1 billion.
Now Palo Alto Networks’ threat intelligence team, Unit 42, has released fresh research that shows persistent activity by Cobalt/Carbanak after their supposed leader’s arrest – and says it has been able to identify code that allows threat researchers to better track the group’s activity, if not identify them.
Cobalt/Carbanak Attacks Show Unique Characteristics Despite Use of Commodity Tools
In a recent blog, Unit 42 researchers said: “Nowadays, it’s very easy for an advanced attacker to use commodity [off-the-shelf] tools and malware along with very simple initial delivery methods to keep a low profile and stay away from possible attribution.”
“One of the most common approaches is the use of spear phishing emails employing social engineering or commonly used exploits (such as CVE-2017-0199 or the ThreadKit builder) to trick the employees of organizations of interest. Once the initial infection has occurred is when the attacker becomes more sophisticated, deploying advanced custom pieces of malware, more advanced tools, and/or using living-off-the-land tools (such as the use of PowerShell, or tools like CMSTP or Regsvr32).”
But they added: “Even if an attacker uses commodity builders and tools, there is always a chance to find specific signals or characteristics that help to identify and track an actor’s infrastructure.
“We have been able to identify both the use of a common macro builder as well as specific document metadata which have allowed us to track and cluster new activity and infrastructure associated with the Cobalt Gang.”
One of the latest examples related to the campaign under analysis was used in attacks just a few days ago, Unit 42 noted, adding that it shows the simplicity of the attack delivery employed by this group – and reinforces the fact that email is still one of the primary attack vectors its researchers continuously observe.
The Anatomy of a Cobalt/Carbanak Attack
This attack begins by targeting employees at several banking entities across the globe using an email with subject “Confirmations on October 16, 2018”.
The attachment is just a PDF document without any kind of code or exploit. Instead, it relies on social engineering to convince the user to click a link that downloads a malicious macro; a method discussed in previous research, for example by Talos.
The PDF embeds a link that opens a legitimate Google location, which then redirects the browser to a malicious document. In order to be effective against static analysis tools, the PDF the attackers crafted contains empty pages as well as some text pages; these help reduce the risk of raising red flags during analysis.
If the attack progresses, the user is taken to the download of an MS Word document containing malicious macros that had a very low detection rate at the time the campaign was delivered. From a metadata standpoint, the document does not include any specific signal or characteristic that would help researchers track documents from the same author.
“The downloaded malicious macro uses cmstp.exe to run a ‘scriptlet’, a technique well known to bypass AppLocker, and continues with the next stages of the payload delivery,” Unit 42 noted.
But this 1,500-line macro code has some unique characteristics, and using a YARA rule the researchers were able to identify the builder as well as a set of malicious documents created with it.
Further analysis of the PDF documents also revealed insight into the group’s modus operandi, and from this Unit 42 could start to identify pieces of attacker infrastructure based on multiple aspects, such as session data obtained from its own telemetry or public WHOIS registrar data.
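The delivery chain above ends with a Word macro launching cmstp.exe, and that is the step a defender can most reliably alert on from process-creation telemetry. The following Python is an added example (not Unit 42’s code) that flags cmstp.exe when it is spawned by an Office application, run with the silent-install flags, or pointed at an INF file in a temp directory; the events, paths and file names are constructed for illustration.

```python
import shlex

# Constructed sample process-creation events (not real telemetry): the parent
# image, the child image and the child's command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /ni /s C:\Users\alice\AppData\Local\Temp\example.inf"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r'cmstp.exe "C:\Program Files\VPN\corpvpn.inf"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\Confirmations.doc"'},
]

# Office processes that have no legitimate reason to launch cmstp.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    if basename(event["image"]) != "cmstp.exe":
        return reasons
    # posix=False keeps Windows backslashes intact and honours quoted paths.
    args = [a.lower() for a in shlex.split(event["cmdline"], posix=False)[1:]]
    if basename(event["parent"]) in OFFICE_PARENTS:
        reasons.append("cmstp.exe spawned by an Office application")
    if "/ni" in args and "/s" in args:
        reasons.append("silent install of a connection profile (/ni /s)")
    if any(a.endswith(".inf") and "\\temp\\" in a for a in args):
        reasons.append("INF file loaded from a temp directory")
    return reasons


def find_suspicious(events):
    """Pair each suspicious event's command line with its reasons."""
    return [(e["cmdline"], classify(e)) for e in events if classify(e)]
```

A real deployment would feed this from Sysmon event 1 or an EDR process tree; the parent-process check alone catches the page’s macro-to-cmstp step even if the flags change.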
As Unit 42 notes (with reference to the above graph):
- The initial cluster of PDF documents, on the left, links to specific domains for the download of Microsoft Office files using the macro builder structure.
- Some of the domains in use are publicly registered with the name of “grigoredanbanescu” and allow us to find other related domains, which are already linked to previous Cobalt Gang activity.
- Some of the initial PDFs have relations with Microsoft Office files linked to “grigoredanbanescu” activity, confirming again the relationships.
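The three pivots listed above (PDF to download domain, domain to WHOIS registrant, domain to the Office file it served) can be walked mechanically. The Python below is an added example, not Unit 42’s tooling: it builds a small artefact graph from constructed relationships (the domains and file names are placeholders; only the registrant name comes from the page) and expands outward from one PDF, recording which pivot connected each artefact to the seed.

```python
from collections import defaultdict, deque

# Constructed relationships (not Unit 42's data). Each edge names two artefacts
# and the pivot that links them: a PDF to the domain it downloads from, a domain
# to its WHOIS registrant, or a domain to the Office file it served.
EDGES = [
    ("pdf:confirmations-1.pdf", "domain:example-a.test", "pdf_link"),
    ("domain:example-a.test", "registrant:grigoredanbanescu", "whois"),
    ("domain:example-c.test", "registrant:grigoredanbanescu", "whois"),
    ("domain:example-c.test", "doc:payment-order.doc", "served_file"),
    ("domain:example-b.test", "doc:payment-order.doc", "served_file"),
    ("pdf:confirmations-2.pdf", "domain:example-b.test", "pdf_link"),
    ("pdf:unrelated.pdf", "domain:example-z.test", "pdf_link"),
    ("domain:example-z.test", "registrant:someone-else", "whois"),
]


def build_graph(edges):
    """Undirected adjacency list: node -> [(neighbour, pivot), ...]."""
    graph = defaultdict(list)
    for a, b, pivot in edges:
        graph[a].append((b, pivot))
        graph[b].append((a, pivot))
    return graph


def expand(graph, seed, max_hops=8):
    """Breadth-first pivot from a seed artefact.

    Returns {artefact: [pivots used to reach it]}; BFS guarantees the recorded
    chain is the shortest one, and max_hops bounds how far a pivot may wander.
    """
    paths = {seed: []}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if len(paths[node]) >= max_hops:
            continue
        for neighbour, pivot in graph[node]:
            if neighbour not in paths:
                paths[neighbour] = paths[node] + [pivot]
                queue.append(neighbour)
    return paths


def related_domains(graph, seed):
    """Every domain reachable from the seed, i.e. candidate blocklist entries."""
    return sorted(n for n in expand(graph, seed) if n.startswith("domain:"))
```

The recorded pivot chain is what makes a cluster defensible: an analyst can see that a domain was tied to the campaign by a registrant match rather than by a direct link in the PDF.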
Focusing on specific aspects of the macro builders and the metadata the actors left behind, Unit 42 was able to develop new mechanisms to track and hunt Cobalt Gang activity and infrastructure, allowing it to detect malware samples used by this campaign, set up traps that prevent such attacks at the endpoint and create an “autofocus” tag to track the CobaltGang actor group. Ultimately, however, what the research reveals is that taking one player out of the action has failed to reduce activity in a highly commoditised market that is making identification difficult for network defenders and threat hunters.