Latest campaign by the hard-to-kill cybercrime group hides malicious code behind legitimate files, Windows processes.

The most financially destructive cybercrime organization in the world continues to hammer away at financial institution targets: The Carbanak Group – aka Cobalt Group and FIN7 – most recently was spotted trying to break into Russian and Romanian banks with spear-phishing emails loaded with dual malicious links.

The twofer strategy of loading an email with both a Word document and a JPEG – both rigged with malware – appears to be an insurance policy of sorts that the victim will be tempted to click on at least one of the links that leads to the malicious files, according to Richard Hummel, threat research manager for Netscout ASERT, which analyzed the group's latest attack campaign.

"I think it's more of a redundancy thing with the two vectors," Hummel says, noting that it's relatively unusual for attackers to have two malicious links in one phish. "We've seen where they have a malicious attachment and a malicious link, but not two malicious links. That was different."

Carbanak/Cobalt/FIN7's resilience runs deep, and its tentacles wide. In late March, Spanish police arrested the alleged leader of the organization, which is believed to have stolen more than $1.2 billion from 100-plus banks across 40 countries since it was first observed in 2013. His name was not released, but Spanish authorities reportedly said he was a Ukrainian and identified as "Denis K."

In August, the US Department of Justice announced that three additional high-level leaders of the organization – Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30 – were in custody and had been indicted. US law enforcement officials said the cybercrime group stole payment card data from millions of customers via more than 100 US retail companies, including Saks Fifth Avenue, Chipotle Mexican Grill, Arby's, and Red Robin.

Experts say the group's ability to continue its operations despite the high-level arrests of its leaders, as well as the regular exposure by security researchers of its cyberattack campaigns, demonstrates how hard it is to fully shutter a massive cybercrime operation with global ties.

"There are a lot of people involved in this operation," Hummel says. Arresting someone at the top is akin to a botnet "takedown," where plenty of other members continue the operation, even without the botnet operator or, in Carbanak/Cobalt/FIN7's case, its lead.

But FireEye, which came up with the FIN7 name, considers FIN7 and Cobalt Group (also known as TEMP.MetaStrike) as separate entities that sometimes use the same attack tools.

"One point of common confusion has been both FIN7 and TEMP.MetaStrike’s connections to Carbanak," says Kimberly Goody, manager of financial crime analysis at FireEye. "FireEye has previously reported publicly that we track multiple distinct clusters of activity dating back to 2013 that have used this malware. Based on these observations, we believe the most likely scenario is that this malware is used by a small number of groups, who may be sharing techniques and tools for their different operations." 

ASERT researchers first spotted the latest attack campaign on Aug. 13, targeting financial institutions in Eastern Europe and Russia with convincing-looking spear-phishing emails that purported to be from a financial vendor or partner of the targeted institution. ASERT identified two specific bank targets: NS Bank in Russia and Banca Comerciala Carpatica/Patria Bank in Romania.

The cybercrime group is well-known for its slick and realistic-looking spear-phishing emails that contain malicious Word documents and other attachments. The attacks found by ASERT researchers include malware that can bypass Windows AppLocker whitelisting by employing legitimate Windows processes that AppLocker does not block by default: regsvr32.exe and cmstp.exe. 

Cisco Talos researchers last month found the group employing an email posing as the European Banking Federation, sent from a spoofed email address. In that case, the attachment was a malicious PDF file that included a URL leading to exploits for CVE-2017-11882, CVE-2017-8570, and CVE-2018-8174. "The final payload is a JScript backdoor ... that allows the attacker to control the affected system remotely," Talos said in a blog post on the campaign and on others that use tools and techniques similar to Carbanak/Cobalt's.

The Payloads
ASERT researchers found in the latest campaign that the malicious Word file contains hidden VBA scripts, and the JPG file contains a binary file – both with malicious code calling out to two command-and-control servers known to be run by Carbanak/Cobalt/FIN7. "What they plan to do with the current campaign is unclear," Hummel says. "But they are trying to get two backdoors installed and get into the network," possibly to gain a foothold, he says.

Hummel says there are at least five other registered domains, although his team has likely only scratched the surface of the entire campaign.

The Word document delivered by the first URL is rigged with a VBA script that runs only if macros are enabled. The script then launches cmstp.exe with an INF file to sneak past AppLocker and downloads a remote payload – a JavaScript backdoor – which is then executed. A DLL file posing as a text file launches the final piece of malcode using regsvr32.exe.
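A defender-side check for the two living-off-the-land steps described above (cmstp.exe fed an INF file, and regsvr32.exe loading a DLL disguised under another extension), as an added example that is not ASERT's or the article's code: a small rule set run over constructed Sysmon-style process-creation records. The field names, paths and sample values are assumptions made for the example, not indicators from the campaign.

```python
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"cmstp.exe", "regsvr32.exe"}  # signed binaries AppLocker allows by default

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict[str, str]) -> list[str]:
    """Return the rule names matched by one Sysmon-style process-creation event."""
    hits = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    # Rule 1: an Office application spawning a signed, AppLocker-exempt binary.
    if parent in OFFICE_PARENTS and image in LOLBINS:
        hits.append("office_spawns_lolbin")
    # Rule 2: cmstp.exe handed an INF file, the AppLocker bypass the campaign used.
    if image == "cmstp.exe" and re.search(r"\S+\.inf\b", cmd):
        hits.append("cmstp_inf_execution")
    # Rule 3: regsvr32.exe loading a module whose extension is not .dll/.ocx,
    # matching the DLL "posing as a text file" in the campaign.
    if image == "regsvr32.exe":
        for tok in re.findall(r'"[^"]*"|\S+', cmd)[1:]:   # skip the image token
            tok = tok.strip('"')
            if tok.startswith("/"):
                continue                                  # switch such as /s
            if not tok.endswith((".dll", ".ocx")):
                hits.append("regsvr32_nondll_module")
                break
    return hits

def scan(events: list[dict[str, str]]) -> list[tuple[int, list[str]]]:
    """Return (event index, matched rules) for every event that matched a rule."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]

# Constructed sample records (not real telemetry); paths are illustrative only.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /s /ns C:\Users\user\AppData\Local\Temp\profile.inf"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\Public\readme.txt"'},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'},
]
```

Rule 2 will also fire on legitimate connection-profile installs, so treat these hits as triage signals to tune against the environment's baseline rather than as block rules.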

The JPEG contains a URL with multiple layers of obfuscation, and calls out to the C2 server for more payloads.

ASERT has alerted the victim organizations and recommends that financial institutions train users about what to click and what not to click. "Criminal actors are a lot better at crafting well-done spear phishes where the sender looks like it's coming from someone inside the organization," Hummel says, so users need help knowing what to do.

"Most stand-alone email clients and browsers allow corporate policy to disable scripting by default, unless it's coming from internal sources," he adds.


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
