Rewterz Threat Alert – Cobalt’s Updated Tactics and Tools

Severity

High

Analysis Summary

Cobalt group is currently found targeting financial organizations around the world. It has modified its flagship tools CobInt and COM-DLL-Dropper in conjunction with the more_eggs JavaScript backdoor, but also started using new methods to deliver malware and bypass security in the initial stages of the kill chain. The more_eggs JavaScript backdoor is detected by the ETPro ruleset, including in public sandboxes, whereas CobInt traffic does not trigger security mechanisms. In addition, CobInt downloads the main library from the command and control (C2) server directly to memory, while COM-DLL-Dropper saves to disk the obfuscated more_eggs, which is then executed in memory. Therefore, COM-DLL-Dropper leaves more artifacts on the infected machine.

Impact

• Security bypass
• Financial loss

Indicators of Compromise

Domain Name

• timeswindows[.]com
• telekom-support[.]info
• ecb-european[.]eu

Hostname

• origin[.]cdn77[.]kz
• download[.]sabaloo[.]com
• maps[.]doaglas[.]com

MD5

• 6ec0edd1889897ff9b4673600f40f92f
• 36399ebf94f66529dc72d8b2844f43dd
• 862c19b2b4b6a7c97fb8627303b8f5d7
• f2712de0c8575ff32828c83cfbf75d4b
• 152cd7014811ae8980981a825e5843b0
• 600154fcb03e775f007ef7b1547b169c
• 47e7212b097b5cffa60903055e3c4d5a
• a3391d1d3482553545d7c0111984abb6

SHA-256

• 9e8a99ad401ef5d2bb3aea3a463d85220f0e6724f91a3c2ffd195d0b8628bf9d
• 64d16900fce924da101744edce28b9ee648192486d9062c427c17589b5f204fb
• 3382a75bd959d2194c4b1a8885df93e8770f4ebaeaff441a5180ceadf1656cd9
• 33ba8cd251512f90b7249930aee22d3f47255420a8d41e1326169e0f948cc7d0
• 0c85c1045899291cba47c7171599446642b87015a76d5b22f8cc51f4a6e45a90
• c1a633a940fc4c595ebbe36823fee1b02bfd755615c51799c9f4e4320b597af1
• b83d2c4f5c2bb562981a104d4e49cf25291096d37a4161c32a76e369d1a931e8
• 7122cf59f8a59f9a44f20fd4c83451c5c4313e0021d3f1ba9c2b1a4f39801db1
• 2d02bbae38f4dba5485fbc2e38640898907ecdd6b9ee43501d1ee951653ab36f
• 0aee265a022ee84e9c8b653e960559c9761a7362e1c345019a552188114b7e80

SHA1

• 8ada87f00ed3afdd4dbdb07879ba6ebe4a2a9ffa
• e288b0410fb95060ce8c5527673978cb2ceffe05
• e80ef396462fe651c3cdeb91651ac27799d2dab5
• 384a13abe42d249e354cd415c4bcbf01086deafb
• 90f7d0b0f90aeadaeff1adf45db5dcc598dec8c4
• 4d50f1cae2acc8c92ff1f678fc1fdfdd1e770f24
• b912f222e79feadbcefe2d6ead5fab74b15b1f40
• dfcd5692729e859f074b95720505f711ba7d14ac
• 1a371353c6a46ddea19d520d8ce3b5599a8ee9f1
• d3fc5f848d630ca2dc8e99b0d4dfe704b8ec1832

Source IP

• 45[.]80[.]69[.]34

Remediation

Block the threat indicators at their respective controls.