Carbanak/Cobalt/FIN7 Group Targets Russian, Romanian Banks in New Attacks

Latest campaign by the hard-to-kill cybercrime group hides malicious code behind legitimate files, Windows processes.

The most financially destructive cybercrime organization in the world continues to hammer away at financial institution targets: The Carbanak Group – aka Cobalt Group and FIN7 – most recently was spotted trying to break into Russian and Romanian banks with spear-phishing emails loaded with dual malicious links.

The twofer strategy of loading an email with both a Word document and a JPEG – both rigged with malware – appears to be an insurance policy of sorts: the victim is likely to click on at least one of the two links that lead to the malicious files, according to Richard Hummel, threat research manager for Netscout ASERT, which analyzed the group's latest attack campaign.

"I think it's more of a redundancy thing with the two vectors," Hummel says, noting that it's relatively unusual for attackers to have two malicious links in one phish. "We've seen where they have a malicious attachment and a malicious link, but not two malicious links. That was different."

Carbanak/Cobalt/FIN7's resilience runs deep, and its tentacles wide. In late March, Spanish police arrested the alleged leader of the organization, which is believed to have stolen more than $1.2 billion from 100-plus banks across 40 countries since it was first observed in 2013. His name was not released, but Spanish authorities reportedly said he was a Ukrainian and identified as "Denis K."

In August, the US Department of Justice announced that three additional high-level leaders of the organization – Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30 – were in custody and had been indicted. US law enforcement officials said the cybercrime group stole payment card data from millions of customers via more than 100 US retail companies, including Saks Fifth Avenue, Chipotle Mexican Grill, Arby's, and Red Robin.

Experts say the group's ability to continue its operations despite the high-level arrests of its leaders, as well as the regular exposure by security researchers of its cyberattack campaigns, demonstrates how hard it is to fully shutter a massive cybercrime operation with global ties.

"There are a lot of people involved in this operation," Hummel says. Arresting someone at the top is akin to a botnet "takedown," where plenty of other members continue the operation, even without the botnet operator or, in Carbanak/Cobalt/FIN7's case, its lead.

But FireEye, which came up with the FIN7 name, considers FIN7 and Cobalt Group (also known as TEMP.MetaStrike) as separate entities that sometimes use the same attack tools.

"One point of common confusion has been both FIN7 and TEMP.MetaStrike’s connections to Carbanak," says Kimberly Goody, manager of financial crime analysis at FireEye. "FireEye has previously reported publicly that we track multiple distinct clusters of activity dating back to 2013 that have used this malware. Based on these observations, we believe the most likely scenario is that this malware is used by a small number of groups, who may be sharing techniques and tools for their different operations." 

ASERT researchers first spotted the latest attack campaign on Aug. 13, targeting financial institutions in Eastern Europe and Russia with convincing-looking spear-phishing emails that purported to be from a financial vendor or partner of the targeted institution. ASERT identified two specific bank targets: NS Bank in Russia and Banca Comerciala Carpatica/Patria Bank in Romania.

The cybercrime group is well-known for its slick and realistic-looking spear-phishing emails that contain malicious Word documents and other attachments. The attacks found by ASERT researchers include malware that bypasses Windows AppLocker application whitelisting by running its code through two legitimate, Microsoft-signed Windows binaries that AppLocker's default rules allow: regsvr32.exe and cmstp.exe. Both live under the Windows folder, which the default rules permit for all users, and both can be made to execute attacker-supplied code (a DLL in the case of regsvr32.exe, an INF-driven profile install in the case of cmstp.exe), so the whitelist never sees an unapproved executable.

Cisco Talos researchers last month found the group employing an email posing as the European Banking Federation, with a spoofed sender address. In that case, the attachment was a malicious PDF file that included a URL leading to exploits for CVE-2017-11882, CVE-2017-8570, and CVE-2018-8174. "The final payload is a JScript backdoor ... that allows the attacker to control the affected system remotely," Talos said in a blog post covering that campaign and others that use tools and techniques similar to Carbanak/Cobalt's.

The Payloads
ASERT researchers found that in the latest campaign the malicious Word file contains hidden VBA scripts and the JPG file carries an embedded binary, both with malicious code that calls out to two command-and-control servers known to be run by Carbanak/Cobalt/FIN7. "What they plan to do with the current campaign is unclear," Hummel says. "But they are trying to get two backdoors installed and get into the network," possibly to gain a foothold, he says.

Hummel says there are at least five other registered domains associated with the campaign, although his team has likely only scratched the surface of it.

The URL loads the VBA-rigged Word document, whose macro runs only if the recipient enables macros. The macro then launches cmstp.exe with an INF file to get past AppLocker, and a remote payload – a JavaScript backdoor – is downloaded and executed. A DLL disguised with a .txt extension is then loaded through regsvr32.exe to launch the final piece of malcode; regsvr32.exe loads the module it is handed regardless of the file's extension, so the text-file name only fools a casual look at the directory.

The JPEG contains a URL with multiple layers of obfuscation, and calls out to the C2 server for more payloads.
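Defenders who collect process-creation telemetry can look for the chain described above rather than for the payloads themselves. The following Python is an added example, not ASERT's, Talos's or the attackers' code: it scans records shaped after Sysmon Event ID 1 (Image, ParentImage, CommandLine) and flags cmstp.exe launched with an INF from a user-writable folder, regsvr32.exe asked to load a file whose extension is not a library, and either binary spawned by an Office application or a script host. The sample records, paths and file names are constructed for the example; the rule names and the set of "user-writable" paths are this example's own choices.

```python
"""Hunt for the cmstp.exe / regsvr32.exe application-whitelisting bypass chain
in process-creation telemetry (example code, not the ASERT or Talos tooling)."""
import re
from pathlib import PureWindowsPath

# Constructed sample records shaped after Sysmon Event ID 1 fields (Image,
# ParentImage, CommandLine). Users, paths and file names are invented.
SAMPLE_EVENTS = [
    {   # Word macro launching cmstp.exe with an INF dropped in the user's Temp folder
        "Image": r"C:\Windows\System32\cmstp.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r"cmstp.exe /s /ni C:\Users\alice\AppData\Local\Temp\inv.inf",
    },
    {   # Script host asking regsvr32.exe to load a DLL that is named like a text file
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\readme.txt",
    },
    {   # Benign: installer registering a vendor DLL from Program Files
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
    },
    {   # Benign: user installing a VPN profile shipped under Program Files
        "Image": r"C:\Windows\System32\cmstp.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'cmstp.exe "C:\Program Files\VPN\corp.inf"',
    },
    {"Image": r"C:\Windows\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
LIBRARY_EXTENSIONS = {".dll", ".ocx", ".ax"}
# Folders a standard user can write to (assumed list). AppLocker's default path
# rules do not allow execution from here, which is why the bypass routes the
# attacker's file through a signed binary that lives under C:\Windows instead.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|users\\public|temp)\\", re.I)


def split_command_line(cmdline):
    """Tokenize a Windows command line, keeping double-quoted paths whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def analyze_event(event):
    """Return a list of (rule_name, evidence) findings for one process-creation event."""
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    tokens = split_command_line(event["CommandLine"])
    switches = {t.lower() for t in tokens[1:] if t.startswith(("/", "-"))}
    operands = [t for t in tokens[1:] if not t.startswith(("/", "-"))]
    findings = []

    if image == "cmstp.exe":
        for operand in operands:
            # cmstp.exe installs a Connection Manager profile described by an INF;
            # a crafted INF can make it run a command or fetch a remote script.
            if operand.lower().endswith(".inf") and USER_WRITABLE.search(operand):
                findings.append(("cmstp_inf_from_user_writable_path", operand))
        if {"/s", "/ni"} <= switches:  # silent install, no desktop icon: nothing shown to the user
            findings.append(("cmstp_silent_install", " ".join(sorted(switches))))

    if image == "regsvr32.exe":
        for operand in operands:
            if PureWindowsPath(operand).suffix.lower() not in LIBRARY_EXTENSIONS:
                # regsvr32 loads whatever module it is given regardless of extension
                findings.append(("regsvr32_non_library_extension", operand))
            if USER_WRITABLE.search(operand):
                findings.append(("regsvr32_module_from_user_writable_path", operand))

    if image in {"cmstp.exe", "regsvr32.exe"} and parent in OFFICE_APPS | SCRIPT_HOSTS:
        findings.append(("lolbin_spawned_by_office_or_script_host", parent))

    return findings


def scan(events):
    """Map event index -> findings, for events that produced at least one finding."""
    results = {}
    for index, event in enumerate(events):
        findings = analyze_event(event)
        if findings:
            results[index] = findings
    return results


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {index}: {SAMPLE_EVENTS[index]['CommandLine']}")
        for rule, evidence in findings:
            print(f"    {rule}: {evidence}")
```

Run stand-alone it reports the two malicious records and stays silent on the two legitimate uses of the same binaries, which is the point of keying on the INF or module path and on the parent process rather than on cmstp.exe and regsvr32.exe alone: both are used by installers and VPN clients, so blocking or alerting on the image name produces noise, while a profile INF or a "text file" loaded from a user's Temp folder, launched from Word, does not happen in normal operation.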

ASERT has alerted the victim organizations and recommends that financial institutions train users about what to click and what not to click. "Criminal actors are a lot better at crafting well-done spear phishes where the sender looks like it's coming from someone inside the organization," Hummel says, so users need help knowing what to do.

"Most stand-alone email clients and browsers allow corporate policy to disable scripting by default, unless it's coming from internal sources," he adds.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
