Meet CrowdStrike’s Adversary of the Month for September: COBALT SPIDER

COBALT SPIDER is a financially-motivated criminal group responsible for attacks on financial institutions (FIs) in Russia, Central Asia and Eastern Europe.

The adversary uses spear-phishing emails containing malicious attachments to gain access to corporate infrastructure, often exploiting known vulnerabilities through publicly available malware and tools, and was named because they are associated with the use of the Cobalt Strike Beacon payload in their operations.

Cobalt Strike is a commercial penetration testing tool that gets loaded into RAM and allows the attackers to open a connection to the infected machine, manage and download additional modules, log keystrokes and conduct port scanning. The Mimikatz module is used to harvest credentials and escalate privileges, giving the attackers greater control of the machine and access across the network.

COBALT SPIDER achieves persistence on the victim’s machine by creating a startup path to launch malicious code using PowerShell, which subsequently invokes a connection to a C2 server to reinstall the Cobalt Strike payload each time the machine is rebooted, rather than writing it to disk. Native Windows operating system capabilities, such as Explorer, are used to connect to additional machines and move laterally within the victim network.

The adversary monetizes attacks by targeting ATM machines and issuing commands to dispense cash in a technique termed “Jackpotting.” The cash is then collected by a network of money mule operatives who work as part of the campaign team.

It should be noted that COBALT SPIDER actors are not the developers of the Cobalt Strike penetration testing tool and should not be confused with other adversaries also using this software in campaign activity.

Cobalt Group and Cobalt Gang are community/industry names associated with this actor.

Other Known Criminal Adversaries

Curious about other nation-state adversaries? Visit our threat actor center to learn about the new adversaries that the CrowdStrike team discovers.

Learn More

To learn more about how to incorporate intelligence on threat actors like COBALT SPIDER into your security strategy, please visit the Falcon Threat Intelligence page.

Want the insights on the latest adversary tactics, techniques, and procedures (TTPs)? Download the CrowdStrike 2019 Global Threat Report: Adversary Tradecraft and The Importance of Speed

Adam Meyers

Adam Meyers has authored numerous papers for peer-reviewed industry venues and has received awards for his dedication to the information security industry. As Vice President of Intelligence for Crowdstrike, Meyers oversees all of CrowdStrike’s intelligence gathering and cyber-adversarial monitoring activities. Previously, Meyers was the Director of Cyber Security Intelligence with the National Products and Offerings Division of SRA International where he provided technical expertise at the tactical level and strategic guidance on overall security program objectives.

Other Known Criminal Adversaries

Learn More

Adam Meyers

WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN

Huge Fan of Your Work: How TURBINE PANDA and China’s Top Spies Enabled Beijing to Cut Corners on the C919 Passenger Jet

Ransomware Increases the Back-to-School Blues