Cobalt Group

Threat Actor updated 5 months ago (2024-11-29T14:42:51.896Z)

Download STIX

Preview STIX

The Cobalt Group is a significant threat actor known for its financially-motivated cybercrime activities. This group, along with the Russian state-sponsored hacking group APT28, was responsible for almost half of all cybersecurity incidents in 2023, according to TechRadar. The Cobalt Group's modus operandi includes bypassing User Account Control (UAC) and gaining unauthorized access to targeted networks, as documented in November last year when they exploited CVE-2017-11882. Their activities often overlap with other groups like FIN6 and Evilnum, making it challenging to identify their exact identity. The Cobalt Group, along with FIN6, is known to use Golden Chickens, a malware-as-a-service (MaaS) offering. This MaaS, also referred to as More_eggs, has been dubbed the "cyber weapon of choice" by these Russia-based cyber gangs. eSentire, a cybersecurity firm, identified the second developer of Golden Chickens as a Romanian man known as VENOM SPIDER. The group has also used Storm-0324 for unauthorized corporate network access, primarily to distribute JSSLoader before handing over the keys to the notorious financial and ransomware actor FIN7. In 2017 and 2018, the Cobalt Group utilized badbullzvenoms' (aka: Lucky) VenomKit to deploy Cobalt Strike in attacks on banks. eSentire noted that this malware suite was later leveraged by FIN6 in 2019, the same year when the suite included the PureLocker ransomware plugin. The second developer of the Golden Chickens malware, which has been used extensively by the Cobalt Group, was unmasked by eSentire to be a Romanian named Jack, also known as Lucky and badbullzvenom.

Description last updated: 2024-05-04T17:53:07.169Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Cobalt Strike

Maas

Cybercrime

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The EVILNUM Malware is associated with Cobalt Group. Evilnum is a form of malware, first observed and reported in 2018, that is designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or even ho	Unspecified	3
The Golden Chickens Malware is associated with Cobalt Group. Golden Chickens, also known as More_eggs, is a stealthy and capable malware suite primarily used by financially-motivated cybercrime groups such as the Cobalt Group and FIN6. The malware was initially discovered in 2018 and has been primarily targeting organizations in Southeast Asia, stealing sensi	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The FIN6 Threat Actor is associated with Cobalt Group. FIN6, also known as ITG08, Skelaton Spider, and MageCart, is a notorious threat actor group associated with significant cyber-attacks. The group initially gained notoriety for successfully stealing credit cards through point of sale (POS) systems in retail and hospitality establishments, notably cau	Unspecified	2

Source Document References

Information about the Cobalt Group Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Recorded Future	11 days ago	Golden Chickens Unveils TerraStealerV2 and TerraLogger: New Credential Theft Tools Identified by Insikt Group
CERT-EU	a year ago	Cyber threat landscape controlled by leading threat operations
MITRE	a year ago	Cobalt Group Gaffe Reveals All Targets in Attack on Financial Institutions
MITRE	a year ago	First Activities of Cobalt Group in 2018: Spear-phishing Russian Banks
CERT-EU	a year ago	Hiring? New scam campaign means ‘resume’ downloads may contain malware
CERT-EU	2 years ago	Microsoft Teams Hacks Are Back, As Storm-0324 Embraces TeamsPhisher
CERT-EU	2 years ago	High-severity Chrome vulnerabilities addressed
CERT-EU	2 years ago	Minnesota VA medical center plagued with IT security gaps
CERT-EU	2 years ago	Golden Chickens malware developer unmasked
MITRE	2 years ago	Cobalt Group 2.0
MITRE	2 years ago	Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions \| Proofpoint US
Quick Heal Technologies Ltd.	2 years ago	UAC Bypass Using CMSTP
CERT-EU	2 years ago	Researchers Identify Second Developer of ‘Golden Chickens’ Malware
CERT-EU	2 years ago	Meet 'Jack' from Romania! Mastermind Behind Golden Chickens Malware
CERT-EU	2 years ago	Αποκαλύφθηκε ο προμηθευτής malware των πιο επικίνδυνων Ρώσων κυβερνο-εγκληματιών
CERT-EU	2 years ago	Researchers identify second developer behind Golden Chickens MaaS