The Russia-based hacker group Cobalt widened its sphere of activity in 2017, the Russian news agency RBK reported, citing Positive Technologies, a company specializing in information security.
According to the report, in 2017 Cobalt sent phishing letters carrying infected attachments to more than 3,000 users at 250 companies in 12 countries. Companies in North America, Western Europe and South America joined the usual CIS, Eastern European and Southeast Asian targets. Stock exchanges, insurance companies, investment funds and other organizations entered the group's sphere of interest, whereas earlier it had targeted only banks.
‘The attacks on non-financial organizations were made to prepare the ground for further attacks on banks. For example, the hackers can send out phishing letters on behalf of a regulator or a bank’s partner for whom a service is provided,’ said Oleksy Novikov, deputy head of the Competence Center for Expert Services at Positive Technologies.
Positive Technologies also said that the group sends mass phishing mailings from fake domains that imitate messages from Visa, MasterCard, the Central Bank of Russia’s financial-sector cyber attack monitoring center and the National Bank of the Republic of Kazakhstan. For this purpose Cobalt used 22 fake domains imitating the websites of financial organizations and their counterparties.
A typical Cobalt attack consists of several stages. First, the group registers fake domains that look as if they belong to large companies. Then it sends a phishing mailing with infected attachments to banks and their counterparties. When a user opens the attachment, a program designed to keep antivirus software from reacting is launched. It then downloads a Trojan to the machine, giving the attackers remote access to the work computer. From there the hackers can develop the attack inside the organization or use the compromised host to attack another one.
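As an added example (not from the article and not Positive Technologies' or Cobalt's own code), the following Python script shows one check a mail-security team can run against the first stages of the chain described above: flagging sender domains that imitate the financial organizations named in the article. The allowlist of legitimate domains, the confusable-character table and the mail-log lines are all constructed for this example; in practice the allowlist would come from an organization's own verified counterparties.

```python
import re

# Constructed allowlist of expected sender domains (assumption for this example).
LEGIT_DOMAINS = {"visa.com", "mastercard.com", "cbr.ru", "nationalbank.kz"}

# Character sequences attackers swap in because they look alike on screen.
# Multi-character entries come first so "rn" is folded to "m" before "1" etc.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d",
               "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

# Constructed mail-log lines (not real traffic).
LOG_LINES = [
    "2017-11-02T09:14:33Z from=alerts@visa.com to=ops@bank.example",
    "2017-11-02T09:15:01Z from=security@v1sa.com to=ops@bank.example",
    "2017-11-02T09:16:10Z from=noreply@mastercard-secure.com to=ops@bank.example",
    "2017-11-02T09:17:45Z from=info@cbr.ru to=ops@bank.example",
    "2017-11-02T09:18:02Z from=alert@cbr-ru.com to=ops@bank.example",
    "2017-11-02T09:19:30Z from=support@rnastercard.com to=ops@bank.example",
    "2017-11-02T09:20:12Z from=docs@visa.com.evil.example to=ops@bank.example",
    "2017-11-02T09:21:00Z from=partner@broker.example to=ops@bank.example",
    "2017-11-02T09:22:41Z from=alerts@mail.visa.com to=ops@bank.example",
]

FROM_RE = re.compile(r"from=\S+@([\w.-]+)")


def normalize(label):
    """Fold homoglyph sequences so 'rnastercard' becomes 'mastercard'."""
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label


def levenshtein(a, b):
    """Edit distance; one substitution/insertion/deletion counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label, e.g. 'visa' for 'visa.com' or 'mail.visa.com'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain):
    """Return 'legit', 'lookalike' or 'unknown' for a sender domain."""
    domain = domain.lower().rstrip(".")
    # Exact match or a subdomain of an allowlisted domain is legitimate.
    for legit in LEGIT_DOMAINS:
        if domain == legit or domain.endswith("." + legit):
            return "legit"
    labels = domain.split(".")
    label = normalize(registrable_label(domain))
    for legit in LEGIT_DOMAINS:
        brand = registrable_label(legit)
        # Brand name reused inside a different domain: visa-secure.com,
        # cbr-ru.com, visa.com.evil.example.
        if any(brand in lab for lab in labels):
            return "lookalike"
        # Homoglyph or single-character typo of the brand label.
        # Short brands only match after normalization, to limit false hits.
        if label == brand:
            return "lookalike"
        if len(brand) >= 4 and levenshtein(label, brand) <= 1:
            return "lookalike"
    return "unknown"


def scan(lines):
    """Return [(sender_domain, verdict), ...] for every line with a sender."""
    results = []
    for line in lines:
        m = FROM_RE.search(line)
        if m:
            results.append((m.group(1), classify(m.group(1))))
    return results


if __name__ == "__main__":
    for domain, verdict in scan(LOG_LINES):
        if verdict != "legit":
            print(f"{verdict:9s} {domain}")
```

The two checks catch different tricks: the substring test finds brand names embedded in unrelated domains (including the "brand.com.attacker" pattern, where the real domain appears as a subdomain), while the normalization plus edit-distance test finds homoglyph and one-character typo squats. Neither needs the fake domain to be known in advance, which matters because a group that registered 22 such domains in a year will register more.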