Cobalt Gang targets banks and financial service providers by sneaking PDFs past staff
Security analysts use new techniques to expose attackers' commodity builders and tools and their infrastructures.
A gang of hackers targeting financial institutions are trying to avoid detection by slipping PDFs files in emails, but getting bank staff to click on malware links.
According to researchers at Palo Alto, the hackers who are part of the Cobalt gang have sent PDFs to employees. These files do not contain and exploits, but what happens instead is a social engineering attack where the criminals fool victims into clicking on a link within the PDF to download malicious macros.
The Colbalt gang has been active despite the arrest of its leader earlier this year. In August, the group targeted two banks in Romania and Russia.
In a blog post, researchers said the technique, in order to be effective against static analysis tools, has a specially crafted PDF to make it look more authentic.
"It contains empty pages as well as some text pages that help in not raising red flags during analysis," said researchers. "By employing these two techniques the PDF avoids almost all traditional AV detection, resulting in a very effective transport of the first stage of the attack via email."
As the attack progresses, the victim is taken to a download of an MS Word document containing malicious macros that has very low detection rate at the moment of this campaign delivery. The researchers said that from a metadata standpoint, the document does not include any specific signal or characteristic that would help in tracking documents from the same author.
The downloaded malicious macro uses cmstp.exe to run a scriptlet, a technique known to bypass AppLocker, and continues with the next steps in payload delivery. The goal of recent research activities was not payload analysis. Instead, researchers focused on all possible aspects of the attack to further track the campaign and its associated infrastructure.
The researchers said that as the attack has achieved low detection rates, the focus of the investigation into the Colbalt group has been the identification of a possible underlying macro builder. While a builder was identified, investigators couldn’t guarantee that this builder is only used by this specific Cobalt Gang group and its campaigns against those industries.
"However, using this in combination with other aspects such as the target, payload, or dropper characteristics, becomes very useful in tracking this group’s campaigns," said researchers.
With the builder identified as well as fining common signals in the PDFs used in the attack, researchers were then able to find the gang’s infrastructure pieces based on multiple aspects, such as the hunting rules defined in previous sections, session data obtained by the investigator’s telemetry, or public WHOIS registrar data.
Researchers said that commodity attacks are widely used for both criminal and more targeted attacks, making identification difficult for networks defenders and threat hunters.
"By focusing on specific aspects of the macro builders and metadata the actors left behind we were able to develop new mechanisms to track and hunt Cobalt Gang activity and infrastructure," said researchers.
Source scmagazine
Industry: Cyber Security News
Latest Jobs
-
- VOIP / SIP App Developer. Contract. SIP | VOIP experience needed. SC Cleared Outside IR35 Contract. London
- London
- OUTSIDE IR35
-
SIP | VOIP Developer. SC Cleared Contract. London Looking for a SC Cleared SIP / VOIP Developer to develop an application that interacts with a set of voice and video signalling API’s You will also work on developing in-house applications, browser plugins and automated tooling to support secure communication systems. Responsibilities Develop an application that will manage number mapping and associated identities using commercial SBC API’s. Develop new user-facing features using React.js or other modern JavaScript frameworks. Build reusable components and front-end libraries for future use. Collaborate with the design team to translate UI/UX design wireframes into code. Work closely with backend developers to integrate front-end code with server-side logic. Conduct code reviews and provide constructive feedback to team members. Stay up-to-date on emerging technologies and industry trends to continuously improve our front-end development practices. Troubleshoot and debug issues that arise during development and in production environments. Maintain high coding standards and practices and ensure code is well-documented. Requirement Experience of developing specialist applications using REST API’s. Good knowledge of Go, Java and Python (open to alternative combinations of languages). Proficiency in front-end languages and frameworks such as HTML, CSS, JavaScript, React.js, etc. Strong understanding of web standards, responsive design, and cross-browser compatibility. Experience with version control systems such as Git. Knowledge of RESTful APIs and asynchronous request handling. Familiarity with UI/UX design principles and tools.
-
- Senior Data Privacy Consultant. Client Facing | London
- London
- N/A
-
Senior Data Privacy Consultant. Client Facing | London Senior Data Privacy Consultant needed for a key client facing opportunity. Must be willing to undergo SC Security Clearance. Hybrid role- onsite with customer / office 2-3 days a week. London Key Responsibilities: Lead and support client facing data privacy projects. Assess compliance, define and deliver strategic projects / implement privacy solutions. Manage project teams and develop business opportunities. Required Experience: Experience in data protection and privacy standards. Background in consulting. Skills and Qualifications: Business consulting experience IAPP Privacy Manager / Privacy Technologist Location Greater London UK based role. Not able to provide VISA sponsorship.
-
- Security Analyst - Internal role. London commutable. Permanent
- London
- N/A
-
Security Analyst - Internal role. London commutable opportunity. Operational Security - Investigate, escalate and proactively work to ensure household name remains protected. Project Security - Coordinate, log change requests with project delivery teams to meet security requirements Policy / compliance - work with team to aid in uplifting these as and where needed This role is role to investigate, escalate and proactively work to protect a globally recognised brand. You must have current hands on operational analytical security experience with Microsoft technology stack Someone with a SOC Analyst / security engineering background would be well suited. This position will join a small team and would suit someone that has broad experience across the security threat landscape. Experience / knowledge across industry GRC standards such NIST, ISO27001 etc very advantageous and a priority. You will work across multiple teams proactively working to secure the business. Must be able to commute to Central London 3 days a week. Visa sponsorship not available Apply today to find out more.
-
- Network / Security Infrastructure Engineer | West London | Permanent
- London
- N/A
-
Network / Security Infrastructure Engineer | West London | Current Config, Install, upgrade experience On prem / Datacetner experience essential. Hands on experience MUST include: Routing, Switching, Network Security (firewall, IDS etc), Microsoft exchange / Exchange 365. Scripting / automation experience wanted. Python, Powershell etc Regular travel to West London is required. Visa sponsorship not available. Apply today for more information chris.holt@dclsearch.com Use this whatapp link to reach out https://wa.me/message/6USF5RAQBOZIP1