Alerts

The Cobalt hacking group, which specializes in breaching the networks of financial institutions and banks, is now using a new variant of the ThreadKit exploit builder kit for Microsoft Office documents.

Observed in a campaign on October 30, the new tactics show an evolution of the ThreadKit macro delivery tool. The final payload downloaded this way is CobInt, a signature malware of the Cobalt group.

Small progress still counts as moving forward

The exploit building framework was first noticed in October 2017, although it had been used in campaigns as early as June that year that leveraged CVE-2017-0199, for which exploit code was publicly available.

Security researcher Kafeine tweeted at the end of May that the author of ThreadKit sold the tool for $400. This offer enabled numerous actors and groups to use the exploit kit builder for their operations.

An analysis from cybersecurity company Fidelis shows that the new ThreadKit places the ‘M’ of the ‘MZ’ DOS executable header into its own object, and renames several of the objects inside.

The researchers saw this slight evolution in a document downloaded from a domain name (“sepacloud[.]org”) that pretended to be tied to the Single Euro Payments Area (SEPA) initiative for simplifying euro payments.

CobInt, also known as COOLPANTS, is a backdoor used by Cobalt for reconnaissance purposes that was discovered on a command and control (C2) server operated by the hackers.


Cobalt group has great phishing skills

The hacker outfit is using phishing to reach their target’s network.

Also, they use domain names that impersonate financial institutions and could easily fool an individual.

The activity of the group slowed down earlier this year when its alleged leader was arrested in Spain. Two months later, though, Cobalt operations were again spotted by security researchers.


The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

XtremeRAT is a widely known Remote Access Tool. The tool was originally created by a freelance coder with the alias xtremecoder. It is one of the most commonly available RATs offered in cybercrime communities. XtremeRAT is used as general spyware and to facilitate computer intrusions, and is often delivered via phishing and drive-by downloads. XtremeRAT came into the spotlight in recent years after being used in high-profile espionage operations targeting the Israeli government in 2012. Meanwhile, the same attackers were also targeting US and UK government organizations. Several Latin American nations were also targeted using this tool in 2013.

Response

When XtremeRAT infection is suspected, perform the following steps:

  • Gather the process list at the moment of the infection. This gives the responder a clear view of the process that might have caused the infection. Note, however, that XtremeRAT process names are highly customizable.
  • Take a memory image of the compromised host in order to investigate the infection further.

Network indicators for this tool are trivial to detect, given the moderate encoding of its network traffic. The handshake always starts with a variation of myversion:<version number> (Private|public). The version number varies; the ones observed in the wild have been 3.6 public and private. In addition, the server response always starts with the byte sequence \x58\x0d\x0a.
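The following is an added example (not code from the alert or from Anomali Labs) that turns the two handshake indicators above into a check over the first client and server payloads of a TCP flow. The exact separator between the version and the Private/public edition, the sample payloads, and the set of known versions are assumptions or constructed from the text.

```python
import re
from typing import Optional, Tuple

# Client hello per the alert: "myversion:<version> (Private|public)". The alert says
# "a variation" of this, so the separator between version and edition is an assumption
# and the pattern is deliberately tolerant (optional whitespace, '_', '|' or '-').
HANDSHAKE_RE = re.compile(
    rb"^myversion:\s*(\d+(?:\.\d+)*)\s*[ _|-]?\s*(private|public)", re.IGNORECASE
)
# Server reply prefix per the alert: 'X' CR LF.
SERVER_PREFIX = b"\x58\x0d\x0a"
# Versions the alert reports as observed in the wild.
KNOWN_VERSIONS = {"3.6"}


def parse_client_hello(payload: bytes) -> Optional[Tuple[str, str]]:
    """Return (version, edition) if the payload looks like an XtremeRAT hello."""
    m = HANDSHAKE_RE.match(payload)
    if not m:
        return None
    return m.group(1).decode("ascii"), m.group(2).decode("ascii").lower()


def is_server_reply(payload: bytes) -> bool:
    """True if the first server bytes carry the XtremeRAT reply prefix."""
    return payload.startswith(SERVER_PREFIX)


def classify_flow(client_first: bytes, server_first: bytes) -> dict:
    """Score a flow: both indicators -> 'xtremerat', one -> 'suspicious', none -> 'clean'."""
    hello = parse_client_hello(client_first)
    reply = is_server_reply(server_first)
    hits = int(hello is not None) + int(reply)
    verdict = {2: "xtremerat", 1: "suspicious", 0: "clean"}[hits]
    return {
        "verdict": verdict,
        "version": hello[0] if hello else None,
        "edition": hello[1] if hello else None,
        # A hello with a version not yet seen in the wild still matches; flag it for review.
        "known_version": hello is not None and hello[0] in KNOWN_VERSIONS,
    }


if __name__ == "__main__":
    # Constructed sample flows (first client payload, first server payload).
    flows = [
        (b"myversion:3.6 Private", b"\x58\x0d\x0a" + b"\x00" * 4),
        (b"MYVERSION:3.5|public", b"OK\r\n"),
        (b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
    ]
    for c, s in flows:
        print(classify_flow(c, s))
```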

Capabilities

XtremeRAT offers a wide selection of features that often leave easily detectable footprints on the system. These include:

  • Interactive remote shell
  • List installed programs
  • Registry editor
  • Process manager, connection monitor, registry editor and file manager
  • Download/execution of files and scripts
  • Remote camera monitoring
  • Proxy
  • USB spreader
  • Self deletion after infection
  • Remote mic monitoring
  • Keylogger
  • Open chat
  • Install, uninstall, update, restart, disconnect, rename server on demand
  • Password stealer

Host Indicators

Systems infected with XtremeRAT show several host-based indicators. The tool injects into the following processes:

  • calc.exe
  • notepad.exe
  • explorer.exe
  • svchost.exe
  • firefox.exe
  • iexplorer.exe
  • chrome.exe

The information contained in this website is for general information purposes only. The information is gathered from Anomali Labs while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

Cryptominers have dethroned ransomware as the top malware threat, and cybercriminals are coming up with new ways to keep the mining activity secret from their victims.

One of these includes tricking users into unknowingly downloading and running the mining software via a fake Adobe Flash updater. To keep up appearances, the fake updater uses pop-up notifications from the official Adobe installer.

The campaign

At the start of August, Palo Alto Networks researchers noticed Windows executables with file names starting with AdobeFlashPlayer__ being served from non-Adobe, cloud-based web servers.

They couldn’t discover how potential victims were arriving at the URLs delivering these fake updates, but they could test them.

They discovered that the updater does an exceptional job of impersonating the official Adobe installer and actually does update a victim’s Flash Player to the latest version. But, in the background, it also installs the XMRig cryptocurrency miner.

There is one indication that the update might not be legitimate: Windows does warn that it comes from an unknown publisher.

Unfortunately, many users fail to understand and heed such warnings.

“Network traffic during the infection consisted mainly of the Flash update. But my infected lab host soon generated traffic associated with XMRig cryptocurrency mining over TCP port 14444,” Palo Alto’s Brad Duncan noted.

Spotting covert cryptomining activity is difficult without security software or software that shows insight into the network traffic going to and from one’s computer. Users may notice that their machine has become more sluggish, but even that clue is often overlooked.

Judging by Palo Alto’s detections, this malware delivery campaign is still going strong. “Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates,” Duncan pointed out.


The information contained in this website is for general information purposes only. The information is gathered from HelpNet Security while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.