The waves of backdoor-laden spam emails we observed during June and July that targeted Russian-speaking businesses were part of bigger campaigns. The culprit appears to be the Cobalt hacking group, based on the techniques used. In their recent campaigns, Cobalt used two different infection chains, with social engineering hooks designed to invoke a sense of urgency in the recipients, the banks' employees.

Cobalt was named after Cobalt Strike, a multifunctional penetration testing tool similar to Metasploit. The group has misused Cobalt Strike, for instance, to perpetrate ATM cyber heists and to target financial institutions across Europe and, interestingly, Russia.

Unlike other groups that avoid Russia (or Russian-speaking countries) to elude law enforcement, Cobalt's attack patterns suggest that the group uses Russia as a testing ground, trying its latest malware and techniques on Russian banks first. If successful, it goes on to attack financial institutions outside the country. This resembles the tactics of another cybercriminal group, Lurk. The group's first spam run also targeted a Slovenian bank, while the second run targeted financial organizations in Azerbaijan, Belarus, and Spain.

Apart from using a different vulnerability (CVE-2017-8759), what is unique in the latest spear-phishing campaigns, compared with Cobalt's previous spam runs and even other related cybercriminal campaigns, is an apparent role change. The modus operandi commonly seen in attack chains that target end users (i.e., bank customers) is now leveled against the banks themselves. While the group previously posed as the sales and billing departments of legitimate companies, it now masquerades as the customers of its targets (banks), as a state arbitration court, and, ironically, as an anti-fraud and online security company notifying the would-be victim that their "internet resource" has been blocked.

The first spam run, on August 31, used a Rich Text Format (RTF) document laden with malicious macros. The second, which ran from September 20 to 21, used an exploit for CVE-2017-8759 (patched last September), a code injection/remote code execution vulnerability in Microsoft's .NET Framework. The vulnerability was used to retrieve and execute Cobalt Strike from a remote server the attackers controlled. We also saw other threat actors using the same security flaw of late, such as the cyberespionage group ChessMaster.

Below are snapshots of some of the spam emails they sent to their targets:

Figure 1. Spam emails containing RTF documents embedded with malicious macros

Here is a visualization of the macro-based infection chain:

Figure 2. Infection chain of Cobalt's latest spear-phishing campaign using malicious macros

The RTF file contains macro code that executes a PowerShell command to retrieve a dynamic-link library (DLL) file and then runs the DLL using odbcconf.exe, a command-line utility related to Microsoft Data Access Components. The DLL drops and executes a malicious JScript using regsvr32.exe, another command-line utility, which downloads a second JScript and executes it through the same regsvr32.exe. This second JScript then connects to a remote server and waits for backdoor commands. Both odbcconf.exe and regsvr32.exe are legitimate, signed Microsoft binaries, which is the point of using them: the DLL and the scriptlets run under trusted process names rather than under a dropped executable. During analysis, we received a PowerShell command that downloads Cobalt Strike from hxxps://5135237216RLxF (the address as it appears in this copy, with its separators stripped). It ultimately tries to connect to the group's command-and-control (C&C) server, 5135237216443, which we found located in France.

To further illustrate this infection chain: after the victim clicks "Enable Content", the macro code runs. It checks whether the machine is 64-bit, decrypts and executes a PowerShell command, removes the picture in the document, and writes "Call me" in its place.

Figure 3. The malicious RTF file asking would-be victims to "Enable Content" (left) and what happens after clicking it, when the macro code is run (right)

The PowerShell command downloads a DLL file from hxxp://visafraudmonitoringcomtdll, saves it on the affected machine, and then executes it via the command odbcconf.exe /S /A. The DLL file drops a Windows Script Component (SCT) file embedded with JScript into the %AppData% folder under a random name with an appended extension.
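The macro chain described above (Office document to PowerShell, PowerShell to a DLL loaded by odbcconf.exe, the DLL to a scriptlet run by regsvr32.exe) maps onto a few process-creation checks that a defender can run over endpoint telemetry. What follows is an added example and not code from the original post: a small Python detector applied to constructed Sysmon-style process-creation events. Every path, file name, encoded-command string and the random scriptlet name in the sample events is made up for illustration, not an indicator from the post. The post itself shows only "odbcconf.exe /S /A" and the use of regsvr32.exe; the `{REGSVR "<dll>"}` action for odbcconf and the `/i:<scriptlet> scrobj.dll` form for regsvr32 are the documented ways those utilities load a DLL and a Windows Script Component, and the example assumes that is how this sample invoked them.

```python
# Added example (not from the original post): detection checks for the LOLBin
# steps in the macro infection chain. The events are constructed Sysmon-style
# process-creation records; every path, file name and command line below is
# made up for illustration, not an indicator taken from the post.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    event_id: int        # record number, only used to report hits
    parent_image: str    # full path of the parent process
    image: str           # full path of the created process
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_powershell(e: ProcEvent) -> bool:
    """Macro stage: an Office application starting PowerShell."""
    office = {"winword.exe", "excel.exe", "powerpnt.exe"}
    return (_basename(e.parent_image) in office
            and _basename(e.image) in {"powershell.exe", "pwsh.exe"})


# odbcconf's REGSVR action loads the named DLL and calls its DllRegisterServer,
# so "/A {REGSVR ...}" is the part of the command line worth matching (assumed
# form; the post only shows "odbcconf.exe /S /A"). Ordinary odbcconf use such
# as CONFIGSYSDSN must not fire.
ODBCCONF_REGSVR = re.compile(r"/a\s*\{\s*regsvr\b", re.IGNORECASE)


def odbcconf_loads_dll(e: ProcEvent) -> bool:
    """DLL stage: odbcconf.exe used as a DLL loader."""
    return (_basename(e.image) == "odbcconf.exe"
            and ODBCCONF_REGSVR.search(e.command_line) is not None)


# regsvr32 runs a scriptlet with "/i:<file or URL> scrobj.dll"; the scriptlet's
# extension is irrelevant to it, so match on /i: plus scrobj.dll, never on .sct.
REGSVR32_SCRIPTLET = re.compile(r"/i:\S+.*\bscrobj\.dll\b", re.IGNORECASE)


def regsvr32_runs_scriptlet(e: ProcEvent) -> bool:
    """JScript stage: regsvr32.exe executing a Windows Script Component."""
    return (_basename(e.image) == "regsvr32.exe"
            and REGSVR32_SCRIPTLET.search(e.command_line) is not None)


RULES = {
    "office_spawns_powershell": office_spawns_powershell,
    "odbcconf_loads_dll": odbcconf_loads_dll,
    "regsvr32_runs_scriptlet": regsvr32_runs_scriptlet,
}


def detect(events):
    """Return (event_id, rule_name) for every event that trips a rule."""
    return [(e.event_id, name)
            for e in events for name, rule in RULES.items() if rule(e)]


# Constructed sample: three events mirroring the chain, two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A"),
    ProcEvent(2, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\odbcconf.exe",
              r'odbcconf.exe /S /A {REGSVR "C:\Users\u\AppData\Roaming\t.dll"}'),
    ProcEvent(3, r"C:\Windows\System32\odbcconf.exe",
              r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s /n /u /i:C:\Users\u\AppData\Roaming\kq3z9.txt scrobj.dll"),
    ProcEvent(4, r"C:\Windows\explorer.exe",        # benign: ordinary DLL registration
              r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),
    ProcEvent(5, r"C:\Windows\explorer.exe",        # benign: ODBC data source setup
              r"C:\Windows\System32\odbcconf.exe",
              'odbcconf.exe /A {CONFIGSYSDSN "SQL Server" "DSN=reports"}'),
]

if __name__ == "__main__":
    for event_id, rule in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Each rule keys on the behaviour that the chain cannot avoid rather than on a hash or a file name: the parent-child relationship for the macro stage, the REGSVR action for the odbcconf stage, and scrobj.dll for the regsvr32 stage. The natural fourth check, not shown here, is an outbound network connection (Sysmon event 3) from regsvr32.exe or odbcconf.exe, which corresponds to the final JScript reaching its remote server.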