Cobalt threat group serves up SpicyOmelette in fresh bank attacks

Haythem Elmir

The Cobalt Gang, an advanced persistent threat (APT) group also tracked as Gold Kingswood, is spreading SpicyOmelette malware in campaigns targeting financial institutions worldwide.

In a world where cyberattacks against businesses and consumers alike are spreading and evolving in nature and sophistication, it is often financial institutions which bear the brunt.

Banking customers hoodwinked by fraudulent schemes, or robbed after the loss of their financial credentials, will often try to claim back lost funds, and banks vary considerably in how willing they are to compensate them.

Some banks attempt to lay the responsibility for fraud at their customers' feet to reduce the expense. However, it is not only customers who become victims; the institutions themselves are targets too.


A bold bank heist in 2016, attributed to Lazarus, fooled employees into transferring roughly $81 million out of the Central Bank of Bangladesh's account at the Federal Reserve Bank of New York.

This was followed by a loss of $13.5 million suffered by Cosmos Bank, one of India's oldest financial institutions. Malware infected the bank's ATM server to facilitate the theft of customer card data, alongside the SWIFT credentials required to push fraudulent transactions.

Cybercriminals able to infiltrate these systems can make a killing. Carbanak alone has managed to steal at least $1 billion from banks worldwide, and now, Cobalt is back on the scene with a new campaign against similar targets.

On Thursday, researchers from the Secureworks Counter Threat Unit (CTU) said the group is "using their extensive resources and network insights to target high-value financial organizations around the world."

Cobalt is a sophisticated hacking group known to pursue high-value financial targets rather than immerse itself in mass spam campaigns or individual credential theft. Active since at least 2016, the APT specializes in targeted network intrusion to gain access to systems which can then be compromised for theft.

The hacking group’s latest campaigns are no different.

CTU has monitored Cobalt over the course of this year and has uncovered the deployment of SpicyOmelette, a malicious tool which is used during the initial phases of an attack against a financial institution.


SpicyOmelette (DOC2018.js) is a sophisticated JavaScript remote access tool which grants attackers remote access to an infected system.

The malware is generally delivered via phishing emails which contain what appears to be a .PDF attachment. However, should a victim, such as a bank employee, click the file, they are redirected to an Amazon Web Services (AWS) URL controlled by Cobalt.

This page then installs SpicyOmelette, which is signed with a code-signing certificate issued by a valid and trusted certificate authority (CA), so defenses that trust any validly signed file will let it through.

The sample of SpicyOmelette found by the security researchers also “passed parameters to a valid Microsoft utility, which allowed the threat actors to execute arbitrary JavaScript code on a compromised system and bypass many application-whitelisting defenses,” according to the team.

Once SpicyOmelette has been installed on a machine, the malware provides a crucial foothold in the target system for the operators.

The malware is able to harvest machine information such as the IP address, system name, and a list of running software, install additional malware payloads, and scan for the presence of 29 different antivirus tools.
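The two behaviours described above, script execution through a signed Microsoft utility and host reconnaissance immediately afterwards, both leave traces in process-creation telemetry. The following detection logic is an added example, not code from the original article or from Secureworks; the article does not name the Microsoft utility that Cobalt abused, so the set of script hosts, the set of likely parent processes and the discovery commands below are assumptions to be tuned for your own environment, and the Sysmon-style events it runs over are constructed for the example.

```python
"""Flag process-creation events consistent with JavaScript execution through a
signed Microsoft utility, followed by host discovery from that script host.
Added example; the event records are constructed, not captured telemetry."""
import re
from dataclasses import dataclass

# Assumption: the article does not name the abused utility. These are signed
# Windows binaries widely known to run script or proxy execution of other code.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmstp.exe",
                "regsvr32.exe", "rundll32.exe"}
# Assumption: processes a user would be in when clicking a "PDF" from a mail.
MAIL_AND_PDF_PARENTS = {"outlook.exe", "acrord32.exe", "chrome.exe",
                        "msedge.exe", "iexplore.exe", "firefox.exe"}
# Assumption: discovery commands matching the data the article says is harvested
# (IP address, host name, running software).
DISCOVERY = {"ipconfig.exe", "hostname.exe", "tasklist.exe", "wmic.exe",
             "systeminfo.exe"}
# A .js file, a javascript: URI, or an explicit JScript engine selection.
JS_PATTERN = re.compile(r"\.js\b|javascript:|/e:jscript", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / Windows 4688 fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name regardless of Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events):
    """Return (pid, rule) findings for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = basename(e.image)
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        # Rule 1: a signed script host asked to run JavaScript.
        if img in SCRIPT_HOSTS and JS_PATTERN.search(e.cmdline):
            findings.append((e.pid, "script-via-signed-utility"))
        # Rule 2: script host spawned from a mail client, PDF reader or browser,
        # which is where a click on a fake PDF attachment lands the user.
        if img in SCRIPT_HOSTS and pimg in MAIL_AND_PDF_PARENTS:
            findings.append((e.pid, "script-host-from-mail-or-pdf-parent"))
        # Rule 3: discovery command whose parent is a script host.
        if img in DISCOVERY and pimg in SCRIPT_HOSTS:
            findings.append((e.pid, "discovery-from-script-host"))
    return findings


# Constructed sample telemetry: a browser opens the lure, wscript runs the
# downloaded .js, and the script enumerates the host. PID 600 is a benign
# logon script launched from Explorer and should not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(50, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(100, 50, r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "OUTLOOK.EXE"),
    ProcEvent(200, 100, r"C:\Program Files\Google\Chrome\chrome.exe", "chrome.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\teller\Downloads\DOC2018.js"'),
    ProcEvent(400, 300, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ProcEvent(500, 300, r"C:\Windows\System32\tasklist.exe", "tasklist /v"),
    ProcEvent(600, 50, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe //nologo C:\Scripts\logon.vbs"),
]

if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule 2 is the noisiest of the three in practice, since legitimate logon scripts and browser helpers also spawn script hosts; it earns its keep when combined with Rule 1 or Rule 3 on the same process tree, which is the pattern the sample reproduces.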

SpicyOmelette paves the way for privilege escalation through the theft of account credentials, the identification of systems holding lucrative financial data or transaction capabilities, including payment gateways and ATM infrastructure, and the deployment of post-infection tools designed specifically to compromise those systems.


Cobalt has been connected to the theft of millions of dollars from financial institutions worldwide and is believed to have caused over €1bn in damages. Despite the arrest of the APT’s suspected leader this year, the group shows no sign of stopping.

“Arrests of suspected Gold Kingswood operators in March 2018 did not deter the threat group’s campaigns, likely due to its vast network of resources,” CTU says. “[We] expect Gold Kingswood’s operations and toolset to continue to evolve, and financial organizations of all sizes and geographies could be exposed to threats from this group.”

“The threat group’s detailed understanding of financial systems and history of successful campaigns make it a formidable threat,” the researchers added.

