Cobalt Group tries to slip malicious PDFs past bank employees, researchers say

The Cobalt Group is at it again, and user education is key to stopping them. (Getty Images)

A financially-motivated hacking group is trying to evade detection while it targets bank employees across the globe, according to research from cybersecurity company Palo Alto Networks.

The Cobalt Group (also known as the Cobalt Gang) this month sent PDF files to bank employees to try to get them to download malicious macros, said researchers from Palo Alto Networks’ Unit 42 threat intelligence team. It is just the latest in a series of activities from a group linked to brazen heists on ATMs and the SWIFT banking-transaction system that researchers say have cost millions of dollars.

The recent attack tracked by Unit 42 is simple – the PDF document doesn’t have code or an exploit. Instead, the attackers use social engineering to try to get the bank employees to download the macros. A link embedded in the PDF redirects the target to a malicious document.

“Hiding in plain sight is a well-known tactic and that’s what we see these attackers doing,” a Unit 42 researcher told CyberScoop. The researcher declined to describe the geographic location of the targets.

Despite having its alleged ringleader arrested earlier this year, the Cobalt Group has been unrelenting in targeting financial institutions. In August, researchers from Netscout’s Arbor Networks said the group had targeted two banks in Romania and Russia with spearphishing emails. And not only is the group undeterred, it is also using some of the same malicious domains it has in the past, according to Unit 42.

In the latest Cobalt Group attack, the hackers designed the PDF to look more authentic by putting text on some pages and leaving others blank. The PDF “avoids almost all traditional [antivirus] detection, resulting in a very effective transport of the first stage of the attack via email,” a Unit 42 blog post states.
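Because the lure carries no script or exploit, a scanner that only looks for active content sees nothing; the link target is the only indicator. The following is an added triage example, not code from the article or from Unit 42: it pulls /URI link targets out of an uncompressed PDF and separately lists active-content keys. The sample PDF, its hostname and the helper names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample (not from the article): a minimal uncompressed PDF whose
# only notable content is a Link annotation with a /URI action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (http://example.invalid/invoice.doc) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI (literal string) inside a URI action; hex-string form is not handled here.
URI_RE = re.compile(rb"/URI\s*\((?P<uri>[^)]*)\)")
# Keys that indicate scripts, launch actions or embedded payloads.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile", b"/OpenAction", b"/AA")


@dataclass
class PdfTriage:
    uris: list = field(default_factory=list)
    active_content: list = field(default_factory=list)


def triage_pdf(data: bytes) -> PdfTriage:
    """Collect /URI targets and active-content keys from raw PDF bytes.

    Assumption: objects are stored uncompressed. Objects inside object streams
    or FlateDecode streams would have to be inflated before this scan sees them.
    """
    result = PdfTriage()
    for match in URI_RE.finditer(data):
        result.uris.append(match.group("uri").decode("latin-1", errors="replace"))
    result.active_content = [key.decode() for key in ACTIVE_KEYS if key in data]
    return result


def link_hosts(triage: PdfTriage) -> list:
    """Hostnames referenced by the PDF's links, for allow-list or reputation checks."""
    return sorted({urlparse(uri).hostname or "" for uri in triage.uris})


if __name__ == "__main__":
    t = triage_pdf(SAMPLE_PDF)
    print("active content:", t.active_content or "none")  # none for a link-only lure
    print("link hosts:", link_hosts(t))
```

On a lure like the one described, `active_content` comes back empty while `link_hosts` carries the one value worth checking against mail-gateway URL reputation or an allow list.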

The use of email – a very common vector for hackers – and a simple but authentic-looking PDF means that thwarting this Cobalt Group attack comes down to educating users, the researchers point out.

“With these attacks in particular, effective prevention happens on a person-by-person basis as the attack relies on a person clicking a link to launch the attack,” the Unit 42 researcher told CyberScoop. “So long as these attacks are successful, every organization and individual can always do better. And here we see again the importance of user education and the person in front of the computer as the last, vital line of defense.”

Written by Sean Lyngaas
