Rewterz Threat Alert – Cobalt Group Activity Discovered

Monday, March 4, 2019

Severity

High

Analysis Summary

The Cobalt group has resurfaced, targeting specific customers with phishing emails that deliver malicious URLs. The observed infection chain is:

  • CobInt Downloader (EXE) -> Polymorphic Encrypted Data (DLL – CobInt Malware) -> Final Payload

Indicators of Compromise

IP(s) / Hostname(s)

  • 193.33.61[.]170
  • 144.202.59[.]44
  • 192.42.119[.]41
  • 45.72.3[.]177

URLs

Email Address

  • eva.olofsson[@]dskbank[.]uk
  • jan.larsson[@]dskbank[.]uk
  • christoph.danz[@]dskbank[.]uk
  • info[@]dskbank[.]uk

Malware Hashes (MD5/SHA1/SHA256)

Remediation

  • Block the threat indicators above at the respective controls (mail gateway, proxy, firewall, endpoint).
  • Always be suspicious of emails from unknown senders.
  • Never open attachments or click links sent by unknown senders.
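
As an added example (not part of the Rewterz alert), the Python below refangs the IP and domain indicators listed in this alert and checks them against constructed sample proxy log lines; it is one way to operationalise the "block threat indicators at respective controls" step. The log format and client addresses are assumptions.

```python
import re

# IP and domain indicators copied (defanged) from the alert above.
ALERT_IOCS = [
    "193.33.61[.]170",
    "144.202.59[.]44",
    "192.42.119[.]41",
    "45.72.3[.]177",
    "dskbank[.]nl",
    "ciscoupdt[.]com",
    "boutrost[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps://, [.], [@]) back into its real form."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[@]", "@")


# Constructed sample proxy log (not from the alert): timestamp, client, host, status.
SAMPLE_LOG = """\
2019-03-04T09:12:01Z 10.0.0.21 dskbank.nl 200
2019-03-04T09:12:05Z 10.0.0.21 updates.example.com 200
2019-03-04T09:13:44Z 10.0.0.37 ciscoupdt.com 200
2019-03-04T09:14:10Z 10.0.0.42 193.33.61.170 302
2019-03-04T09:15:00Z 10.0.0.42 mail.example.org 200
"""


def find_ioc_hits(log_text: str, iocs=ALERT_IOCS):
    """Return (client, host) pairs whose host field matches a refanged indicator.

    A host matches on exact equality or when it is a subdomain of a listed domain.
    """
    refanged = {refang(i).lower() for i in iocs}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:  # skip malformed lines
            continue
        client, host = parts[1], parts[2].lower()
        if host in refanged or any(host.endswith("." + d) for d in refanged):
            hits.append((client, host))
    return hits
```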
