Cobalt Group Description
The Cobalt Group is a well-known group of hackers that has been operating in the cybercrime scene for some time. They do not appear to be acting on behalf of any government; instead, their attacks appear to be financially motivated. Most of their attacks are carried out in Eastern Europe, Central Asia and Southeast Asia. The Cobalt Group likes to play big – most of its targets tend to be high-profile institutions such as banks or other organizations operating in the financial industry. The group is also known to have targeted ATMs (Automated Teller Machines) and online payment processors. The Cobalt Group prefers to carry out stealthy attacks, even if that means an operation takes longer to complete. They often infiltrate a targeted network over a long period, as this makes it less likely for their malicious activity to be spotted.
Operates in a Fileless Mode
The trademark hacking tool of the Cobalt Group is Cobalt Strike, and the group's name is derived from this threat. However, we should note that Cobalt Strike is sold publicly and was not created by the Cobalt Group; the group is simply known for having launched impressive hacking campaigns using this tool. What makes Cobalt Strike particularly threatening is that it can operate very silently by planting its modules in the RAM (Random Access Memory) of the compromised host rather than writing them to disk. This is known as operating in a fileless mode. By doing this, Cobalt Strike is also much more likely to remain under the radar of anti-virus applications that may be present on the infiltrated system.
Cobalt Strike has a significant list of capabilities. This threat can:
- Let the attackers gain remote access to the compromised machine.
- Scan the network in order to detect other systems that may be vulnerable.
- Collect keystrokes.
- Bypass Windows’ UAC (User Account Control).
- Plant the Mimikatz infostealer.
The Cobalt Group is also known to use other tools such as TeamViewer, the PsExec utility, SoftPerfect Network Scanner, Windows' Remote Desktop Protocol (RDP) and Plink.
The preferred propagation method of the Cobalt Group is spear-phishing emails. This technique allows them to tailor specific messages and use social engineering tricks to convince the user that the email is legitimate and that any attachment it contains is harmless. Apart from using corrupted attachments to propagate their hacking tools, the Cobalt Group is known to ask its victims to download a file containing a malicious payload, which is hosted on a third-party platform.
As mentioned, the Cobalt Group prefers to take things slowly and make sure it infiltrates systems and networks that are otherwise very difficult to reach. Usually, the attack is carried out by infiltrating one system within a network and then seeking ways to compromise more hosts. Malware experts have determined that a Cobalt Group campaign usually takes around two weeks from its starting point to achieving its goal.
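The tools listed above are legitimate administration utilities, so a single sighting of one proves little; what stands out is several of them appearing on the same host within a short time during the lateral-movement phase described here. The following hunting script is an added example, not code from this page or from any vendor: it correlates constructed process-creation log lines per host and flags those where two or more of the named tools run within a sliding time window. The executable names it maps to the tools (for example netscan.exe for SoftPerfect Network Scanner) are assumptions for the rule and should be checked against your own telemetry.

```python
"""Flag hosts where several dual-use tools from the Cobalt Group profile
(PsExec, SoftPerfect Network Scanner, Plink, TeamViewer, RDP client) run
within a short window of each other. All log lines are constructed samples."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed image names for the tools named in the profile (verify locally).
TOOL_IMAGES = {
    "psexec.exe": "PsExec",
    "psexesvc.exe": "PsExec service",
    "netscan.exe": "SoftPerfect Network Scanner",
    "plink.exe": "Plink",
    "teamviewer.exe": "TeamViewer",
    "mstsc.exe": "RDP client",
}

# Constructed process-creation records: "<ISO timestamp> <host> <image>"
SAMPLE_LOG = """\
2024-05-01T09:00:12 WS-ACCT-07 outlook.exe
2024-05-01T09:03:40 WS-ACCT-07 winword.exe
2024-05-01T11:15:02 WS-ACCT-07 netscan.exe
2024-05-01T11:42:55 WS-ACCT-07 psexec.exe
2024-05-01T12:05:10 WS-ACCT-07 plink.exe
2024-05-01T14:20:00 WS-HR-03 teamviewer.exe
2024-05-02T08:00:00 WS-HR-03 mstsc.exe
"""

def parse(log_text):
    """Turn the whitespace-separated records into (timestamp, host, image)."""
    events = []
    for line in log_text.splitlines():
        ts, host, image = line.split()
        events.append((datetime.fromisoformat(ts), host, image.lower()))
    return events

def flag_hosts(events, window_hours=2.0, min_tools=2):
    """Return {host: sorted tool names} for hosts where at least min_tools
    distinct profile tools started within window_hours of one another."""
    window = timedelta(hours=window_hours)
    per_host = defaultdict(list)
    for ts, host, image in sorted(events):
        if image in TOOL_IMAGES:
            per_host[host].append((ts, TOOL_IMAGES[image]))
    hits = {}
    for host, seen in per_host.items():
        for i, (start, _) in enumerate(seen):  # slide the window over each start
            in_window = {name for ts, name in seen[i:] if ts - start <= window}
            if len(in_window) >= min_tools:
                hits[host] = sorted(in_window)
                break
    return hits

if __name__ == "__main__":
    for host, tools in flag_hosts(parse(SAMPLE_LOG)).items():
        print(host, "->", ", ".join(tools))
```

With the default two-hour window only WS-ACCT-07 is flagged; WS-HR-03's two tools are more than half a day apart and only surface if the window is widened, which is the tuning knob that trades false positives against the slow pace the profile describes.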