A financially-motivated hacking group is trying to evade detection while it targets bank employees across the globe, according to research from cybersecurity company Palo Alto Networks.
The Cobalt Group (also known as the Cobalt Gang) this month sent PDF files to bank employees to try to get them to download malicious macros, said researchers from Palo Alto Networks’ Unit 42 threat intelligence team. It is just the latest in a series of activities from a group linked to brazen heists on ATMs and the SWIFT banking-transaction system that researchers say have cost millions of dollars.
The recent attack tracked by Unit 42 is simple – the PDF document doesn’t have code or an exploit. Instead, the attackers use social engineering to try to get the bank employees to download the macros. A link embedded in the PDF redirects the target to a malicious document.
“Hiding in plain sight is a well-known tactic and that’s what we see these attackers doing,” a Unit 42 researcher told CyberScoop. The researcher declined to describe the geographic location of the targets.
Despite having its alleged ringleader arrested earlier this year, the Cobalt Group has been unrelenting in targeting financial institutions. In August, researchers from Netscout’s Arbor Networks said the group had targeted two banks in Romania and Russia with spearphishing emails. And not only is the group undeterred, it is also using some of the same malicious domains it has in the past, according to Unit 42.
In the latest Cobalt Group attack, the hackers designed the PDF to look more authentic by putting text on some pages and leaving others blank. The PDF “avoids almost all traditional [antivirus] detection, resulting in a very effective transport of the first stage of the attack via email,” a Unit 42 blog post states.
The use of email – a very common vector for hackers – and a simple but authentic-looking PDF means that thwarting this Cobalt Group attack comes down to educating users, the researchers point out.
“With these attacks in particular, effective prevention happens on a person-by-person basis as the attack relies on a person clicking a link to launch the attack,” the Unit 42 researcher told CyberScoop. “So long as these attacks are successful, every organization and individual can always do better. And here we see again the importance of user education and the person in front of the computer as the last, vital line of defense.”