Researchers at security firm Netscout have discovered a financially motivated cyber attack campaign that could be linked to the Cobalt Group, which is believed to be responsible for cyber heists costing millions.
Similarities in phishing emails used in the new ongoing campaign targeting financial institutions in Eastern Europe and Russia led researchers to suspect a link to the Cobalt group, which has targeted mainly financial organisations in the past, often by using automatic teller machine (ATM) malware.
The latest campaign, discovered on 13 August, is using spear phishing attacks to steal legitimate credentials to bypass security defences and gain entry to banking IT systems. The emails appear to come from a financial supplier or partner, increasing the likelihood of infection.
One phishing email analysed by the researchers contained two malicious links. One is a weaponised Word document that contains obfuscated VBA [Visual Basic for Applications] scripts, and the other is a binary (executable file) with a .jpg image file extension.
Making use of separate infection points in one email with two separate command and control servers is unusual and could be aimed at increasing the likelihood of success, the researchers said.
The binaries analysed contained two unique command and control servers, which Netscout researchers believe are owned and operated by the Cobalt hacking group.
They think the cyber attack group will continue targeting financial organisations in Eastern Europe and Russia based on the attack methods in this campaign.
Banking and other financial institutions are advised to ensure that employees are trained to spot phishing emails.
These and other organisations should also ensure they have the capability to inspect emails closely to identify fake domains that might contain malicious attachments or links.
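As an added illustration of the attachment-inspection capability just described (not code from Netscout or from the article), the following Python checks each attachment's real content rather than its filename: it flags a Windows executable carrying a .jpg extension and an Office document that contains a VBA project, the two lures this campaign used. The sample attachments and the filenames are constructed for the example.

```python
import io
import zipfile

# Magic bytes for the container types relevant to the lures described above.
PE_MAGIC = b"MZ"            # Windows executable (DOS stub header)
JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_MAGIC = b"PK\x03\x04"   # OOXML (docx/docm/xlsm) is a zip archive


def classify_attachment(filename: str, data: bytes) -> str:
    """Verdict for one attachment based on content, not on the claimed extension.

    'executable-disguised' : PE binary with a non-.exe extension (e.g. .jpg)
    'office-with-macros'   : OOXML document containing a VBA project part
    'ok'                   : content matches the claimed type
    'unknown'              : could not classify
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(PE_MAGIC):
        return "ok" if ext == "exe" else "executable-disguised"
    if data.startswith(JPEG_MAGIC):
        return "ok" if ext in ("jpg", "jpeg") else "unknown"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        # Macros live in a vbaProject.bin part (word/, xl/ or ppt/ folder).
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "office-with-macros"
        return "ok"
    return "unknown"


def _build_docm_with_macro() -> bytes:
    """Constructed sample: minimal OOXML-style zip carrying an (empty) VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"")
    return buf.getvalue()


# Constructed attachments: a PE disguised as an image, a real JPEG header, a macro doc.
SAMPLES = {
    "invoice.jpg": b"MZ\x90\x00" + b"\x00" * 60,
    "photo.jpg": JPEG_MAGIC + b"\xe0" + b"\x00" * 16,
    "statement.docm": _build_docm_with_macro(),
}


def scan_samples() -> dict:
    return {name: classify_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name}: {verdict}")
```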
The wider criminal operation uses both Carbanak and Cobalt malware and is linked to the theft of up to $1bn from financial institutions in more than 40 countries.
According to Europol, the Cobalt malware enables criminals to steal up to €10m in each heist.