Cobalt Group | APT Profile

Description

[Cobalt Group](https://attack.mitre.org/groups/G0080) is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. [Cobalt Group](https://attack.mitre.org/groups/G0080) has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)(Citation: Proofpoint Cobalt June 2017)(Citation: RiskIQ Cobalt Nov 2017)(Citation: RiskIQ Cobalt Jan 2018) Reporting indicates there may be links between [Cobalt Group](https://attack.mitre.org/groups/G0080) and both the malware [Carbanak](https://attack.mitre.org/software/S0030) and the group [Carbanak](https://attack.mitre.org/groups/G0008).(Citation: Europol Cobalt Mar 2018)

Techniques Used (TTPs)

T1566.001 — Spearphishing Attachment (initial-access)
T1105 — Ingress Tool Transfer (command-and-control)
T1027.010 — Command Obfuscation (defense-evasion)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1218.008 — Odbcconf (defense-evasion)
T1195.002 — Compromise Software Supply Chain (initial-access)
T1518.001 — Security Software Discovery (discovery)
T1559.002 — Dynamic Data Exchange (execution)
T1204.002 — Malicious File (execution)
T1068 — Exploitation for Privilege Escalation (privilege-escalation)
T1218.003 — CMSTP (defense-evasion)
T1218.010 — Regsvr32 (defense-evasion)
T1055 — Process Injection (defense-evasion, privilege-escalation)
T1059.001 — PowerShell (execution)
T1588.002 — Tool (resource-development)
T1021.001 — Remote Desktop Protocol (lateral-movement)
T1059.005 — Visual Basic (execution)
T1203 — Exploitation for Client Execution (execution)
T1070.004 — File Deletion (defense-evasion)
T1548.002 — Bypass User Account Control (privilege-escalation, defense-evasion)
T1220 — XSL Script Processing (defense-evasion)
T1071.004 — DNS (command-and-control)
T1059.007 — JavaScript (execution)
T1566.002 — Spearphishing Link (initial-access)
T1204.001 — Malicious Link (execution)
T1059.003 — Windows Command Shell (execution)
T1071.001 — Web Protocols (command-and-control)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1572 — Protocol Tunneling (command-and-control)
T1573.002 — Asymmetric Cryptography (command-and-control)
T1543.003 — Windows Service (persistence, privilege-escalation)
T1219 — Remote Access Tools (command-and-control)
T1046 — Network Service Discovery (discovery)
T1037.001 — Logon Script (Windows) (persistence, privilege-escalation)

Total TTPs: 34

Malware & Tools

Malware: Cobalt Strike, More_eggs, SpicyOmelette

Tools: Mimikatz, PsExec, SDelete

← Return to Home ← Back to APT Search