Multi-Stage Malware Heavily Used in Recent Cobalt Attacks
14.9.18 securityweek Attack 

The Russia-based Cobalt hacking group has made heavy use of the CobInt malware in recently observed campaigns, Proofpoint’s security researchers warn.

The Cobalt Gang appeared to have stopped using the malware as a first-stage downloader earlier this year, but an August campaign targeting Russian and Romanian banks revealed that they are using it again.

Known for targeting financial institutions worldwide, the group has also launched cyberattacks against organizations in the government, telecom/Internet, service providers, manufacturing, entertainment, and healthcare industries.

Since July, the multi-stage CobInt malware has been a constant presence in the threat actor’s attacks, delivered via malicious Office documents built using the ThreadKit exploit builder.

The malicious documents are targeting recent vulnerabilities in Microsoft Office, namely CVE-2017-8570, CVE-2017-11882, and CVE-18-0802. The malicious files either attempt to drop a stage 1 payload or link to the CobInt downloader directly.

Between August 2 and September 4, Proofpoint detected four Cobalt attacks attempting to drop CobInt. The most recent of the incidents leveraged an Office document with a relationship object to fetch an external VBscript exploiting CVE-18-8174 for the payload’s execution.

Written in C, CobInt is a downloader malware that can be broken up into three stages: an initial downloader, the main component, and additional modules.

The first stage’s purpose is to download the main CobInt component. It features encrypted command and control (C&C) host and URI, hides its functionality through the use of Windows API function hashing, and downloads the next stage via HTTPS.

CobInt’s main component is downloaded in the form of a DLL that stage 1 also executes. The main component fetches and runs various modules from the C&C. The malware uses HTTPS to communicate with the server.

Proofpoint’s researchers discovered four commands that the C&C server can send to the malware: load/execute module; stop polling C&C; execute function set by module; and update C&C polling wait time.

Loaded as shellcode, the modules start executing at the indicated entry point. The malware was observed loading two modules from the C&C, one to send a screenshot to the server, and the other to send a list of running process names.

These, Proofpoint notes, are reconnaissance steps that the attackers are likely to follow with the deployment of additional modules to the compromised systems of interest.

“CobInt provides additional evidence that threat actors […] are increasingly looking to stealthy downloaders to initially infect systems and then only install additional malware on systems of interest. […] This appears to be the latest trend as threat actors look to increase their effectiveness and differentiate final payloads based on user profiles,” Proofpoint concludes.