Researchers at security firm Netscout have discovered a financially motivated cyber attack campaign that could be linked to the Cobalt Group, which is believed to be responsible for cyber heists costing millions.
Similarities in phishing emails used in the new ongoing campaign targeting financial institutions in Eastern Europe and Russia led researchers to suspect a link to the Cobalt group, which has targeted mainly financial organisations in the past, often by using automatic teller machine (ATM) malware.
The latest campaign, discovered on 13 August, is using spear phishing attacks to steal legitimate credentials to bypass security defences and gain entry to banking IT systems. The emails appear to come from a financial supplier or partner, increasing the likelihood of infection.
One phishing email analysed by the researchers contained two malicious links. One is a weaponised Word document that contains obfuscated VBA [Visual Basic for Applications] scripts, and the other is a binary (executable file) with a .jpg image file extension.
Making use of separate infection points in one email with two separate command and control servers is unusual and could be aimed at increasing the likelihood of success, the researchers said.
The binaries analysed contained two unique command and control servers, which Netscout researchers believe are owned and operated by the Cobalt hacking group.
They think the cyber attack group will continue targeting financial organisations in Eastern Europe and Russia based on the attack methods in this campaign.
Banking and other financial institutions are advised to ensure that employees are trained to spot phishing emails.
These and other organisations should also ensure they have the capability to inspect emails closely to identify fake domains that might contain malicious attachments or links.
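As an added example (not part of the Netscout report or this article), the following Python sketch shows the kind of inbound-mail checks the advice above implies, applied to the two techniques the article describes: an attachment whose declared extension (.jpg) does not match its real content (an executable), an Office document carrying a VBA macro project, and a sender domain that imitates a trusted supplier. The trusted domains, sender domain and attachment bytes are all constructed for the demonstration and are not indicators from the campaign.

```python
import io
import zipfile
from typing import Dict, List, Optional, Tuple

# Leading byte signatures ("magic bytes") for the file types a mail gateway most
# commonly has to validate. Only extensions listed here are checked.
MAGIC: Dict[str, Tuple[bytes, ...]] = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
    "docx": (b"PK\x03\x04",),   # OOXML documents are ZIP containers
    "docm": (b"PK\x03\x04",),
    "exe": (b"MZ",),            # Windows PE executable
}

# Hypothetical partner/supplier domains an organisation would whitelist (constructed).
TRUSTED_DOMAINS = {"examplebank.test", "supplier-corp.test"}

# Common digit/symbol look-alikes folded back to the letter they imitate.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def detect_extension_mismatch(filename: str, data: bytes) -> Optional[str]:
    """Return a finding when the file extension claims one type but the bytes say another."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sigs = MAGIC.get(ext)
    if sigs is None or any(data.startswith(s) for s in sigs):
        return None
    actual = next(
        (k for k, v in MAGIC.items() if any(data.startswith(s) for s in v)), "unknown"
    )
    return f"{filename}: declared .{ext} but content looks like {actual}"


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (ZIP-based) document carries an embedded VBA macro project."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> Optional[str]:
    """Flag sender domains that imitate a trusted domain via homoglyphs or small edits."""
    lowered = domain.lower()
    norm = lowered.translate(HOMOGLYPHS)
    for t in trusted:
        if norm == t:
            return None if lowered == t else f"{domain}: homoglyph imitation of trusted {t}"
        if levenshtein(norm, t) <= max_distance:
            return f"{domain}: within edit distance {max_distance} of trusted {t}"
    return None


def analyse_message(msg: dict) -> List[str]:
    """Run all checks over a parsed message {from_domain, attachments=[(name, bytes)]}."""
    findings: List[str] = []
    domain_finding = lookalike_domain(msg["from_domain"])
    if domain_finding:
        findings.append(domain_finding)
    for name, data in msg["attachments"]:
        mismatch = detect_extension_mismatch(name, data)
        if mismatch:
            findings.append(mismatch)
        if has_vba_project(data):
            findings.append(f"{name}: Office document carries a VBA macro project")
    return findings


def make_docm_with_macro() -> bytes:
    """Build a minimal, constructed OOXML container that includes a vbaProject.bin entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, constructed
    return buf.getvalue()


def build_sample_message() -> dict:
    """Constructed message modelled on the two-attachment email the article describes."""
    fake_jpg = b"MZ\x90\x00" + b"\x00" * 60  # PE header prefix under a .jpg name (constructed)
    return {
        "from_domain": "supp1ier-corp.test",  # digit '1' standing in for 'l' (constructed)
        "attachments": [("invoice.docm", make_docm_with_macro()), ("photo.jpg", fake_jpg)],
    }


if __name__ == "__main__":
    for finding in analyse_message(build_sample_message()):
        print(finding)
```

Running the script against the constructed message produces three findings: the imitation sender domain, the macro-bearing document and the executable hiding behind a .jpg name. In a real gateway these checks would sit alongside URL reputation and sandboxing rather than replace them; the point here is that extension-versus-content and domain-similarity checks are cheap and catch exactly the tricks described above.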
Cobalt Group’s operations appear to be continuing despite the arrest earlier this year of the suspected mastermind behind the bank heists by the Cobalt and Carbanak groups.
The wider criminal operation uses both Carbanak and Cobalt malware and is linked to the theft of up to $1bn from financial institutions in more than 40 countries.
According to Europol, the Cobalt malware enables criminals to steal up to €10m in each heist.