Over the past year, Morphisec and several other endpoint protection companies have been tracking a resurgence in activity from the Cobalt Group. Cobalt is one of the most notorious cybercrime operations, with attacks against more than 100 banks across 40 countries attributed to the group. The most recent attacks can be grouped into two types of campaigns. Many of the campaigns are based on the known and prevalent ThreadKit exploit kit generation framework. Other campaigns are more sophisticated, borrowing only some functionality from ThreadKit while incorporating additional advanced techniques from other sources.
Morphisec Labs believes that the Cobalt Group split following the arrest of one of its top leaders in Spain in March of 2018. While Cobalt Gang 1.0 uses ThreadKit extensively, Cobalt 2.0 adds sophistication to its delivery method, borrowing some of the network infrastructures used by both APT28 (aka Fancy Bear) and MuddyWater.
Stage 1 - Word Macro + Whitelisting Bypass
As with many other campaigns, the victim received a document with malicious macro visual basic code.
Although the code is heavily obfuscated, the entry point is easily identifiable. The VB code is executed starting from the Frame1_Layout function – this method is used much less frequently than the obvious Document_Open or the AutoOpen.
The list of additional possible execution triggers is defined here: https://www.greyhathacker.net/?p=948
The macro is executing the legitimate Windows process cmstp.exe (connection manager Profile Installer). This technique was previously used by the MuddyWater group when attacking Middle East targets. The use of cmstp.exe whitelisting bypass was researched by Oddvar Moe, where he showed how, by manipulating the inf file, cmstp can execute scriptlets or executables.
Stage 3 - PureBasic Legitimate Executable Mixed with Additional Malicious Functions
The dropped DLL is actually a PureBasic compiled code and a legitimate application. The application is not signed (as many other PureBasic applications) and therefore easily manipulated to execute inserted malicious code. In this case, the exported function DllRegisterServer wasn’t part of the legitimate application and is perfect for application flow redirection when executed by regsvr32.exe. Because PureBasic is a full programming language that compiles to assembly and has endless possibilities and APIs to manipulate the memory, it also complicates the generation of patterns by security vendors that base their detection on static or dynamic pattern signatures. Although some security solutions will block all PureBasic programs (wrong move – there are plenty of legitimate PureBasic programs in use today), it’s a smart move made by the attacker group.
To function properly, the malicious injected code needs to reflectively load and map to existing core functions. The same code also applies anti-disassembly and anti-debugging techniques. It gets the following functions from Kernel32 and Advapi32:
The code then uses the identified functions to add persistency through registry and add next stages file names identifier through the following locations:
Such a combination of registry manipulation was reported a year ago as part of an attack campaign executed by the Cobalt Group against Ukrainian banks.
Here, the scriptlet is automatically obfuscated in a way similar to the first scriptlet:
- "d&exec" – Download an executable or a dll (if it’s a dll, use regsvr32 to execute it)
- "more_eggs" – Downloads and replace the existing backdoor script with new script
- "gtfo" – Clean traces, remove persistency and stage 4,5 files
- "more_onion" – Execute the Backdoor script
- "via_x" – execute cmd / shell commands locally
As with every communication with the C2, the script collects and sends information about the target environment including the stack of security solutions installed on the computer and are part of the following list:
As organizations improve their defenses, attackers find new ways to get around them. Threat groups such as Cobalt are increasingly incorporating delivery techniques that allow them to easily bypass whitelisting and AppLocker policies, and we see more and more attacks using legitimate processes to carry out their malicious intent.
Although some of the decrypted artifacts have been seen in the wild since the beginning of the year (or earlier), the attack is still very effective as many security solutions do not detect the artifacts once they are obfuscated and encrypted. The need for a different approach to security is greater than ever. Moving Target Defense, as defined by the DHS and implemented by Morphisec, breaks the assumptions made by the attackers. Morphisec Endpoint Threat Prevention natively prevents the attack before it can perform any type of malicious activity, no updates needed.
Organizations should expect to see much more coming from all Cobalt Group factions during the next year. Contact one of our security experts to learn how Morphisec protects your business from this and future Cobalt attacks.