Financial hacking teams FIN7, Cobalt Group update tactics to haunt banks and retail

It's like a never-ending greatest hits tour.
(Gety Images)

It’s starting to look like the global private sector might have a real problem on its hands.

Despite international media attention and a series of high-profile arrests, some of the world’s most prolific cybercriminals only seem to be accelerating their hacking sprees.

Financially motivated hacking groups including FIN7, Cobalt Group and the Contact Crew remain active, staying busy well into this year, according to Accenture Security’s 2019 Threatscape report. The cybercrime syndicates, which have haunted financial and retail companies since at least 2016, have spent the first half of 2019 updating their malicious software tools and expanding their reach.

The findings are more bad news for international companies, which last year saw cyberattacks rank among the biggest risks for companies worldwide, according to the World Economic Forum.


Now, if Accenture’s 102-page report is any indication, the world’s most capable hackers only are fine-tuning their techniques to carry out targeted intrusions. This comes despite the fact that companies are writing six-figure checks in the hopes that cybersecurity products will keep criminals out of the company coffers.

“This attack trend, which is sometimes referred to as ‘big game hunting,’ can include the use of a wide range of bespoke malware and commodity ‘crimeware’ malware available for download or purchase from underground forums and marketplaces, including banking Trojans, information stealers, keyloggers and loaders,” the report stated.

Top-tier scammers also used legitimate penetration tools like Metasploit, Cobalt Strike, Powershell Empire, Meterpreter and Mimikatz to break into victims’ systems.

The FIN7 group is perhaps the most notable example of a financially motivated hacking group that refuses to go silent, despite an indictment against three Ukrainians made public in August 2018. An organized crime group that researchers have suggested may be accountable for stealing $1 billion, FIN7 has shifted to use a software backdoor called Gudwin (or Griffon) and relies on “legitimate documents with embedded images from remote sources to identify individuals who are likely to open malicious documents.”

While the accused FIN7 ringleader recently was extradited to the U.S. to stand trial, the rest of the group remains focused on infiltrating the retail and hospitality industries, Accenture said with “moderate” confidence.


Meanwhile the Cobalt Group, another financially motivated group distinct from FIN7, has kept up its work against financial services in the U.S., European countries and nations in the Commonwealth of Independent States, including Russia. Researchers from Palo Alto Networks caught the group trying to evade detection while breaching banks last year, though attackers since then have relied mostly on the malware family known as ConInt, or COOLPANTS. CobInt enables thieves to collect intelligence from targets by monitoring desktop activities and, in some cases, pull up the CobaltStrike malware.

Also known as Silence, the Contact Crew focused on automated teller machines, first using phishing emails to infect desired targets. Contact Crew is the prime suspect in the theft of $3 million from Dutch Bangla Bank ATMs, when money mules made a series of cash withdrawals ending on May 31 of this year.

“The group also has custom proxy toolsets that can be deployed to enable access to harder-to-reach networks, such as those inside financial institutions,” Accenture stated. “Contact Crew uses multiple stages of execution to include the use of legitimate system utilities to increase obfuscation and dwell time.”

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts