Pulse: New Cobalt Group campaign targeting eastern Europe and Russian institutions
TLP: WHITE | Tag: Cobalt group | Author: AlienVault | Created: 2018-08-30 | Modified: 2018-08-30 | 38 IOCs
Cobalt Group (aka TEMP.Metastrike), active since at least late 2016, has been suspected in attacks across dozens of countries. The group primarily targets financial organizations, often with the use of ATM malware. Researchers also believe they are responsible for a series of attacks on the SWIFT banking system which cost the impacted entities millions in damages. On August 13, ASERT observed the financially-motivated hacking group actively pushing a new campaign. We believe the targeted institutions for the ongoing campaign are located in eastern Europe and Russia. The active campaigns use spear-phishing messages to gain entry. The emails appear to come from a financial vendor or partner, increasing the likelihood of infection. The group uses tools that can bypass Windows defenses.
Indicators of Compromise (38)