8/30/2018
03:00 PM
Carbanak/Cobalt/FIN7 Group Targets Russian, Romanian Banks in New Attacks

Latest campaign by the hard-to-kill cybercrime group hides malicious code behind legitimate files, Windows processes.

The most financially destructive cybercrime organization in the world continues to hammer away at financial institution targets: The Carbanak Group – aka Cobalt Group and FIN7 – most recently was spotted trying to break into Russian and Romanian banks with spear-phishing emails loaded with dual malicious links.

The twofer strategy of loading an email with both a Word document and a JPEG – both rigged with malware – appears to be an insurance policy of sorts that the victim will be tempted to click on at least one of the links that leads to the malicious files, according to Richard Hummel, threat research manager for Netscout ASERT, which analyzed the group's latest attack campaign.

"I think it's more of a redundancy thing with the two vectors," Hummel says, noting that it's relatively unusual for attackers to have two malicious links in one phish. "We've seen where they have a malicious attachment and a malicious link, but not two malicious links. That was different."

Carbanak/Cobalt/FIN7's resilience runs deep, and its tentacles wide. In late March, Spanish police arrested the alleged leader of the organization, which is believed to have stolen more than $1.2 billion from 100-plus banks across 40 countries since it was first observed in 2013. His name was not released, but Spanish authorities reportedly said he was a Ukrainian and identified as "Denis K."

In August, the US Department of Justice announced that three additional high-level leaders of the organization – Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30 – were in custody and had been indicted. US law enforcement officials said the cybercrime group stole payment card data from millions of customers via more than 100 US retail companies, including Saks Fifth Avenue, Chipotle Mexican Grill, Arby's, and Red Robin.

Experts say the group's ability to continue its operations despite the high-level arrests of its leaders, as well as the regular exposure by security researchers of its cyberattack campaigns, demonstrates how hard it is to fully shutter a massive cybercrime operation with global ties.

"There are a lot of people involved in this operation," Hummel says. Arresting someone at the top is akin to a botnet "takedown," where plenty of other members continue the operation, even without the botnet operator or, in Carbanak/Cobalt/FIN7's case, its lead.

But FireEye, which came up with the FIN7 name, considers FIN7 and Cobalt Group (also known as TEMP.MetaStrike) as separate entities that sometimes use the same attack tools.

"One point of common confusion has been both FIN7 and TEMP.MetaStrike’s connections to Carbanak," says Kimberly Goody, manager of financial crime analysis at FireEye. "FireEye has previously reported publicly that we track multiple distinct clusters of activity dating back to 2013 that have used this malware. Based on these observations, we believe the most likely scenario is that this malware is used by a small number of groups, who may be sharing techniques and tools for their different operations." 

ASERT researchers first spotted the latest attack campaign on Aug. 13, targeting financial institutions in Eastern Europe and Russia with convincing-looking spear-phishing emails that purported to be from a financial vendor or partner of the targeted institution. ASERT identified two specific bank targets: NS Bank in Russia and Banca Comerciala Carpatica/Patria Bank in Romania.

The cybercrime group is well-known for its slick and realistic-looking spear-phishing emails that contain malicious Word documents and other attachments. The attacks found by ASERT researchers include malware that can bypass Windows AppLocker whitelisting by employing legitimate Windows processes that AppLocker does not block by default: regsvr32.exe and cmstp.exe. 

Cisco Talos researchers last month found the group employing an email posing as the European Banking Federation, with a spoofed email address. In that case, the attachment was a malicious PDF file that included a URL leading to exploits for CVE-2017-11882, CVE-2017-8570, and CVE-2018-8174. "The final payload is a JScript backdoor ... that allows the attacker to control the affected system remotely," Talos said in a blog post on the campaign and on others that use tools and techniques similar to Carbanak/Cobalt's.

The Payloads
ASERT researchers found in the latest campaign that the malicious Word file contains hidden VBA scripts, and the JPG file contains a binary file – both with malicious code calling out to two command-and-control servers known to be run by Carbanak/Cobalt/FIN7. "What they plan to do with the current campaign is unclear," Hummel says. "But they are trying to get two backdoors installed and get into the network," possibly to gain a foothold, he says.

Hummel says there are at least five other registered domains, although his team likely only scratched the surface of the entire campaign.

The malicious URL delivers a Word document rigged with a VBA script that runs only if macros are enabled. The script then launches cmstp.exe with an INF file to sneak past AppLocker and downloads a remote payload, a JavaScript backdoor, which is then executed. A DLL file posing as a text file launches the final piece of malcode via regsvr32.exe.
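The two AppLocker-evasion steps above (cmstp.exe fed an INF file, regsvr32.exe loading a DLL that does not look like one) leave a recognisable trace in process-creation telemetry. As an added example, not code from the article or from ASERT, the following Python routine runs a few triage rules over constructed Sysmon-style process-creation records; the field names, the sample paths and the user-writable path markers are assumptions, and the Office parent list and library extensions are merely reasonable starting points.

```python
import re
# Constructed Sysmon-style process-creation records (sample data, not from the article).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /s C:\Users\alice\AppData\Local\Temp\inst.inf"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\readme.txt"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\Downloads\update.dll"},
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")  # lower-case path markers (assumed)
LIBRARY_EXTENSIONS = (".dll", ".ocx", ".ax")  # what regsvr32.exe legitimately registers

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def file_args(cmdline):
    """Command-line tokens that are file paths: drop the program name and any /switches."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    return [t for t in tokens[1:] if not t.startswith(("/", "-"))]

def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def assess_event(event):
    """Reasons a process-creation event matches the cmstp.exe/regsvr32.exe abuse described above."""
    image, parent = basename(event["image"]), basename(event["parent"])
    if image not in ("cmstp.exe", "regsvr32.exe"):
        return []
    reasons = []
    if parent in OFFICE_PARENTS:  # a rigged document spawning a signed Windows binary
        reasons.append(f"{image} spawned by Office process {parent}")
    for arg in file_args(event["cmdline"]):
        if image == "cmstp.exe" and arg.lower().endswith(".inf") and is_user_writable(arg):
            reasons.append(f"cmstp.exe given an INF from a user-writable path: {arg}")
        elif image == "regsvr32.exe" and not arg.lower().endswith(LIBRARY_EXTENSIONS):
            reasons.append(f"regsvr32.exe asked to load a non-library file: {arg}")
        elif image == "regsvr32.exe" and is_user_writable(arg):
            reasons.append(f"regsvr32.exe loading a library from a user-writable path: {arg}")
    return reasons
```

Only the third sample record (a vendor DLL under Program Files, launched from Explorer) passes clean; the other three each trip at least one rule and would be worth an analyst's look.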

The JPEG contains a URL with multiple layers of obfuscation, and calls out to the C2 server for more payloads.

ASERT has alerted the victim organizations and recommends that financial institutions train users about what to click and what not to click. "Criminal actors are a lot better at crafting well-done spear phishes where the sender looks like it's coming from someone inside the organization," Hummel says, so users need help knowing what to do.

"Most stand-alone email clients and browsers allow corporate policy to disable scripting by default, unless it's coming from internal sources," he adds.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
