Financial organizations are being targeted by a notorious hacking group. The group, accused of carrying out various cyber attacks against the SWIFT banking network and ATM systems, has now started targeting employees of two banks.
The Cobalt cyber gang has been active in more than 40 countries and has potentially made around €10 million from each bank it robbed. Estimates suggest the gang has made over €1bn looting these banks.
Though the gang leader is behind bars thanks to the Europol operation in March this year, security firms have detected that the Cobalt gang is still active, with fresh reports of new campaigns showing up just weeks after the arrest took place.
Recently two more Cobalt campaigns were discovered, which targeted banks in Eastern Europe and Russia.
Netscout Arbor revealed the latest criminal activity, which began in mid-August. The latest campaign targets two banks, namely NS Bank in Russia and Patria Bank in Romania.
The modus operandi in both cases was to send phishing emails that appear to come from a financial vendor or partner related to the bank. This makes the victim trust the origin of the message and the sender.
The malicious links in the mail deliver the malware in one of two ways: either a weaponized Word document that contains obfuscated VBA scripts or a binary with a .jpg extension. To increase the chance of infection, the phishing messages try to deliver both using the same method.
Researchers found that the binaries contained links to command and control servers. These are believed to be owned and operated by the Cobalt hacking group. Apart from this, researchers also mentioned that the malware used as part of the campaign bears a “striking resemblance” to Cobalt, which was used as a backdoor in previous Cobalt campaigns.
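As an added illustration (not from the original article or from Netscout's research), the sketch below shows how a download or mail gateway could triage the two delivery forms described above: content that does not match an image extension, and Office documents that carry a VBA project. All function names, file names and sample bytes are constructed assumptions, and the OLE2 check is a simple stream-name heuristic.

```python
import io
import zipfile
from pathlib import PurePath

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc container
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # OLE2 directory names are UTF-16LE
MAGICS = ((b"MZ", "pe"), (b"\xff\xd8\xff", "image"), (b"\x89PNG", "image"),
          (b"GIF8", "image"), (OLE2_MAGIC, "ole2"), (b"PK\x03\x04", "zip"))

def sniff(data):
    """Classify content by its leading bytes, ignoring the file name."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    return "unknown"

def has_macros(data, kind):
    """OOXML: look for a vbaProject.bin part. OLE2: heuristic stream-name search."""
    if kind == "ole2":
        return VBA_STREAM in data
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False

def triage(name, data):
    """Return a list of findings for one downloaded file."""
    ext, kind, findings = PurePath(name).suffix.lower(), sniff(data), []
    if ext in IMAGE_EXTS and kind != "image":
        findings.append(f"extension {ext} but content is {kind}")
    if has_macros(data, kind):
        findings.append("document contains a VBA project")
    return findings

def constructed_ooxml(with_macro):
    """Build a minimal constructed OOXML-style zip for the demo (not a valid Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage("statement.jpg", b"MZ\x90\x00" + b"\x00" * 60))  # constructed sample
    print(triage("invoice.docm", constructed_ooxml(True)))        # constructed sample
```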
Richard Hummel, threat intelligence manager at Netscout, speaking to internet media, said: “Looking at past successful attacks from this group, they are very effective at capitalizing on the access they gain in order to steal money from the compromised organizations.”
He further said: “If the attackers are successful in their efforts to compromise these organizations, they may look to access sensitive information for clients, the bank’s records, and find some way to directly steal funds from the targeted organizations.”
Researchers warn that the Cobalt campaign may still be active and that other banks may be targeted in this way.