Carbanak/Cobalt/FIN7 Group Targets Russian, Romanian Banks in New Attacks
The most financially destructive cybercrime organization in the world continues to hammer away at financial institution targets: The Carbanak Group – aka Cobalt Group and FIN7 – most recently was spotted trying to break into Russian and Romanian banks with spear-phishing emails loaded with dual malicious links.
The twofer strategy of loading an email with both a Word document and a JPEG – both rigged with malware – appears to be an insurance policy of sorts that the victim will be tempted to click on at least one of the links that leads to the malicious files, according to Richard Hummel, threat research manager for Arbor ASERT, which analyzed the group’s latest attack campaign.
“I think it’s more of a redundancy thing with the two vectors,” Hummel says, noting that it’s relatively unusual for attackers to have two malicious links in one phish. “We’ve seen where they have a malicious attachment and a malicious link, but not two malicious links. That was different.”
Carbanak/Cobalt/FIN7’s resilience runs deep, and its tentacles wide. In late March, Spanish police arrested the alleged leader of the organization, which is believed to have stolen more than $1.2 billion from 100-plus banks across 40 countries since it was first observed in 2013. His name was not released, but Spanish authorities reportedly said he was a Ukrainian and identified as “Denis K.”
In August, the US Department of Justice announced that three additional high-level leaders of the organization – Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30 – were in custody and had been indicted. US law enforcement officials said the cybercrime group stole payment card data from millions of customers via more than 100 US retail companies, including Saks Fifth Avenue, Chipotle Mexican Grill, Arby’s, and Red Robin.
Experts say Carbanak/Cobalt/FIN7’s ability to continue its operations despite the high-level arrests of its leaders, as well as the regular exposure by security researchers of its cyberattack campaigns, demonstrates how hard it is to fully shutter a massive cybercrime operation with global ties.
“There are a lot of people involved in this operation,” Hummel says. Arresting someone at the top is akin to a botnet “takedown,” where plenty of other members continue the operation, even without the botnet operator or, in Carbanak/Cobalt/FIN7’s case, its lead.
ASERT researchers first spotted the latest attack campaign on Aug. 13, targeting financial institutions in Eastern Europe and Russia with convincing-looking spear-phishing emails that purported to be from a financial vendor or partner of the targeted institution. ASERT identified two specific bank targets: NS Bank in Russia and Banca Comerciala Carpatica/Patria Bank in Romania.
The cybercrime group is well-known for its slick and realistic-looking spear-phishing emails that contain malicious Word documents and other attachments. The attacks found by ASERT researchers include malware that can bypass Windows AppLocker whitelisting by employing legitimate Windows processes that AppLocker does not block by default: regsvr32.exe and cmstp.exe.
Cisco Talos researchers last month found the group employing an email posing as the European Banking Federation, with a spoofed email address. In that case, the attachment was a malicious PDF file that included an URL leading to exploits for CVE-2017-11882, CVE-2017-8570, and CVE-2018-8174. “The final payload is a JScript backdoor … that allows the attacker to control the affected system remotely,” Talos said in a blog post on the campaign, as well as others that use similar tools and techniques as Carbanak/Cobalt.
The Payloads
ASERT researchers found in the latest campaign that the malicious Word file contains hidden VBA scripts, and the JPG file contains a binary file – both with malicious code calling out to two command-and-control servers known to be run by Carbanak/Cobalt/FIN7. “What they plan to do with the current campaign is unclear,” Hummel says. “But they are trying to get two backdoors installed and get into the network,” possibly to gain a foothold, he says.
Hummel says there are least five other registered domains, although his team likely only scratched the surface of the entire campaign.
The URL that loads the malicious, VBA script-rigged Word document operates if macros are enabled. The script then launches cmstp.exe with an INF file to sneak past AppLocker, and downloads a remote payload – a JavaScript backdoor – that gets executed. A DLL file posing as a text file launches the final piece of malcode using regsvr32.exe.
The JPEG contains a URL with multiple layers of obfuscation, and calls out to the C2 server for more payloads.
ASERT has alerted the victim organizations and recommends that financial institutions train users about what to click and what not to click. “Criminal actors are a lot better at crafting well-done spear phishes where the sender looks like it’s coming from someone inside the organization,” Hummel says, so users need help knowing what to do.
“Most stand-alone email clients and browsers allow corporate policy to disable scripting by default, unless it’s coming from internal sources,” he adds.
Related Content:
- 6 Reasons Security Awareness Programs Go Wrong
- Carbanak’s Back And Using Google Services For Command-and-Control
- Cybercrime Gangs Blend Cyber Espionage And Old-School Hacks In Bank Heists
- Leader of Cybercrime APT Behind $1.2 Billion in Bank Heists Arrested
Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.
Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio