
Rewterz Threat Alert – Cobalt’s Updated Tactics and Tools

June 19, 2020

Severity

High

Analysis Summary

The Cobalt group is currently targeting financial organizations around the world. It has modified its flagship tools, CobInt and COM-DLL-Dropper, which it uses together with the more_eggs JavaScript backdoor, and it has also started using new methods to deliver malware and bypass security controls in the initial stages of the kill chain. The more_eggs JavaScript backdoor is detected by the ETPro ruleset, including in public sandboxes, whereas CobInt's network traffic does not trigger those detections. CobInt also downloads its main library from the command and control (C2) server directly into memory, while COM-DLL-Dropper writes the obfuscated more_eggs payload to disk before executing it in memory. COM-DLL-Dropper therefore leaves more forensic artifacts on an infected host than CobInt; because CobInt never writes its main library to disk and its traffic is not flagged by signature rules, file scanning and network signatures alone are unlikely to catch it, so memory inspection and the network indicators below are the practical detection points.

Impact

  • Security bypass
  • Financial loss

Indicators of Compromise

Domain Name

  • timeswindows[.]com
  • telekom-support[.]info
  • ecb-european[.]eu

Hostname

  • origin[.]cdn77[.]kz
  • download[.]sabaloo[.]com
  • maps[.]doaglas[.]com

MD5

  • 6ec0edd1889897ff9b4673600f40f92f
  • 36399ebf94f66529dc72d8b2844f43dd
  • 862c19b2b4b6a7c97fb8627303b8f5d7
  • f2712de0c8575ff32828c83cfbf75d4b
  • 152cd7014811ae8980981a825e5843b0
  • 600154fcb03e775f007ef7b1547b169c
  • 47e7212b097b5cffa60903055e3c4d5a
  • a3391d1d3482553545d7c0111984abb6

SHA-256

  • 9e8a99ad401ef5d2bb3aea3a463d85220f0e6724f91a3c2ffd195d0b8628bf9d
  • 64d16900fce924da101744edce28b9ee648192486d9062c427c17589b5f204fb
  • 3382a75bd959d2194c4b1a8885df93e8770f4ebaeaff441a5180ceadf1656cd9
  • 33ba8cd251512f90b7249930aee22d3f47255420a8d41e1326169e0f948cc7d0
  • 0c85c1045899291cba47c7171599446642b87015a76d5b22f8cc51f4a6e45a90
  • c1a633a940fc4c595ebbe36823fee1b02bfd755615c51799c9f4e4320b597af1
  • b83d2c4f5c2bb562981a104d4e49cf25291096d37a4161c32a76e369d1a931e8
  • 7122cf59f8a59f9a44f20fd4c83451c5c4313e0021d3f1ba9c2b1a4f39801db1
  • 2d02bbae38f4dba5485fbc2e38640898907ecdd6b9ee43501d1ee951653ab36f
  • 0aee265a022ee84e9c8b653e960559c9761a7362e1c345019a552188114b7e80

SHA1

  • 8ada87f00ed3afdd4dbdb07879ba6ebe4a2a9ffa
  • e288b0410fb95060ce8c5527673978cb2ceffe05
  • e80ef396462fe651c3cdeb91651ac27799d2dab5
  • 384a13abe42d249e354cd415c4bcbf01086deafb
  • 90f7d0b0f90aeadaeff1adf45db5dcc598dec8c4
  • 4d50f1cae2acc8c92ff1f678fc1fdfdd1e770f24
  • b912f222e79feadbcefe2d6ead5fab74b15b1f40
  • dfcd5692729e859f074b95720505f711ba7d14ac
  • 1a371353c6a46ddea19d520d8ce3b5599a8ee9f1
  • d3fc5f848d630ca2dc8e99b0d4dfe704b8ec1832

Source IP

  • 45[.]80[.]69[.]34

Remediation

Block the threat indicators at their respective controls: the domains and hostnames at DNS resolvers and web proxies, the source IP at the perimeter firewall, and the file hashes in endpoint protection or EDR blocklists. Also search historical DNS, proxy and endpoint logs for any prior contact with these indicators, since CobInt's in-memory loading leaves little on disk to find after the fact.
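The following script is an added example, not part of the original advisory and not Rewterz tooling. It takes the defanged indicators above (a subset is embedded; the remaining hashes on the page follow the same format), refangs and classifies them, then produces a BIND Response Policy Zone fragment for the DNS names, outbound drop rules for the C2 IP, and runs a retrospective hunt over DNS resolver log lines and an EDR hash export. The log format (`client=... query=...`) and the log lines and hash export themselves are constructed here for illustration.

```python
"""Turn the defanged IoCs from a threat advisory into blocklists and a log hunt.

Added example for this page. The indicators below are a subset copied from the
advisory, defanged with "[.]" exactly as published; the DNS log lines and the
hash export used in __main__ are constructed, not real telemetry.
"""
import re
from collections import defaultdict

# Subset of the advisory's indicators (the other hashes on the page have the same shape).
RAW_IOCS = """
timeswindows[.]com
telekom-support[.]info
ecb-european[.]eu
origin[.]cdn77[.]kz
download[.]sabaloo[.]com
maps[.]doaglas[.]com
6ec0edd1889897ff9b4673600f40f92f
36399ebf94f66529dc72d8b2844f43dd
9e8a99ad401ef5d2bb3aea3a463d85220f0e6724f91a3c2ffd195d0b8628bf9d
8ada87f00ed3afdd4dbdb07879ba6ebe4a2a9ffa
45[.]80[.]69[.]34
"""

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest lengths


def refang(value: str) -> str:
    """Undo common advisory defanging: "[.]" for "." and "hxxp" for "http"."""
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def classify(ioc: str) -> str:
    """Return the indicator type: ipv4, md5, sha1, sha256 or domain."""
    if IPV4_RE.match(ioc):
        return "ipv4"
    if HEX_RE.match(ioc) and len(ioc) in HASH_KINDS:
        return HASH_KINDS[len(ioc)]
    return "domain"  # covers both bare domains and full hostnames


def parse_iocs(text: str) -> dict:
    """Refang every non-empty line of an indicator list and bucket it by type."""
    buckets = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            ioc = refang(line)
            buckets[classify(ioc)].add(ioc)
    return buckets


def dns_hits(log_lines, domains):
    """Flag queries for a blocked name or any subdomain of it.

    Assumed (constructed) log format: '... client=IP query=NAME ...'.
    A trailing dot on the query name is tolerated; 'evil.com.other.test'
    does NOT match 'evil.com' because the suffix check requires a leading dot.
    """
    hits = []
    for line in log_lines:
        m = re.search(r"query=(\S+)", line)
        if not m:
            continue
        qname = m.group(1).rstrip(".").lower()
        for d in domains:
            if qname == d or qname.endswith("." + d):
                hits.append((qname, d))
                break
    return hits


def hash_hits(observed_hashes, iocs):
    """Match hashes from an EDR export (any case) against the advisory's hash sets."""
    known = iocs["md5"] | iocs["sha1"] | iocs["sha256"]
    return sorted({h.strip().lower() for h in observed_hashes} & known)


def rpz_zone(domains):
    """BIND RPZ records that return NXDOMAIN for each name and its subdomains."""
    lines = []
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines)


def firewall_rules(ips):
    """Outbound drop rules in iptables syntax for the C2 IP addresses."""
    return "\n".join(f"iptables -A OUTPUT -d {ip} -j DROP" for ip in sorted(ips))


if __name__ == "__main__":
    iocs = parse_iocs(RAW_IOCS)
    print(rpz_zone(iocs["domain"]))
    print(firewall_rules(iocs["ipv4"]))
    # Constructed resolver log lines; the last one must not match (different parent zone).
    sample_log = [
        "2020-06-19T09:14:02Z client=10.20.3.17 query=maps.doaglas.com. type=A",
        "2020-06-19T09:14:05Z client=10.20.3.17 query=www.ecb-european.eu type=A",
        "2020-06-19T09:15:11Z client=10.20.3.40 query=updates.example.org type=AAAA",
        "2020-06-19T09:16:40Z client=10.20.3.40 query=timeswindows.com.evil.test type=A",
    ]
    print("DNS hits:", dns_hits(sample_log, iocs["domain"]))
    # Constructed EDR export: one advisory MD5 in upper case, one unrelated hash.
    export = ["6EC0EDD1889897FF9B4673600F40F92F", "d41d8cd98f00b204e9800998ecf8427e"]
    print("hash hits:", hash_hits(export, iocs))
```

The RPZ wildcard entry matters because the advisory lists both bare domains and hostnames under them; blocking only the exact strings would miss a fresh subdomain on the same C2 domain. The suffix match in `dns_hits` deliberately requires the leading dot so that a lookalike such as `timeswindows.com.evil.test` is not counted as a hit.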

COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.