Cobalt Group
Aliases: GOLD KINGSWOOD, Cobalt Gang, Cobalt Spider
Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money by targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to compromise additional victims. Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.
ATT&CK techniques
Spearphishing Attachment
T1105 Ingress Tool Transfer
T1027.010 Command Obfuscation
T1053.005 Scheduled Task
T1218.008 Odbcconf
T1195.002 Compromise Software Supply Chain
T1518.001 Security Software Discovery
T1559.002 Dynamic Data Exchange
T1204.002 Malicious File
T1068 Exploitation for Privilege Escalation
T1218.003 CMSTP
T1218.010 Regsvr32
T1055 Process Injection
T1059.001 PowerShell
T1588.002 Tool
T1021.001 Remote Desktop Protocol
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
T1070.004 File Deletion
T1548.002 Bypass User Account Control
T1220 XSL Script Processing
T1071.004 DNS
T1059.007 JavaScript
T1566.002 Spearphishing Link
T1204.001 Malicious Link
T1059.003 Windows Command Shell
T1071.001 Web Protocols
T1547.001 Registry Run Keys / Startup Folder
T1572 Protocol Tunneling
T1573.002 Asymmetric Cryptography
T1543.003 Windows Service
T1219 Remote Access Software
T1046 Network Service Discovery
T1037.001 Logon Script (Windows)
T1059 Command and Scripting Interpreter