Cobalt Group (aka TEMP.Metastrike), active since at least late 2016, have been suspected in attacks across dozens of countries. The group primarily targets financial organizations, often with the use of ATM malware. Researchers also believe they are responsible for a series of attacks on the SWIFT banking system which costs millions in damages to the impacted entities.
On Aug. 13, Arbor’s Security Engineering & Response Team observed the financially-motivated hacking group actively pushing a new campaign. We believe the targeted institutions for the ongoing campaign are located in eastern Europe and Russia. The active campaigns utilize spear phishing messages to gain entry. The emails appear to come from a financial vendor or partner, increasing the likelihood of infection. The group uses tools that can bypass Window’s defenses.
ASERT recently uncovered two different malware samples which we believe connect the active campaigns to Cobalt Group. The first sample, a JavaScript backdoor, shares functionality with previous versions of a similar backdoor. The second binary, CobInt/COOLPANTS, is a reconnaissance backdoor as noted by security researchers.
