Cobalt threat group serves up SpicyOmelette in fresh bank attacks

The Cobalt Gang has been connected to the theft of millions of dollars from financial institutions worldwide.
Written by Charlie Osborne, Contributing Writer

Advanced persistent threat group (APT) the Cobalt Gang, also known as Gold Kingswood, is spreading SpicyOmelette malware in campaigns targeting financial institutions worldwide.

In a world where cyberattacks against businesses and consumers alike are spreading and evolving in nature and sophistication, it is often financial institutions which bear the brunt.

Banking customers hoodwinked by fraudulent schemes or those that become the victims of theft through the loss of their financial credentials will often try to claim back lost funds -- of which, banks appear to vary when it comes to compensation.

Some banks attempt to lay the responsibility of fraud at their customers' feet to reduce the expense. However, it is not just customers that can become victims, but the institutions themselves.

Read on: Here's the one surprising lesson I learned as a victim of debit card fraud

A bold bank heist in 2017 was attributed to Lazarus, which managed to fool employees into transferring $80 million from the Central Bank of Bangladesh's New York Federal Reserve account.

This was followed by a financial loss of $13.5 million suffered by Cosmos Bank, one of India's oldest financial institutions. Malware infected the bank's ATM server in order to facilitate the theft of customer credit card information of customers, alongside SWIFT banking codes required to make transactions.

Cybercriminals able to infiltrate these systems can make a killing. Carbanak alone has managed to steal at least $1 billion from banks worldwide, and now, Cobalt is back on the scene with a new campaign against similar targets.

TechRepublic: PCI compliance slipping for first time in 6 years, but IT remains on top

On Thursday, researchers from the Secureworks Counter Threat Unit (CTU) said the group is "using their extensive resources and network insights to target high-value financial organizations around the world."

Cobalt is a sophisticated hacking group known to pursue high-value financial targets rather than immerse themselves into mass spam campaigns or individual credential thefts. Active since at least 2016, the APT specializes in targeted, network intrusion to gain access to systems which can be compromised for the purposes of theft.

The hacking group's latest campaigns are no different.

CTU has monitored Cobalt over the course of this year and has uncovered the deployment of SpicyOmelette, a malicious tool which is used during the initial phases of an attack against a financial institution.

CNET: Trump OKs 'offensive cyber operations' as deterrent against US rivals

SpicyOmelette (DOC2018.js) is a sophisticated JavaScript remote which grants attackers remote access to an infected system.

The malware is generally delivered via phishing emails which contain what appears to be a .PDF attachment. However, should a victim -- such as a bank employee -- click the file, they are redirected to an Amazon Web Services (AWS) URL controlled by Cobalt.

This page then installs SpicyOmelette, which is signed by a valid and trusted certificate authority (CA).

The sample of SpicyOmelette found by the security researchers also "passed parameters to a valid Microsoft utility, which allowed the threat actors to execute arbitrary JavaScript code on a compromised system and bypass many application-whitelisting defenses," according to the team.


Once SpicyOmelette has been installed on a machine, the malware provides a crucial foothold in the target system for the operators.

The malware is able to harvest machine information such as IP address, system name, and running software application lists, install additional malware payloads and also scans for the presence of a total of 29 antivirus tools.

SpicyOmelette paves the way for privilege escalation via the theft of account credentials, the identification of systems containing lucrative financial data or transaction abilities -- including payment gateways and ATM architectures -- and the deployment of post-infection tools specifically designed to compromise these systems.

See also: How hackers managed to steal $13.5 million in Cosmos bank heist

Cobalt has been connected to the theft of millions of dollars from financial institutions worldwide and is believed to have caused over €1bn in damages. Despite the arrest of the APT's suspected leader this year, the group shows no sign of stopping.

"Arrests of suspected Gold Kingswood operators in March 2018 did not deter the threat group's campaigns, likely due to its vast network of resources," CTU says. "[We] expect Gold Kingswood's operations and toolset to continue to evolve, and financial organizations of all sizes and geographies could be exposed to threats from this group."

"The threat group's detailed understanding of financial systems and history of successful campaigns make it a formidable threat," the researchers added.

The worst cyberattacks undertaken by nation-state hackers

Previous and related coverage

Editorial standards