Cobalt Group 2.0
Recent Webinar: Building an Adaptive Cyber Resilient Cloud
arrow-white arrow-white Watch now
close

Cobalt Group 2.0

Posted by Michael Gorelik on October 8, 2018
Find me on:

Over the past year, Morphisec and several other endpoint protection companies have been tracking a resurgence in activity from the Cobalt Group. Cobalt is one of the most notorious cybercrime operations, with attacks against more than 100 banks across 40 countries attributed to the group. The most recent attacks can be grouped into two types of campaigns. Many of the campaigns are based on the known and prevalent ThreadKit exploit kit generation framework. Other campaigns are more sophisticated, borrowing only some functionality from ThreadKit builder while incorporating additional advanced techniques from other sources.

Cobalt header img

Morphisec Labs believes that the Cobalt Group split following the arrest of one of its top leaders in Spain in March of 2018. While Cobalt Gang 1.0 uses ThreadKit extensively, Cobalt 2.0 adds sophistication to its delivery method, borrowing some of the network infrastructures used by both APT28  (aka Fancy Bear) and MuddyWater.

One of the Cobalt 2.0 Group’s latest campaigns, an attack that leads to a Cobalt Strike beacon and to JavaScript backdoor, was investigated and presented by the Talos research team. Morphisec has investigated different samples from the same campaign. The following analysis presents our findings, focusing on the additional sophistication patterns and attribution patterns.

Cobalt Group Technical Details

Stage 1 - Word Macro + Whitelisting Bypass

As with many other campaigns, the victim received a document with malicious macro visual basic code.

ThreadKit Builder

Although the code is heavily obfuscated, the entry point is easily identifiable. The VB code is executed starting from the Frame1_Layout function – this method is used much less frequently than the obvious Document_Open or the AutoOpen.

CGsplit-2

The list of additional possible execution triggers is defined here: https://www.greyhathacker.net/?p=948

The macro is executing the legitimate Windows process cmstp.exe (connection manager Profile Installer). This technique was previously used by the MuddyWater group when attacking Middle East targets. The use of cmstp.exe whitelisting bypass was researched by Oddvar Moe, where he showed how, by manipulating the inf file, cmstp can execute scriptlets or executables.

CGsplit-3

In our case the attacker abused cmstp to execute JavaScript scriptlet (XML with JS) that is downloaded from the e-dropbox[.]biz site. This way the group limited the exposure and the delivery of the JavaScript to relevant targets only.

Stage 2 - JavaScript Dropper + Whitelisting Bypass

The JavaScript is well encoded with rc4 and some custom modifications:

CGsplit-4

The decrypted JavaScript has some similar functionality to the ThreadKit builder which is heavily used by the Cobalt Gang 1.0.

CGsplit-5

As can be seen from the deobfuscated code, the JavaScript yet again bypasses whitelisting by manipulation of regsvr32.exe, another legitimate Windows process. The two dropped artifacts – a payload DLL and a Word document – are written to the “Users\<Log on User>\” folder (the document will replace the opened malicious document with clean stub after killing the running Word process).

Stage 3 - PureBasic Legitimate Executable Mixed with Additional Malicious Functions

The dropped DLL is actually a PureBasic compiled code and a legitimate application. The application is not signed (as many other PureBasic applications) and therefore easily manipulated to execute inserted malicious code. In this case, the exported function DllRegisterServer wasn’t part of the legitimate application and is perfect for application flow redirection when executed by regsvr32.exe. Because PureBasic is a full programming language that compiles to assembly and has endless possibilities and APIs to manipulate the memory, it also complicates the generation of patterns by security vendors that base their detection on static or dynamic pattern signatures. Although some security solutions will block all PureBasic programs (wrong move – there are plenty of legitimate PureBasic programs in use today), it’s a smart move made by the attacker group.

CGsplit-6

To function properly, the malicious injected code needs to reflectively load and map to existing core functions. The same code also applies anti-disassembly and anti-debugging techniques. It gets the following functions from Kernel32 and Advapi32:

CGsplit-7

The code then uses the identified functions to add persistency through registry and add next stages file names identifier through the following locations:

  • HKCU\Environment\UserInitMprLogonScript – next stage command (JavaScript downloader executed through regsvr32) is registered under UserInitMprLogonScript.
  • HKCU\Software\Microsoft\Notepad\<$UserName$> - The code creates a new value under Notepad Key with a pair representing randomly generated key pair. The right side of the pair is the name of the JavaScript in the next stage (stage 4) , while the left side of the pair represents the file that will be downloaded as part of stage 5.

CGsplit-8

Such a combination of registry manipulation was reported a year ago as part of an attack campaign executed by the Cobalt Group against Ukrainian banks.

As part of the last execution step of the dll, the malicious code writes a JavaScript scriptlet into the Roaming directory and then it executes CreateProcess on the regsvr32 as described by the UserInitMprLogonScript.

CGsplit-9

Stage 4 - JavaScript  Downloader + Whitelisting Bypass

Here, the scriptlet is automatically obfuscated in a way similar to the first scriptlet:

CGsplit-10

After quick deobfuscation, we get to a clear JavaScript that is trying to download the next stage JavaScript backdoor using the same regsvr32. Note that the name for the JavaScript is part of the Notepad registry key that was written in a previous stage.

CGsplit-11

The script also validates that no one changed the name of the executed file that was randomly given during the previous stage. If the name of the executed JavaScript doesn’t match the name registered in the Notepad registry key, the script will not execute (researchers sometimes change the names of the files to execute the different stages separately – this will not work in this case).

Cobalt Group split-12

This decoded JavaScript downloader is almost identical to downloader previously seen around one year ago - https://twitter.com/ItsReallyNick/status/914894320766943232. 

Stage 5 - JavaScript Backdoor

The last stage JavaScript is downloaded from hxxps://server.vestacp[.]kz/robots.txt.

The JavaScript is obfuscated the same way as in the previous stages. After deobfuscation, we encounter a backdoor that was used in attacks against Russian speaking businesses in August 2017. This backdoor protocol of commands here is almost identical to the previously described backdoor, aside from some name changes:

  • "d&exec" – Download an executable or a dll (if it’s a dll, use regsvr32 to execute it)
  • "more_eggs" – Downloads and replace the existing backdoor script with new script
  • "gtfo" – Clean traces, remove persistency and stage 4,5 files
  • "more_onion" – Execute the Backdoor script
  • "via_x" – execute cmd / shell commands locally

CGsplit-13

As with every communication with the C2, the script collects and sends information about the target environment including the stack of security solutions installed on the computer and are part of the following list:

CGsplit-14

Artifacts

https://github.com/smgorelik/Meetups/blob/master/09272018_Meetup.7z

Conclusion

As organizations improve their defenses, attackers find new ways to get around them. Threat groups such as Cobalt are increasingly incorporating delivery techniques that allow them to easily bypass whitelisting and AppLocker policies, and we see more and more attacks using legitimate processes to carry out their malicious intent.

Although some of the decrypted artifacts have been seen in the wild since the beginning of the year (or earlier), the attack is still very effective as many security solutions do not detect the artifacts once they are obfuscated and encrypted. The need for  a different approach to security is greater than ever. Moving Target Defense, as defined by the DHS and implemented by Morphisec, breaks the assumptions made by the attackers. The Morphisec Preemptive Cyber Defense Platform natively prevents the attack before it can perform any type of malicious activity, no updates needed.

Organizations should expect to see much more coming from all Cobalt Group factions during the next year. Contact one of our security experts to learn how Morphisec protects your business from this and future Cobalt attacks.

Get a Demo of Morphisec