Cobalt Threat Group Dishing Out SpicyOmelette

Cobalt Threat Group Dishing Out SpicyOmelette

Cobalt Gang, also known as Gold Kingswood, is spreading SpicyOmelette malware – targeting banking and other financial institutions worldwide.

Cyberattacks against banks and its clients alike are spreading and evolving in nature and complexity – it is often financial institutions which bear the burden. Banking customers being deceived by fraudulent schemes or those that become the victims of theft through the loss of their financial credentials will often try to claim back lost funds when it comes to compensation.

Just this Thursday, security researchers from the Secureworks Counter Threat Unit (CTU) said the group is “using their extensive resources and network insights to target high-value financial organizations around the world.”

The Cobalt threat group is known to engage high-value financial targets rather than wasting time in mass spamming campaigns or individual credential thefts. Active since 2016, the group specializes in targeted, network infiltration in order to gain access to systems which can be exposed for the purposes of theft.

The hacking group’s latest campaigns are no different.

CTU has monitored Cobalt over the course of this year and has discovered the deployment of SpicyOmelette, a malware tool used during the initial phases of an attack against a financial institution.

SpicyOmelette (DOC2018.js) is a complex JavaScript remote which grants attackers remote access to an infected system.

The malware in general is delivered via injected phishing emails which contain what appears to be a .PDF attachment. However, should a victim – let’s say, a bank employee – clicks the file, they are automatically redirected to an Amazon Web Services (AWS) URL being controlled by Cobalt.

This page then unknowingly installs SpicyOmelette, which is signed by a valid and trusted certificate authority (CA).

A sample model of SpicyOmelette found by the security researchers also “passed parameters to a valid Microsoft utility, which allowed the threat actors to execute arbitrary JavaScript code on a compromised system and bypass many application-whitelisting defenses,” according to the team. Once SpicyOmelette has been installed on a machine, the malware delivers a critical traction in the target system for the Cobalt Gang. The malware is able to gather machine information such as IP addresses, system names, and running software applications, install additional malware payloads and also scans for the presence of a total of 29 antivirus tools.

SpicyOmelette paves the way for privilege escalation via the theft of account credentials, the identification of systems containing lucrative financial data or transaction abilities — including payment gateways and ATM architectures — and the deployment of post-infection tools specifically designed to compromise these systems. Cobalt has been blamed for the theft of millions of dollars from financial institutions worldwide and is believed to have caused more than €1bn in damages.

This just means they are not stopping anytime soon. The threat group’s in-depth understanding of financial systems and history of successful attacks makes it a formidable adversary.

About the author

Leave a Reply