A cybercrime group believed to be responsible for around one billion euros of thefts has struck again, despite the arrest of the group's leader in March.
The Cobalt hacking group is believed to be behind a new attack against banks in Russia and CIS countries, which was detected on 23rd May.
Cybersecurity company Group-IB said that it has analysed the latest attacks, which mainly used spear-phishing emails disguised as communications from a well-known anti-virus vendor, and believes Cobalt is working in collaboration with the Anunak (Carbanak) groups.
Since 2013, the cybercrime gang have attempted to attack banks, e-payment systems and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt. The criminal operation has struck banks in more than 40 countries and has resulted in cumulative losses of over one billion euros for the financial industry. The magnitude of the losses is significant: the Cobalt malware alone allowed criminals to steal up to 10 million euros per heist.
The alleged leader of the group was arrested in Alicante, Spain, after a complex investigation conducted by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Moldovan, Belarusian and Taiwanese authorities and private cyber security companies. The arrest was reported on 26th March.
The latest attack was launched with a wave of spear-phishing emails sent to banks, which claimed to be a legal complaint from anti-virus vendor Kaspersky Lab. The fake email included a link to download and read a complaint letter, which actually launched the malware to infect the bank employee's computer.
Group-IB said that although Russian and CIS banks appear to be the main target, the email was written in English, suggesting that foreign banks may also have been targeted. It was not disclosed if any of the target organisations suffered losses from the latest attacks.
The security company said that the attack used a Trojan which is unique to the Cobalt group, and that the high quality of the spear-phishing email and fake website was also typical of the group. These and other signs again pointed to the possibility that the remaining members of the Cobalt group were conducting a joint operation with other criminal groups, in particular Anunak.
Group-IB warned that Cobalt clearly poses a risk to financial institutions, and also to other companies in the finance system supply chain, including systems integrators, payment terminal and electronic wallet providers, who have all been targeted in the past by the group.
"Cobalt is still active: its members continue attacks on financial organizations and other companies worldwide," comments Tarek Kuzbari, Group-IB managing director. "We have technical proof of collaboration between Cobalt and Carbanak. In order to enable business and market regulators to take preventative measures against these criminals, we provide our customers indicators to protect them from phishing, identify the infrastructure and methods still used by these criminals."