Skip to content

G0080 Cobalt Group

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.1234567 Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.8

Item Value
ID G0080
Associated Names GOLD KINGSWOOD, Cobalt Gang, Cobalt Spider
Version 2.0
Created 17 October 2018
Last Modified 18 October 2021
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
GOLD KINGSWOOD 9
Cobalt Gang 1 1011
Cobalt Spider 10

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control Cobalt Group has bypassed UAC.4
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Cobalt Group has used HTTPS for C2.134
enterprise T1071.004 DNS Cobalt Group has used DNS tunneling for C2.134
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike.4
enterprise T1037 Boot or Logon Initialization Scripts -
enterprise T1037.001 Logon Script (Windows) Cobalt Group has added persistence by registering the file name for the next stage malware under HKCU\Environment\UserInitMprLogonScript.11
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Cobalt Group has used powershell.exe to download and execute scripts.1234713
enterprise T1059.003 Windows Command Shell Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands.11 The group has used an exploit toolkit known as Threadkit that launches .bat files.124111213
enterprise T1059.005 Visual Basic Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution.124111213
enterprise T1059.007 JavaScript Cobalt Group has executed JavaScript scriptlets on the victim’s machine.124111213
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Cobalt Group has created new services to establish persistence.4
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography Cobalt Group has used the Plink utility to create SSH tunnels.4
enterprise T1203 Exploitation for Client Execution Cobalt Group had exploited multiple vulnerabilities for execution, including Microsoft’s Equation Editor (CVE-2017-11882), an Internet Explorer vulnerability (CVE-2018-8174), CVE-2017-8570, CVE-2017-0199, and CVE-2017-8759.1235671013
enterprise T1068 Exploitation for Privilege Escalation Cobalt Group has used exploits to increase their levels of rights and privileges.4
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion Cobalt Group deleted the DLL dropper from the victim’s machine to cover their tracks.1
enterprise T1105 Ingress Tool Transfer Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers.23 The group’s JavaScript backdoor is also capable of downloading files.11
enterprise T1559 Inter-Process Communication -
enterprise T1559.002 Dynamic Data Exchange Cobalt Group has sent malicious Word OLE compound documents to victims.1
enterprise T1046 Network Service Discovery Cobalt Group leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning.234
enterprise T1027 Obfuscated Files or Information Cobalt Group obfuscated several scriptlets and code used on the victim’s machine, including through use of XOR and RC4.111
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Cobalt Group has obtained and used a variety of tools including Mimikatz, PsExec, Cobalt Strike, and SDelete.3
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Cobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password protected archives containing .exe and .scr executables.1234561213
enterprise T1566.002 Spearphishing Link Cobalt Group has sent emails with URLs pointing to malicious documents.19
enterprise T1055 Process Injection Cobalt Group has injected code into trusted processes.4
enterprise T1572 Protocol Tunneling Cobalt Group has used the Plink utility to create SSH tunnels.134
enterprise T1219 Remote Access Software Cobalt Group used the Ammyy Admin tool as well as TeamViewer for remote access, including to preserve remote access if a Cobalt Strike module was lost.234
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Cobalt Group has used Remote Desktop Protocol to conduct lateral movement.4
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Cobalt Group has created Windows tasks to establish persistence.4
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim’s machine.11
enterprise T1195 Supply Chain Compromise -
enterprise T1195.002 Compromise Software Supply Chain Cobalt Group has compromised legitimate web browser updates to deliver a backdoor. 14
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.003 CMSTP Cobalt Group has used the command cmstp.exe /s /ns C:\Users\ADMINI~W\AppData\Local\Temp\XKNqbpzl.txt to bypass AppLocker and launch a malicious script.11112
enterprise T1218.008 Odbcconf Cobalt Group has used odbcconf to proxy the execution of malicious DLL files.13
enterprise T1218.010 Regsvr32 Cobalt Group has used regsvr32.exe to execute scripts.11113
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Cobalt Group has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine.1129
enterprise T1204.002 Malicious File Cobalt Group has sent emails containing malicious attachments that require users to execute a file or macro to infect the victim machine.112
enterprise T1220 XSL Script Processing Cobalt Group used msxsl.exe to bypass AppLocker and to invoke Jscript code from an XSL file.1

Software

ID Name References Techniques
S0154 Cobalt Strike 1245 671013 Bypass User Account Control:Abuse Elevation Control Mechanism Sudo and Sudo Caching:Abuse Elevation Control Mechanism Make and Impersonate Token:Access Token Manipulation Parent PID Spoofing:Access Token Manipulation Token Impersonation/Theft:Access Token Manipulation Domain Account:Account Discovery Application Layer Protocol DNS:Application Layer Protocol Web Protocols:Application Layer Protocol BITS Jobs Browser Session Hijacking Python:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter JavaScript:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Commonly Used Port Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Asymmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal on Host Ingress Tool Transfer Keylogging:Input Capture Modify Registry Multiband Communication Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery Process Discovery Dynamic-link Library Injection:Process Injection Process Hollowing:Process Injection Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Windows Remote Management:Remote Services Remote Desktop Protocol:Remote Services SMB/Windows Admin Shares:Remote Services Distributed Component Object Model:Remote Services SSH:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S0002 Mimikatz - SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores LSA Secrets:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Rogue Domain Controller Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Pass the Ticket:Use Alternate Authentication Material
S0284 More_eggs - Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel File Deletion:Indicator Removal on Host Ingress Tool Transfer Obfuscated Files or Information Security Software Discovery:Software Discovery Code Signing:Subvert Trust Controls Regsvr32:System Binary Proxy Execution System Information Discovery Internet Connection Discovery:System Network Configuration Discovery System Network Configuration Discovery System Owner/User Discovery
S0029 PsExec - Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0195 SDelete - Data Destruction File Deletion:Indicator Removal on Host
S0646 SpicyOmelette - JavaScript:Command and Scripting Interpreter Data from Local System Ingress Tool Transfer Spearphishing Link:Phishing Remote System Discovery Software Discovery Security Software Discovery:Software Discovery Code Signing:Subvert Trust Controls System Information Discovery System Network Configuration Discovery Malicious Link:User Execution

References


  1. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. 

  2. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018. 

  3. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018. 

  4. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018. 

  5. Mesa, M, et al. (2017, June 1). Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions. Retrieved October 10, 2018. 

  6. Klijnsma, Y.. (2017, November 28). Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions. Retrieved October 10, 2018. 

  7. Klijnsma, Y.. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018. 

  8. Europol. (2018, March 26). Mastermind Behind EUR 1 Billion Cyber Bank Robbery Arrested in Spain. Retrieved October 10, 2018. 

  9. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021. 

  10. CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018. 

  11. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018. 

  12. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018. 

  13. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019. 

  14. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 

Back to top