The PT Expert Security Center (PT ESC) has been monitoring the Cobalt group since 2016. Currently the group targets financial organizations around the world. Two years ago, for example, their attacks caused over $14 million in damage. Over the last four years, we have released several reports on attacks linked to the group. Over the last year, the group has not only modified its flagship tools CobInt and COM-DLL-Dropper, used in conjunction with the more_eggs JavaScript backdoor, but also started using new methods to deliver malware and bypass security in the initial stages of the kill chain. As a group whose activities have long been of interest to security researchers all over the world, the attackers are highly motivated to stay one step ahead.

Figure 1. Number of Cobalt attacks detected by PT ESC

In 2019, the group conducted an average of three attacks per month. Although we do not know whether the attacks were successful, such frequency may indicate that the criminals possess substantial financial resources, allowing them to maintain their infrastructure, update malware, and adopt new techniques. The following histogram shows that in late 2019 the group started favoring CobInt over COM-DLL-Dropper.

Figure 2. Number of attacks using COM-DLL-Dropper and CobInt in 2019

Detection coverage is the likely reason for the shift. The more_eggs JavaScript backdoor is detected by the ETPro ruleset, including in public sandboxes, whereas CobInt traffic does not trigger security mechanisms. In addition, CobInt downloads its main library from the command and control (C2) server directly into memory, while COM-DLL-Dropper saves the obfuscated more_eggs to disk before executing it in memory. COM-DLL-Dropper therefore leaves more artifacts on the infected machine.

1. In late August 2019, we detected a CobInt attack that presumably targeted European financial institutions. We do not know whether the attack was successful. CobInt was dropped by a custom NSIS installer. We detected three versions of the dropper, for Chrome, Firefox, and Opera. Each dropper contained the same CobInt version and a browser-specific installer. Once launched, the dropper saved CobInt to the %TEMP% folder and then ran both CobInt and the installer.

Malware analysis proved that the droppers were distributed from the phishing website ecb-europeaneu.

Figure 4.

The site was a copy of the European Central Bank website, except for a pop-up window that asked visitors to update their browser. Visitors who fell for the ruse downloaded the dropper to their computer. The page source code contained a link to the script that displayed the pop-up window. The configuration strings in the script contain links for four droppers (we could not obtain the first one) and allow creating links for Safari, Edge, and Internet Explorer. The strings also specify how long after the page loads the window appears, how many times it will be shown to a user, the type of device on which it will be displayed, and which banner will be shown. In addition, the script detects bots, crawlers, and spiders, so automated scanners never see the lure. Here are alternative windows contained in the script:

Figure 7. Alternative window specified in the script parameters

Figure 8. Alternative window specified in the script parameters

We do not know how the user landed on this website. Most likely, the user was a victim of a phishing attack like many of those performed by Cobalt. We believe that Cobalt purchased this pop-up framework on a dark web forum. In an article from November 2019, Zscaler described a similar scenario for spreading NetSupport RAT: the framework was placed on compromised sites, which showed visitors a corresponding pop-up window. In yet another case, the malicious file Login_Details.img was also distributed from the site ecb-europeaneu. Our colleagues from Group-IB have provided a detailed analysis of the malware.

In late December 2019, we detected another CobInt loader used by Cobalt. It was a virtual hard disk (VHD), presumably distributed by email. The VHD format was originally developed by Connectix for their Virtual PC product. Microsoft acquired the product in 2003 and renamed it Microsoft Virtual PC. In 2005, the format specification became available to the public. Microsoft also uses the VHD format in Hyper-V, its hypervisor-based virtualization technology. A VHD file may contain anything found on a physical hard drive, such as disk partitions and a file system with folders and files. Windows 7 and newer systems can mount VHD files manually, for example through the Disk Management MMC snap-in. Starting with Windows 8, a user can mount a VHD simply by double-clicking the file. A mounted VHD image appears to Windows just like a normal hard disk, and files opened from it carry no download-origin marking, so an executable inside the image runs with fewer warnings than the same file downloaded directly.
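The VHD delivery described above invites a simple pre-mount check. The following Python script, added here as an illustration and not part of the PT ESC report or its tooling, parses the 512-byte footer that every VHD carries at its end and reports the fields an analyst wants before touching the file: whether it is a genuine VHD (the "conectix" cookie and the footer checksum), whether it is a fixed, dynamic or differencing disk, the creator application and host OS, the creation timestamp, and whether the file size matches the declared disk size. The sample image it builds is constructed inline; field offsets follow Microsoft's public VHD specification, and the triage rules in `triage_findings` are this example's own, not anything the report states.

```python
"""Triage a VHD attachment without mounting it by parsing its 512-byte footer.

Added example for this page, not PT ESC tooling. Field layout follows Microsoft's
public VHD specification (big-endian; the footer is the last 512 bytes of the file).
"""
import struct
from datetime import datetime, timedelta, timezone

FOOTER_SIZE = 512
# cookie, features, version, data_offset, timestamp, creator_app, creator_ver,
# creator_host_os, original_size, current_size, cylinders, heads, sectors/track,
# disk_type, checksum, unique_id, saved_state, reserved
FOOTER_FMT = ">8sIIQI4sI4sQQHBBII16sB427s"
CHECKSUM_OFFSET = 64  # byte offset of the checksum field inside the footer
DISK_TYPES = {0: "none", 2: "fixed", 3: "dynamic", 4: "differencing"}
VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # VHD timestamps count from here

assert struct.calcsize(FOOTER_FMT) == FOOTER_SIZE


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum of the footer with the checksum field zeroed."""
    zeroed = footer[:CHECKSUM_OFFSET] + b"\x00" * 4 + footer[CHECKSUM_OFFSET + 4:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def parse_vhd_footer(blob: bytes) -> dict:
    """Parse the trailing footer of a VHD file and return triage-relevant fields."""
    if len(blob) < FOOTER_SIZE:
        raise ValueError("file too small to hold a VHD footer")
    footer = blob[-FOOTER_SIZE:]
    (cookie, _features, _version, data_offset, timestamp, creator_app, creator_ver,
     host_os, original_size, current_size, cylinders, heads, spt, disk_type,
     checksum, unique_id, saved_state, _reserved) = struct.unpack(FOOTER_FMT, footer)
    return {
        "cookie_ok": cookie == b"conectix",
        "checksum_ok": checksum == vhd_checksum(footer),
        "disk_type": DISK_TYPES.get(disk_type, f"unknown({disk_type})"),
        "creator_app": creator_app.decode("ascii", "replace").strip(),
        "creator_version": f"{creator_ver >> 16}.{creator_ver & 0xFFFF}",
        "creator_host_os": host_os.decode("ascii", "replace").strip(),
        "created_utc": (VHD_EPOCH + timedelta(seconds=timestamp)).isoformat(),
        "original_size": original_size,
        "current_size": current_size,
        "geometry": (cylinders, heads, spt),
        "unique_id": unique_id.hex(),
        "saved_state": bool(saved_state),
        # A fixed disk is raw sectors followed by the footer; dynamic and
        # differencing disks instead point data_offset at a dynamic header.
        "fixed_layout_ok": disk_type == 2
        and data_offset == 0xFFFFFFFFFFFFFFFF
        and len(blob) == current_size + FOOTER_SIZE,
    }


def triage_findings(info: dict) -> list:
    """Turn parsed fields into the short list of reasons an analyst would escalate."""
    findings = []
    if not info["cookie_ok"]:
        findings.append("no 'conectix' cookie: not a VHD footer (renamed or corrupt file)")
    if not info["checksum_ok"]:
        findings.append("footer checksum mismatch: hand-crafted or truncated image")
    if info["disk_type"] == "fixed" and not info["fixed_layout_ok"]:
        findings.append("fixed disk whose file size does not match its declared size")
    if info["disk_type"] == "differencing":
        findings.append("differencing disk: depends on a parent image not in the attachment")
    return findings


def build_sample_fixed_vhd(data: bytes) -> bytes:
    """Constructed sample (not a real attachment): a fixed VHD wrapping `data`."""
    sectors_per_track, heads = 17, 4
    cylinders = max(1, len(data) // (512 * sectors_per_track * heads))
    created = int((datetime(2019, 12, 20, tzinfo=timezone.utc) - VHD_EPOCH).total_seconds())
    fields = [b"conectix", 2, 0x00010000, 0xFFFFFFFFFFFFFFFF, created, b"win ",
              0x000A0000, b"Wi2k", len(data), len(data), cylinders, heads,
              sectors_per_track, 2, 0, bytes(16), 0, bytes(427)]
    fields[14] = vhd_checksum(struct.pack(FOOTER_FMT, *fields))  # fill in checksum
    return data + struct.pack(FOOTER_FMT, *fields)


if __name__ == "__main__":
    sample = build_sample_fixed_vhd(bytes(64 * 1024))
    info = parse_vhd_footer(sample)
    for key, value in info.items():
        print(f"{key:18} {value}")
    print("findings:", triage_findings(info) or "none")
```

To run it against a real attachment, replace the constructed sample with `open(path, "rb").read()`. For dynamic and differencing disks the specification also writes a copy of this footer as the first 512 bytes of the file, so a missing or mismatching copy at the start is a further sign that the image was assembled by hand rather than by Disk Management or Hyper-V.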