
The Cobalt cybercrime group is still active and uses Kaspersky as a lure

The cybercrime hacker group Cobalt, despite the recent arrest of its boss, is still active and has just launched a new campaign using Kaspersky as bait

Cobalt, the cybercrime hacker group whose leader was arrested 2 months ago in Spain, is still active and has just launched a new malicious campaign. This was reported by cyber security experts at Group-IB. The group, which specializes in cyber-attacks against banks and financial institutions, has since May 23 again targeted the sector in Russia and former Soviet Union countries with phishing emails. The lure is a fake Kaspersky security alert (the company is not involved in the attacks) about a complaint over an alleged violation. Users were asked to carefully read the attached email and provide detailed explanations. If a response was not received within 48 hours, the “anti-virus company” threatened to impose sanctions on the recipient’s web resources. In order to download the email, the user was asked to follow a link, which would then infect the bank employee’s computer.

How Group-IB linked Cobalt to the new cyber-attacks with phishing emails to banks and financial institutions at a global level

Group-IB linked Cobalt to the malicious cyber campaign thanks to some elements, starting with the use in the cyber-attacks of the unique Trojan “Coblnt”, which has been in the cybercrime group's inventory since the end of December 2017. Furthermore, the emails were sent from a domain named “kaspersky-corporate[.]com”. Upon review, it was discovered that this domain name was registered by a person with the same name as the one used for domains previously registered for Cobalt attacks. The only novelty is Kaspersky as the lure. It is the first time that the anti-virus company's name has been used for criminal operations on the web. Moreover, the campaign could target not only banks and financial institutions in the Russian area, but also abroad. The emails are written in English, to spread them globally.

Some elements lead the cyber security experts to suggest that the malicious hackers could be operating jointly with other groups, especially Anunak

In the malicious Cobalt cyber campaign there is a new element that worries the cyber security experts. The quality of the phishing emails is high, as shown by the English text stylized as a “legal complaint” and by the fake website kaspersky-corporate[.]com. This is not typical of the cybercrime group. These and other signs again pointed to the possibility that the remaining members of Cobalt were conducting a joint operation with other criminal groups, in particular Anunak. Until now, however, the malicious hackers have gained more or less one billion euros from 100 banks in 40 countries, with an average of 10 million for a single operation, using different methods, from false SWIFT transactions to ATM hacking.

The complete Group-IB analysis on the new threat
