Carbanak/Cobalt/FIN7 Group Targets Russian, Romanian Banks in New Attacks

Published: 23/11/2024   Category: security


Latest campaign by the hard-to-kill cybercrime group hides malicious code behind legitimate files, Windows processes.



The most financially destructive cybercrime organization in the world continues to hammer away at financial institution targets: The Carbanak Group – aka Cobalt Group and FIN7 – most recently was spotted trying to break into Russian and Romanian banks with spear-phishing emails loaded with dual malicious links.
The twofer strategy of loading an email with both a Word document and a JPEG – both rigged with malware – appears to be an insurance policy of sorts that the victim will be tempted to click on at least one of the links that leads to the malicious files, according to Richard Hummel, threat research manager for Netscout ASERT, which analyzed the group's latest attack campaign.
"I think it's more of a redundancy thing with the two vectors," Hummel says, noting that it's relatively unusual for attackers to have two malicious links in one phish. "We've seen where they have a malicious attachment and a malicious link, but not two malicious links. That was different."
Carbanak/Cobalt/FIN7's resilience runs deep, and its tentacles wide. In late March, Spanish police arrested the alleged leader of the organization, which is believed to have stolen more than $1.2 billion from 100-plus banks across 40 countries since it was first observed in 2013. His name was not released, but Spanish authorities reportedly said he was a Ukrainian and identified as Denis K.
In August, the US Department of Justice announced that three additional high-level leaders of the organization – Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30 – were in custody and had been indicted. US law enforcement officials said the cybercrime group stole payment card data from millions of customers via more than 100 US retail companies, including Saks Fifth Avenue, Chipotle Mexican Grill, Arby's, and Red Robin.
Experts say the group's ability to continue its operations despite the high-level arrests of its leaders, as well as the regular exposure by security researchers of its cyberattack campaigns, demonstrates how hard it is to fully shutter a massive cybercrime operation with global ties.
"There are a lot of people involved in this operation," Hummel says. Arresting someone at the top is akin to a botnet takedown, where plenty of other members continue the operation, even without the botnet operator or, in Carbanak/Cobalt/FIN7's case, its lead.
But FireEye, which came up with the FIN7 name, considers FIN7 and Cobalt Group (also known as TEMP.MetaStrike) as separate entities that sometimes use the same attack tools.
"One point of common confusion has been both FIN7 and TEMP.MetaStrike's connections to Carbanak," says Kimberly Goody, manager of financial crime analysis at FireEye. "FireEye has previously reported publicly that we track multiple distinct clusters of activity dating back to 2013 that have used this malware. Based on these observations, we believe the most likely scenario is that this malware is used by a small number of groups, who may be sharing techniques and tools for their different operations."
ASERT researchers first spotted the latest attack campaign on Aug. 13, targeting financial institutions in Eastern Europe and Russia with convincing-looking spear-phishing emails that purported to be from a financial vendor or partner of the targeted institution. ASERT identified two specific bank targets: NS Bank in Russia and Banca Comerciala Carpatica/Patria Bank in Romania.
The cybercrime group is well-known for its slick and realistic-looking spear-phishing emails that contain malicious Word documents and other attachments. The attacks found by ASERT researchers include malware that can bypass Windows AppLocker whitelisting by employing legitimate Windows processes that AppLocker does not block by default: regsvr32.exe and cmstp.exe.
Cisco Talos researchers last month found the group employing an email posing as the European Banking Federation, with a spoofed email address. In that case, the attachment was a malicious PDF file that included a URL leading to exploits for CVE-2017-11882, CVE-2017-8570, and CVE-2018-8174. "The final payload is a JScript backdoor ... that allows the attacker to control the affected system remotely," Talos said in a blog post on the campaign, as well as others that use similar tools and techniques as Carbanak/Cobalt.
The Payloads
ASERT researchers found in the latest campaign that the malicious Word file contains hidden VBA scripts, and the JPG file contains a binary file – both with malicious code calling out to two command-and-control servers known to be run by Carbanak/Cobalt/FIN7. What they plan to do with the current campaign is unclear, Hummel says. "But they are trying to get two backdoors installed and get into the network, possibly to gain a foothold," he says.
Hummel says there are at least five other registered domains, although his team likely only scratched the surface of the entire campaign.
The malicious, VBA script-rigged Word document loaded from the URL operates only if macros are enabled. The script then launches cmstp.exe with an INF file to sneak past AppLocker, and downloads a remote payload – a JavaScript backdoor – that gets executed. A DLL file posing as a text file launches the final piece of malcode using regsvr32.exe.
The JPEG contains a URL with multiple layers of obfuscation, and calls out to the C2 server for more payloads.
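The execution chain described above leaves a recognizable trail in process-creation telemetry: an Office process spawning cmstp.exe or regsvr32.exe, cmstp.exe being handed an INF file, and regsvr32.exe pointed at a file whose extension is not a DLL. The following detection sketch is an added example, not ASERT's or Netscout's code; the pipe-delimited event format and the sample events are constructed for illustration.

```python
"""Flag process-creation events matching the AppLocker-bypass chain above.
Event format (constructed for this example): timestamp|parent_image|image|command_line"""
import os
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WATCHED_BINARIES = {"cmstp.exe", "regsvr32.exe"}
LIBRARY_EXTENSIONS = {".dll", ".ocx"}  # what regsvr32.exe legitimately registers

# Constructed sample events, modelled on the chain described in the article.
SAMPLE_EVENTS = [
    "2018-08-13T10:01:02|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|"
    "C:\\Windows\\System32\\cmstp.exe|cmstp.exe C:\\Users\\u\\AppData\\Local\\Temp\\profile.inf",
    "2018-08-13T10:01:05|C:\\Windows\\System32\\cmd.exe|"
    "C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s C:\\Users\\u\\AppData\\Local\\Temp\\readme.txt",
    "2018-08-13T10:02:00|C:\\Windows\\explorer.exe|"
    'C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s "C:\\Program Files\\Vendor\\component.dll"',
]

def parse_event(line):
    ts, parent, image, cmdline = line.rstrip("\n").split("|", 3)
    # Normalise Windows paths to bare, lower-cased executable names.
    basename = lambda p: os.path.basename(p.replace("\\", "/")).lower()
    return {"ts": ts, "parent": basename(parent), "image": basename(image), "cmdline": cmdline}

def classify(event):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    image, parent, cmdline = event["image"], event["parent"], event["cmdline"]
    if image in WATCHED_BINARIES and parent in OFFICE_PARENTS:
        reasons.append(f"{image} spawned by Office process {parent}")
    if image == "cmstp.exe" and re.search(r'\.inf(\s|$|")', cmdline, re.I):
        reasons.append("cmstp.exe launched with an INF file")
    if image == "regsvr32.exe":
        # Tokenise the command line; skip the program name itself and /switches.
        for tok in re.findall(r'"[^"]*"|\S+', cmdline)[1:]:
            tok = tok.strip('"')
            if tok.startswith(("/", "-")):
                continue
            ext = os.path.splitext(tok)[1].lower()
            if ext and ext not in LIBRARY_EXTENSIONS:
                reasons.append(f"regsvr32.exe loading a file with extension {ext}")
    return reasons

def scan(lines):
    """Return [(timestamp, image, reasons)] for every flagged event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev["ts"], ev["image"], reasons))
    return hits

if __name__ == "__main__":
    for ts, image, reasons in scan(SAMPLE_EVENTS):
        print(ts, image, "; ".join(reasons))
```

The third sample (a DLL registered from an installer context) passes untouched, which is the point of keying on parent process and file extension rather than on the binaries themselves.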
ASERT has alerted the victim organizations and recommends that financial institutions train users about what to click and what not to click. "Criminal actors are a lot better at crafting well-done spear phishes where the sender looks like it's coming from someone inside the organization," Hummel says, "so users need help knowing what to do."
Most stand-alone email clients and browsers allow corporate policy to disable scripting by default, unless it's coming from internal sources, he adds.