The financially-motivated “Cobalt” hackers have been establishing a foothold onto victim machines using a piece of malware called SpicyOmelette, Secureworks reveals.
Active since at least 2016 and also referred to as GOLD KINGSWOOD, the Cobalt Gang has been credited with a variety of attacks against , including recent attacks against .
Using techniques similar to those employed by state-sponsored actors, the Cobalt group is believed to have stolen around $1.2 billion as of March 2018, Secureworks’ security researchers .
SpicyOmelette, they explain, is a tool used mainly during the initial exploitation of a targeted organization. Usually delivered via phishing emails, the malware includes a series of evasion techniques to hinder prevention and detection.
The hackers used a valid digital certificate to sign the malicious script. Although users might have been warned about running external content, the system would have also indicated that the script was signed with a valid certificate.
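A defender's takeaway is that a "valid" signature only proves the script has not been altered since signing, not that the signer is trusted. The following PowerShell snippet is an added example, not code from the article or from Secureworks; it lists scripts whose Authenticode signature is valid but whose signing certificate subject is not on a local allowlist (the allowlist subject and the search path are hypothetical placeholders).

```powershell
# Added example: flag scripts that carry a *valid* Authenticode signature from a signer
# that is not on an explicit allowlist. A valid signature alone is not a trust decision.
$TrustedSubjects = @(
    'CN=Example Corp Code Signing, O=Example Corp, C=US'  # hypothetical placeholder subject
)

function Get-UnexpectedSignedScripts {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]]                        $AllowedSubjects = $TrustedSubjects
    )

    # Script file types checked here are an assumption; extend the -Include list as needed.
    Get-ChildItem -Path $Path -Recurse -Include *.ps1, *.js, *.vbs -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName

            # Only consider files whose signature chain verifies: these are the ones a user
            # would be told were "signed with a valid certificate".
            if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
                $subject = $sig.SignerCertificate.Subject
                if ($AllowedSubjects -notcontains $subject) {
                    [pscustomobject]@{
                        Path       = $_.FullName
                        Signer     = $subject
                        Issuer     = $sig.SignerCertificate.Issuer
                        Thumbprint = $sig.SignerCertificate.Thumbprint
                        NotAfter   = $sig.SignerCertificate.NotAfter
                    }
                }
            }
        }
}

# Example invocation against a placeholder path; review the output and add legitimate
# signers to $TrustedSubjects rather than trusting every validly signed file.
Get-UnexpectedSignedScripts -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

The Thumbprint column gives a stable value to pivot on when deciding whether to block or allow a signer; a certificate that later turns out to be abused can then be added to a blocklist by thumbprint rather than by subject string.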
Capable of detecting the presence of 29 different antivirus tools on the infected system, the RAT allows attackers to profile the machine by gathering information such as running software, system name, IP address, and the like, as well as to install additional malware.
The malware and other post-compromise tools regularly used by Cobalt can then be leveraged to escalate privileges through the theft of account credentials, to evaluate the compromised environment and identify desirable systems, and to deploy malware specifically designed to target those systems.
Secureworks expects the Cobalt Gang to continue to evolve its toolset and operations, suggesting that financial organizations of all sizes and in all geographies could be exposed to the group’s attacks. Due to its history of successful campaigns, the actor should be seen as a formidable threat, the researchers say.