
Rewterz Threat Alert – Cobalt Group Operations Targeting Financial Institutions

Severity

High

Analysis Summary

Cobalt Group activity against financial institutions has been observed using the CobInt malware family. The malspam e-mail distribution associated with this activity has a direct connection with subsequent successful attacks on the banks' infrastructure (PCs, card systems, etc.). In particular, there have been recorded cases of successful ATM cash-out attacks (substantial withdrawals from ATMs) and ATM jackpotting attacks (unauthorized dispensing of funds from bank ATMs with the help of a remote criminal team) in countries within Europe, Eastern Europe, and Central Asia.

Impact

  • Theft of financial information
  • Fraudulent transactions

Indicators of Compromise

Domain Name

  • recreationbike.info
  • adminassistance.info

From Email

  • service@sonshinellc.com

MD5

  • ffb1a030d9f01d6c7f2d9299728dd4b1
  • 7901f9317baa81dc6cef72809d003929
  • 82fc2a2b268a43b842cf5c0666633642
  • 7d339ee10e6561f1fb9de3ab05dd4fb8
  • b372fd09864d839112b79b7f0675f7df
  • fd6e378ee8e518113893e4f157efe74e
  • ab2c0d36529119e91fa84562a03307f7
  • 88921c119f409b6db12e7559b0a64066

SHA-256

  • a543875233178887968d760b2d16c12ecdf4ff54d1ded8bd8416a0b560b0d3f9
  • 614e2555e87052bd095630d408e8217814307a3ad9ddec832414628276e7014f
  • cdd87d3cc8807c18d7fb2f67768f4db76506deaabfc57a47ff2f5f5c798e9951
  • bc504b51563959abb11a456ef926b255d8dd679710cedcc1ed7815e8be4e877c
  • 893339624602c7b3a6f481aed9509b53e4e995d6771c72d726ba5a6b319608a7
  • fe16a85a3f0094134eef4ba209c188a186ed269de90a6b5a84bcc4b90470cc79
  • 2c542c38d15d6e25cf33e742716bf1ca14db791d568686ccd8ca09cadda83c7e
  • 1d772438392b1e84d3ce800e181603646ae675e8572f7f741184b83537c5451f

SHA1

  • 28f92813a6539d498617131453f18c2905ad3a61
  • 72aff6b2e5768d178fe750593f7a2a21013c7148
  • c08c1dfafbbf215a545af61626f0f6359fdb4e1f
  • eafa2728ee0cb68085444536bf560eea47c6b7f6

Source IP

  • 184.154.136.86
  • 45.67.57.167
  • 193.124.16.34

URL

  • hxxps://recreationbike.info/yjviyicynwupyyolyk
  • hxxps://recreationbike.info/mlzqrzuopsbrszizfstnhztrztlxvazpriyzezca
  • hxxps://recreationbike.info/tzlwxzwwqivsszyqenqfbpyxjtdlwfzuzpvmlpzeba
  • hxxps://recreationbike.info/edczvdtvbzequbuzkchpdzsavzegqzuwuzdhgezewzn
  • hxxps://adminassistance.info/dyveunetbaioaertfahy

Remediation

  • Block the threat indicators at their respective controls.
  • Keep all systems and software updated and patched against all known security vulnerabilities.
  • Implement real-time monitoring of ATMs so that suspicious activity or processes involving ATM software are identified.
  • Keep ATM software patched and up-to-date.
  • Work with the ATM vendors to address overall ATM security.
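The first remediation step, blocking and hunting for the published indicators, is easier to operationalise when the indicators are loaded into a script rather than eyeballed. The following is an added example, not code from Rewterz: it normalises the advisory's defanged URLs (hxxps) back into matchable form, pools the MD5, SHA1 and SHA-256 values into one hash set (the advisory lists one SHA-256 twice, so the set deduplicates it), and sweeps a handful of constructed proxy, mail, EDR, firewall and DNS log lines for any match. The log lines, host names and timestamps are invented for the demonstration; only the indicators themselves come from the advisory.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators copied from the advisory above.
DOMAINS = {"recreationbike.info", "adminassistance.info"}
SENDERS = {"service@sonshinellc.com"}
SOURCE_IPS = {"184.154.136.86", "45.67.57.167", "193.124.16.34"}
MD5S = {
    "ffb1a030d9f01d6c7f2d9299728dd4b1", "7901f9317baa81dc6cef72809d003929",
    "82fc2a2b268a43b842cf5c0666633642", "7d339ee10e6561f1fb9de3ab05dd4fb8",
    "b372fd09864d839112b79b7f0675f7df", "fd6e378ee8e518113893e4f157efe74e",
    "ab2c0d36529119e91fa84562a03307f7", "88921c119f409b6db12e7559b0a64066",
}
SHA1S = {
    "28f92813a6539d498617131453f18c2905ad3a61", "72aff6b2e5768d178fe750593f7a2a21013c7148",
    "c08c1dfafbbf215a545af61626f0f6359fdb4e1f", "eafa2728ee0cb68085444536bf560eea47c6b7f6",
}
SHA256S = {
    "a543875233178887968d760b2d16c12ecdf4ff54d1ded8bd8416a0b560b0d3f9",
    "614e2555e87052bd095630d408e8217814307a3ad9ddec832414628276e7014f",
    "cdd87d3cc8807c18d7fb2f67768f4db76506deaabfc57a47ff2f5f5c798e9951",
    "bc504b51563959abb11a456ef926b255d8dd679710cedcc1ed7815e8be4e877c",
    "893339624602c7b3a6f481aed9509b53e4e995d6771c72d726ba5a6b319608a7",
    "fe16a85a3f0094134eef4ba209c188a186ed269de90a6b5a84bcc4b90470cc79",
    "2c542c38d15d6e25cf33e742716bf1ca14db791d568686ccd8ca09cadda83c7e",
    "1d772438392b1e84d3ce800e181603646ae675e8572f7f741184b83537c5451f",
}
URLS = {  # kept defanged exactly as published; refang() normalises them
    "hxxps://recreationbike.info/yjviyicynwupyyolyk",
    "hxxps://recreationbike.info/mlzqrzuopsbrszizfstnhztrztlxvazpriyzezca",
    "hxxps://recreationbike.info/tzlwxzwwqivsszyqenqfbpyxjtdlwfzuzpvmlpzeba",
    "hxxps://recreationbike.info/edczvdtvbzequbuzkchpdzsavzegqzuwuzdhgezewzn",
    "hxxps://adminassistance.info/dyveunetbaioaertfahy",
}


def refang(value: str) -> str:
    """Turn a defanged indicator (hxxp/hxxps, [.], [:]) into its plain, lower-cased form."""
    value = value.strip().lower()
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value)
    return value.replace("[.]", ".").replace("[:]", ":")


# One lower-cased hash set; 32/40/64 hex chars tells us which algorithm produced each.
HASHES = {h.lower() for h in MD5S | SHA1S | SHA256S}
IOC_URLS = {refang(u) for u in URLS}

HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Domain patterns refuse to match inside a longer label (e.g. notrecreationbike.info).
DOMAIN_RES = {d: re.compile(r"(?<![\w.-])" + re.escape(d) + r"(?![\w-])", re.I) for d in DOMAINS}


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str   # "hash", "ip", "url", "domain" or "sender"
    value: str


def scan_line(line_no: int, line: str) -> list:
    """Return every advisory indicator found in one log line."""
    hits = []
    for h in HASH_RE.findall(line):
        if h.lower() in HASHES:
            hits.append(Hit(line_no, "hash", h.lower()))
    for ip in IP_RE.findall(line):
        if ip in SOURCE_IPS:
            hits.append(Hit(line_no, "ip", ip))
    for url in URL_RE.findall(line):
        u = refang(url)
        if u in IOC_URLS:
            hits.append(Hit(line_no, "url", u))
    for domain, pattern in DOMAIN_RES.items():
        if pattern.search(line):
            hits.append(Hit(line_no, "domain", domain))
    for addr in EMAIL_RE.findall(line):
        if addr.lower() in SENDERS:
            hits.append(Hit(line_no, "sender", addr.lower()))
    return hits


def scan(lines) -> list:
    return [hit for n, line in enumerate(lines, 1) for hit in scan_line(n, line)]


def matched_lines(lines) -> list:
    """Sorted, de-duplicated line numbers that carry at least one indicator."""
    return sorted({hit.line_no for hit in scan(lines)})


# Constructed sample logs (hosts, timestamps and internal IPs are invented).
SAMPLE_LOGS = [
    "2019-12-31T10:02:11Z proxy allow 10.1.4.22 GET https://recreationbike.info/yjviyicynwupyyolyk 200",
    "2019-12-31T10:02:13Z mail from=<service@sonshinellc.com> to=<treasury@bank.example> subject=Invoice",
    "2019-12-31T10:05:40Z edr parent=winword.exe child=rundll32.exe sha256=A543875233178887968D760B2D16C12ECDF4FF54D1DED8BD8416A0B560B0D3F9",
    "2019-12-31T10:06:02Z fw deny src=193.124.16.34 dst=10.1.4.22 dport=443",
    "2019-12-31T10:07:15Z dns query=adminassistance.info type=A client=10.1.4.22",
    "2019-12-31T10:08:00Z proxy allow 10.1.4.30 GET https://updates.example.com/patch 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
```

A URL hit and a domain hit are both reported for the same line on purpose: the URL tells you the exact payload path was fetched, while the domain match alone is what you will see in DNS or certificate logs where no path exists. Feed real exports through `scan()` line by line, and keep the indicator sets in one place so the same data can be pushed to the proxy, mail gateway and EDR blocklists named in the remediation step.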