New Techniques to Uncover and Attribute Cobalt Gang Commodity Builders and Infrastructure Revealed
WHITE | Cobalt group | AlienVault | Created: 2018-10-25 | Modified: 2018-10-25
Nowadays it is very easy for an advanced attacker to use commodity tools and malware, together with very simple initial delivery methods, to keep a low profile and avoid attribution. One of the most common approaches is spear-phishing email that relies on social engineering or on widely used exploits (such as CVE-2017-0199 or documents produced by the ThreadKit builder) to trick employees of the targeted organizations. Only after the initial infection does the attacker become more sophisticated, deploying custom malware and more advanced tooling, and/or relying on living-off-the-land techniques (such as PowerShell, or signed system binaries like CMSTP or Regsvr32).
Indicators of Compromise (80)