Notorious cyber crime gang behind global bank hacking spree returns with new attacks

A notorious hacking group that targets financial organisations and is thought to be the perpetrator of cyber attacks against the SWIFT banking network and ATM systems has launched a new campaign targeting employees of two banks.

The Cobalt cyber crime gang is suspected of striking banks in more than 40 countries and potentially making as much as €10 million per heist. It’s estimated the attacks have caused over €1bn in damages.

Despite the suspected leader of the group being arrested as part of a Europol operation in March this year, Cobalt remained active, with security firms detecting new campaigns just weeks after the arrest took place.

Now two new Cobalt campaigns have been uncovered, this time targeting banks in Eastern Europe and Russia.

The new criminal activity, uncovered by Netscout Arbor, began in mid-August. The two banks being targeted by this latest campaign are NS Bank in Russia and Patria Bank in Romania.

In both cases, phishing emails appear to come from a financial vendor or partner related to the bank, a tactic that is used to trick victims into trusting the origin of the message and the sender.

“In at least one of the campaigns the attackers crafted an email that appeared to come from SEPA Europe (Single Euro Payments Area) with information about expanded coverage,” Richard Hummel, threat intelligence manager at Netscout told ZDNet.

“The recipient of the email was encouraged to click on an embedded link to find more information pertaining to the expanded coverage area.”


The links within the messages are malicious, directing the user to two means of delivering malware: one a weaponised Word document containing obfuscated VBA scripts, and the second a binary with a .jpg extension.

The phishing messages attempt to deliver both using the same method in what’s suspected to be an effort to increase the chance of infection.
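A defender-side triage check for the two delivery mechanisms just described, added here as an illustration and not code from the original report or from the researchers: it classifies a file by its leading magic bytes rather than by its name, so an executable carrying a .jpg extension and a Word package that ships a VBA project stream are both flagged. The signature table and the sample document builder are constructed for this example.

```python
import io
import zipfile

# Well-known file signatures (magic bytes) a mail gateway can check cheaply.
SIGNATURES = {
    "pe": b"MZ",                                 # Windows executable/DLL
    "jpeg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",                        # OOXML (.docx/.docm) container
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy binary .doc container
}
# Content type a defender expects behind each declared extension.
EXPECTED = {"jpg": "jpeg", "jpeg": "jpeg", "exe": "pe", "dll": "pe",
            "docx": "zip", "docm": "zip", "doc": "ole"}

def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def has_vba_project(data: bytes) -> bool:
    """True if an OOXML package contains the VBA macro stream."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def assess(filename: str, data: bytes) -> dict:
    """Flag an executable behind an image extension or a Word file with macros."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_type(data)
    mismatch = ext in EXPECTED and EXPECTED[ext] != kind
    macros = kind == "zip" and has_vba_project(data)
    # Legacy OLE documents may also carry macros; flag them for deeper inspection.
    return {"file": filename, "declared": ext, "content": kind,
            "extension_mismatch": mismatch, "vba_macros": macros,
            "suspicious": mismatch or macros or kind == "ole"}

def build_docm_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"constructed macro stream")
    return buf.getvalue()
```

Feeding `assess("coverage_map.jpg", b"MZ..." )` returns `extension_mismatch=True`, while a genuine JPEG header under the same name passes and a `.docm` built with `build_docm_sample(True)` is flagged for `vba_macros`.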

Researchers analysed the binaries and found they contained links to command and control servers, which are believed to be owned and operated by the Cobalt hacking group. In addition, researchers note that malware used as part of the campaign bears a “striking resemblance” to Coblnt – a backdoor used in previous Cobalt campaigns.

It’s likely the attempted delivery of this trojan is intended to gain a foothold in the networks of the targeted banks, with the goal of using compromised machines to reach further into systems inside those networks.

“Looking at past successful attacks from this group, they are very effective at capitalizing on the access they gain in order to steal money from the compromised organizations,” said Hummel.

“If the attackers are successful in their efforts to compromise these organizations, they may look to access sensitive information for clients, the bank’s records, and find some way to directly steal funds from the targeted organizations.”

It’s believed that this latest Cobalt campaign is still active, and researchers warn that it’s possible there are other banks being targeted in this way.