In a world where cyberattacks against businesses and consumers alike are spreading and evolving in nature and sophistication, it is often financial institutions which bear the brunt.
Banking customers hoodwinked by fraudulent schemes or those that become the victims of theft through the loss of their financial credentials will often try to claim back lost funds — of which, banks appear to vary when it comes to compensation.
Some banks attempt to lay the responsibility of fraud at their customers’ feet to reduce the expense. However, it is not just customers that can become victims, but the institutions themselves.
This was followed by a financial loss of $13.5 million suffered by Cosmos Bank, one of India’s oldest financial institutions. Malware infected the bank’s ATM server in order to facilitate the theft of customer credit card information of customers, alongside SWIFT banking codes required to make transactions.
Cybercriminals able to infiltrate these systems can make a killing. Carbanak alone has managed to steal at least $1 billion from banks worldwide, and now, Cobalt is back on the scene with a new campaign against similar targets.
On Thursday, researchers from the Secureworks Counter Threat Unit (CTU) said the group is “using their extensive resources and network insights to target high-value financial organizations around the world.”
Cobalt is a sophisticated hacking group known to pursue high-value financial targets rather than immerse themselves into mass spam campaigns or individual credential thefts. Active since at least 2016, the APT specializes in targeted, network intrusion to gain access to systems which can be compromised for the purposes of theft.
The hacking group’s latest campaigns are no different.
CTU has monitored Cobalt over the course of this year and has uncovered the deployment of SpicyOmelette, a malicious tool which is used during the initial phases of an attack against a financial institution.
The malware is generally delivered via phishing emails which contain what appears to be a .PDF attachment. However, should a victim — such as a bank employee — click the file, they are redirected to an Amazon Web Services (AWS) URL controlled by Cobalt.
This page then installs SpicyOmelette, which is signed by a valid and trusted certificate authority (CA).
Once SpicyOmelette has been installed on a machine, the malware provides a crucial foothold in the target system for the operators.
The malware is able to harvest machine information such as IP address, system name, and running software application lists, install additional malware payloads and also scans for the presence of a total of 29 antivirus tools.
SpicyOmelette paves the way for privilege escalation via the theft of account credentials, the identification of systems containing lucrative financial data or transaction abilities — including payment gateways and ATM architectures — and the deployment of post-infection tools specifically designed to compromise these systems.
Cobalt has been connected to the theft of millions of dollars from financial institutions worldwide and is believed to have caused over €1bn in damages. Despite the arrest of the APT’s suspected leader this year, the group shows no sign of stopping.
“Arrests of suspected Gold Kingswood operators in March 2018 did not deter the threat group’s campaigns, likely due to its vast network of resources,” CTU says. “[We] expect Gold Kingswood’s operations and toolset to continue to evolve, and financial organizations of all sizes and geographies could be exposed to threats from this group.”
“The threat group’s detailed understanding of financial systems and history of successful campaigns make it a formidable threat,” the researchers added.