Group description: Cobalt Group

attack.mitre.org · MITRE ATT&CK · 20 hours ago · news
quality 2/10 · low quality
0 net
Tags
cybersecurity mitre
Entities
CVE-2017-0199 CVE-2017-11882 CVE-2017-8570 CVE-2017-8759 CVE-2018-8174
Cobalt Group, GOLD KINGSWOOD, Cobalt Gang, Cobalt Spider, Group G0080 | MITRE ATT&CK® ATT&CK v19 will be released April 28th! Check out this blog post for information on the planned deprecation of Enterprise's Defense Evasion tactic in the upcoming release. Home Groups Cobalt Group Cobalt Group Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims. [1] [2] [3] [4] [5] [6] [7] Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak . [8] ID: G0080 ⓘ Associated Groups : GOLD KINGSWOOD, Cobalt Gang, Cobalt Spider Version : 2.1 Created: 17 October 2018 Last Modified: 16 April 2025 Version Permalink Live Version Associated Group Descriptions Name Description GOLD KINGSWOOD [9] Cobalt Gang [1] [10] [11] Cobalt Spider [10] ATT&CK ® Navigator Layers Enterprise Layer download view Techniques Used Domain ID Name Use Enterprise T1548 .002 Abuse Elevation Control Mechanism : Bypass User Account Control Cobalt Group has bypassed UAC. [4] Enterprise T1071 .001 Application Layer Protocol : Web Protocols Cobalt Group has used HTTPS for C2. [1] [3] [4] .004 Application Layer Protocol : DNS Cobalt Group has used DNS tunneling for C2. [1] [3] [4] Enterprise T1547 .001 Boot or Logon Autostart Execution : Registry Run Keys / Startup Folder Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike. [4] Enterprise T1037 .001 Boot or Logon Initialization Scripts : Logon Script (Windows) Cobalt Group has added persistence by registering the file name for the next stage malware under HKCU\Environment\UserInitMprLogonScript . [11] Enterprise T1059 .001 Command and Scripting Interpreter : PowerShell Cobalt Group has used powershell.exe to download and execute scripts. [1] [2] [3] [4] [7] [12] .003 Command and Scripting Interpreter : Windows Command Shell Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands. [11] The group has used an exploit toolkit known as Threadkit that launches .bat files. [1] [2] [4] [11] [13] [12] .005 Command and Scripting Interpreter : Visual Basic Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution. [1] [2] [4] [11] [13] [12] .007 Command and Scripting Interpreter : JavaScript Cobalt Group has executed JavaScript scriptlets on the victim's machine. [1] [2] [4] [11] [13] [12] Enterprise T1543 .003 Create or Modify System Process : Windows Service Cobalt Group has created new services to establish persistence. [4] Enterprise T1573 .002 Encrypted Channel : Asymmetric Cryptography Cobalt Group has used the Plink utility to create SSH tunnels. [4] Enterprise T1203 Exploitation for Client Execution Cobalt Group had exploited multiple vulnerabilities for execution, including Microsoft’s Equation Editor (CVE-2017-11882), an Internet Explorer vulnerability (CVE-2018-8174), CVE-2017-8570, CVE-2017-0199, and CVE-2017-8759. [1] [2] [3] [5] [6] [7] [10] [12] Enterprise T1068 Exploitation for Privilege Escalation Cobalt Group has used exploits to increase their levels of rights and privileges. [4] Enterprise T1070 .004 Indicator Removal : File Deletion Cobalt Group deleted the DLL dropper from the victim’s machine to cover their tracks. [1] Enterprise T1105 Ingress Tool Transfer Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers. [2] [3] The group's JavaScript backdoor is also capable of downloading files. [11] Enterprise T1559 .002 Inter-Process Communication : Dynamic Data Exchange Cobalt Group has sent malicious Word OLE compound documents to victims. [1] Enterprise T1046 Network Service Discovery Cobalt Group leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning. [2] [3] [4] Enterprise T1027 .010 Obfuscated Files or Information : Command Obfuscation Cobalt Group obfuscated several scriptlets and code used on the victim’s machine, including through use of XOR and RC4. [1] [11] Enterprise T1588 .002 Obtain Capabilities : Tool Cobalt Group has obtained and used a variety of tools including Mimikatz , PsExec , Cobalt Strike , and SDelete . [3] Enterprise T1566 .001 Phishing : Spearphishing Attachment Cobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password protected archives containing .exe and .scr executables. [1] [2] [3] [4] [5] [6] [13] [12] .002 Phishing : Spearphishing Link Cobalt Group has sent emails with URLs pointing to malicious documents. [1] [9] Enterprise T1055 Process Injection Cobalt Group has injected code into trusted processes. [4] Enterprise T1572 Protocol Tunneling Cobalt Group has used the Plink utility to create SSH tunnels. [1] [3] [4] Enterprise T1219 Remote Access Tools Cobalt Group used the Ammyy Admin tool as well as TeamViewer for remote access, including to preserve remote access if a Cobalt Strike module was lost. [2] [3] [4] Enterprise T1021 .001 Remote Services : Remote Desktop Protocol Cobalt Group has used Remote Desktop Protocol to conduct lateral movement. [4] Enterprise T1053 .005 Scheduled Task/Job : Scheduled Task Cobalt Group has created Windows tasks to establish persistence. [4] Enterprise T1518 .001 Software Discovery : Security Software Discovery Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine. [11] Enterprise T1195 .002 Supply Chain Compromise : Compromise Software Supply Chain Cobalt Group has compromised legitimate web browser updates to deliver a backdoor. [14] Enterprise T1218 .003 System Binary Proxy Execution : CMSTP Cobalt Group has used the command cmstp.exe /s /ns C:\Users\ADMINI~W\AppData\Local\Temp\XKNqbpzl.txt to bypass AppLocker and launch a malicious script. [1] [11] [13] .008 System Binary Proxy Execution : Odbcconf Cobalt Group has used odbcconf to proxy the execution of malicious DLL files. [12] .010 System Binary Proxy Execution : Regsvr32 Cobalt Group has used regsvr32.exe to execute scripts. [1] [11] [12] Enterprise T1204 .001 User Execution : Malicious Link Cobalt Group has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine. [1] [13] [9] .002 User Execution : Malicious File Cobalt Group has sent emails containing malicious attachments that require users to execute a file or macro to infect the victim machine. [1] [13] Enterprise T1220 XSL Script Processing Cobalt Group used msxsl.exe to bypass AppLocker and to invoke Jscript code from an XSL file. [1] Software ID Name References Techniques S0154 Cobalt Strike [1] [2] [4] [5] [6] [7] [10] [12] Abuse Elevation Control Mechanism : Sudo and Sudo Caching , Abuse Elevation Control Mechanism : Bypass User Account Control , Access Token Manipulation : Parent PID Spoofing , Access Token Manipulation : Token Impersonation/Theft , Access Token Manipulation : Make and Impersonate Token , Account Discovery : Domain Account , Application Layer Protocol : DNS , Application Layer Protocol : Web Protocols , Application Layer Protocol : File Transfer Protocols , BITS Jobs , Browser Session Hijacking , Command and Scripting Interpreter : JavaScript , Command and Scripting Interpreter : Visual Basic , Command and Scripting Interpreter : PowerShell , Command and Scripting Interpreter : Python , Command and Scripting Interpreter : Windows Command Shell , Create or Modify System Process : Windows Service , Data Encoding : Standard Encoding , Data from Local System , Data Obfuscation : Protocol or Service Impersonation , Data Transfer Size Limits , Deobfuscate/Decode Files or Information , Encrypted Channel : Asymmetric Cryptography , Encrypted Channel : Symmetric Cryptography , Exploitation for Client Execution , Exploitation for Privilege Escalation , File and Directory Discovery , Hide Artifacts : Process Argument Spoofing , Impair Defenses : Disable or Modify Tools , Indicator Removal : Timestomp , Ingress Tool Transfer , Input Capture : Keylogging , Modify Registry , Native API , Network Service Discovery , Network Share Discovery , Non-Application Layer Protocol , Obfuscated Files or Information : Indicator Removal from Tools , Obfuscated Files or Information , Office Application Startup : Office Template Macros , OS Credential Dumping : LSASS Memory , OS Credential Dumping : Security Account Manager , Permission Groups Discovery : Domain Groups , Permission Groups Discovery : Local Groups , Process Discovery , Process Injection : Dynamic-link Library Injection , Process Injection : Process Hollowing , Process Injection , Protocol Tunneling , Proxy : Domain Fronting , Proxy : Internal Proxy , Query Registry , Reflective Code Loading , Remote Services : Remote Desktop Protocol , Remote Services : SSH , Remote Services : Windows Remote Management , Remote Services : SMB/Windows Admin Shares , Remote Services : Distributed Component Object Model , Remote System Discovery , Scheduled Transfer , Screen Capture , Software Discovery , Subvert Trust Controls : Code Signing , System Binary Proxy Execution : Rundll32 , System Network Configuration Discovery , System Network Connections Discovery , System Service Discovery , System Services : Service Execution , Use Alternate Authentication Material : Pass the Hash , Valid Accounts : Domain Accounts , Valid Accounts : Local Accounts , Windows Management Instrumentation S0002 Mimikatz [2] [3] [4] Access Token Manipulation : SID-History Injection , Account Manipulation , Boot or Logon Autostart Execution : Security Support Provider , Credentials from Password Stores , Credentials from Password Stores : Credentials from Web Browsers , Credentials from Password Stores : Windows Credential Manager , OS Credential Dumping : DCSync , OS Credential Dumping : Security Account Manager , OS Credential Dumping : LSASS Memory , OS Credential Dumping : LSA Secrets , Rogue Domain Controller , Steal or Forge Authentication Certificates , Steal or Forge Kerberos Tickets : Golden Ticket , Steal or Forge Kerberos Tickets : Silver Ticket , Unsecured Credentials : Private Keys , Use Alternate Authentication Material : Pass the Hash , Use Alternate Authentication Material : Pass the Ticket S0284 More_eggs [1] [14] Application Layer Protocol : Web Protocols , Command and Scripting Interpreter : Windows Command Shell , Data Encoding : Standard Encoding , Deobfuscate/Decode Files or Information , Encrypted Channel : Symmetric Cryptography , Indicator Removal : File Deletion , Ingress Tool Transfer , Obfuscated Files or Information : Encrypted/Encoded File , Software Discovery : Security Software Discovery , Subvert Trust Controls : Code Signing , System Binary Proxy Execution : Regsvr32 , System Information Discovery , System Network Configuration Discovery : Internet Connection Discovery , System Network Configuration Discovery , System Owner/User Discovery S0029 PsExec [2] [4] Create Account : Domain Account , Create or Modify System Process : Windows Service , Lateral Tool Transfer , Remote Services : SMB/Windows Admin Shares , System Services : Service Execution S0195 SDelete [3] Data Destruction , Indicator Removal : File Deletion S0646 SpicyOmelette [9] Command and Scripting Interpreter : JavaScript , Data from Local System , Ingress Tool Transfer , Phishing : Spearphishing Link , Remote System Discovery , Software Discovery , Software Discovery : Security Software Discovery , Subvert Trust Controls : Code Signing , System Information Discovery , System Network Configuration Discovery , User Execution : Malicious Link References Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018. Mesa, M, et al. (2017, June 1). Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions. Retrieved October 10, 2018. Klijnsma, Y.. (2017, November 28). Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions. Retrieved October 10, 2018. Klijnsma, Y.. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018. Europol. (2018, March 26). Mastermind Behind EUR 1 Billion Cyber Bank Robbery Arrested in Spain. Retrieved October 10, 2018. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021. CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. × load more results
← Back to stories