Cobalt Hacking Group: Tactics and Tools Update

The PT Expert Security Center (PT ESC) has been monitoring the Cobalt group since 2016. Currently the group targets financial organizations around the world. Two years ago, for example, their attacks caused over $14 million in damage. Over the last four years, we have released several reports on attacks linked to the group.

Over the last year, the group has not only modified its flagship tools CobInt and COM-DLL-Dropper in conjunction with the more_eggs JavaScript backdoor, but also started using new methods to deliver malware and bypass security in the initial stages of the kill chain. As a group whose activities have long been of interest to security researchers all over the world, the attackers are highly motivated to stay one step ahead.

In 2019, the group conducted an average of three attacks per month. In our new article, we will analyze new tactics and tools hackers use. The full version of the report is available here.

1. European Central Bank phishing website

In late August 2019, we detected a CobInt attack that presumably targeted European financial institutions. We do not know whether the attack was successful. CobInt was dropped by a custom NSIS installer. We detected three versions of the dropper: for Chrome, Firefox, and Opera. Each dropper contained the same CobInt version and a browser-specific installer. Once launched, the dropper saved CobInt to the %TEMP% folder and then ran CobInt and the installer. Malware analysis proved that the droppers were distributed from the phishing website ecb-european[.]eu.

Figure 3. Phishing website main page Phishing website main page

The site was a copy of the European Central Bank website, except for a pop-up window that asked visitors to update the browser.

Figure 4. Pop-up window on the fake ECB websitePop-up window on the fake ECB website

Visitors who fell for the ruse downloaded the dropper to their computer. The page source code contained a link to the script that displayed the pop-up window.

2. Malicious VHD

In late December 2019, we detected another CobInt loader used by Cobalt. The loader container was unusual. It was a virtual hard disk (VHD), presumably distributed by email.

The VHD format was originally developed by Connectix for their Virtual PC product. Microsoft acquired the product in 2003 and renamed it Microsoft Virtual PC. In 2005, the format became available to the public. Microsoft started using the VHD format in Hyper-V, the hypervisor-based virtualization technology. A VHD file may contain anything found on a physical hard drive, such as disk partitions and a file system with folders and files.

In September 2019, the CERT/CC Blog published an article about the danger of VHD files and their possible use as an attack vector. The researcher Will Dorman showed that neither antivirus software nor the Mark of the Web alerts users about the potential harm of the contents of a VHD file downloaded from the Internet. Dorman created a malicious VHD container with EICAR inside and uploaded the result to VirusTotal. The malware was not detected by any antivirus engines. It is possible that Cobalt used the findings of this research for their own purposes. Their VHD file was also not detected by any antivirus software when it first appeared on VirusTotal. Half a year later, the file was detected by just one antivirus engine, which is still very low.

Figure 9. Cobalt VHD detection level at the moment of attackCobalt VHD detection level at the moment of attack

The VHD contains two CobInt files. One file has two invalid Google certificates appended to it in order to reduce the odds of detection.

3. BIFF macro

In March 2020, we detected an XLS document from Cobalt that downloaded and ran the COM-DLL-Dropper. The document contained the rather old Excel 4.0 macro format and was almost invisible to antivirus software (1 positive verdict out of 60 on VirusTotal).

Figure 27. Number of antivirus verdicts on VirusTotal during first upload of the file with Excel 4.0 macroNumber of antivirus verdicts on VirusTotal during first upload of the file with Excel 4.0 macro

This macro standard is 20 years old. The standard is peculiar in that the macro is stored in worksheet cells (not stored in a VBA project), and the worksheet itself can be hidden in Excel. The macro therefore will not be in a VBA stream, but in a BIFF (Binary Interchange File Format) record.

If we open the document in Excel, we see one worksheet and no VBA project macros. However, Excel all the same detects the macro and blocks it from running.

Figure 29. Structure of malicious document worksheets

Structure of malicious document worksheets

When the initial document is opened in the Name Manager, one of the formulas runs automatically:

Figure 30. Macro formula that runs when the document is openedMacro formula that runs when the document is opened

The initial formula launches a long chain of commands, such as CONCATENATE, RUN, CHAR, and CALL, which will lead to the loading and launch of COM-DLL-Dropper. The commands are scattered across the Excel cells, complicating analysis.

4. COM-DLL-Dropper analysis

In early April 2020, we detected a new version of COM-DLL-Dropper. Its functions are different from everything we had seen before. However, the more_eggs JavaScript backdoor payload remained the same.

Cobalt first started using COM-DLL-Dropper in the summer of 2017 and is still using it to deliver more_eggs, which is contained in the dropper in encrypted and archived form.

A few facts about the dropper:

  • It is written completely in PureBasic.
  • It uses numerous anti-analysis techniques.
  • It contains an encrypted and archived JavaScript loader, JavaScript backdoor, and a legitimate utility for modifying the command line to launch more_eggs.
  • It has a built-in obfuscator for the hard-coded JavaScript backdoor and JavaScript loader


Cobalt keeps attacking financial organizations around the world, refining its TTPs, and inventing ever-more sophisticated ways to bypass defenses. Due to quarantine-related measures, many employees of financial companies are now working remotely, outside the protection offered by corporate security solutions. Moreover, many threat actors are using COVID-19 as a lure in their attacks, as the Higaisa group has done. It is possible that Cobalt, too, will try to weaponize such concern.

The full version of the report is available here.

Authors: Denis Kuvshinov, Segey Tarasov, Daniil Koloskov, PT Expert Security Center

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.