Hunting adversaries begins with understanding their behavior through data. In this blog post, we’ll use the Diamond Model as a vehicle to create an actor profile for the criminal group Cobalt Gang. We’ll start by reviewing what is known about the adversary, orienting ourselves to their typical operations, and extracting data from their identified capabilities and infrastructure. We’ll then analyze that data to identify potentially exploitable tactics and strategic considerations for addressing the adversary.
In summary, we were able to identify opportunities for proactively hunting for Cobalt Gang infrastructure based on consistent registrar and ISP usage, which helped us identify four new potentially related domains. We also identified several relevant strategic considerations:
- The average time from command and control (C2) domain registration to certificate creation is under five hours.
- Within five days on average, Cobalt Gang compiles malware leveraging the C2 infrastructure they’ve created.
- An uptick in identified activity occurred in October 2019 with apparent targeting in Southeast Asia.
Building the Actor Profile
First, we start by constructing a preliminary profile and diamond model for the threat actor from open source intelligence (OSINT). The goal here is to gain familiarity with the actor. Below is a simple diamond model put together from OSINT sources and from this blog’s research.
Reporting indicates that Cobalt Gang traditionally targets the financial sector and their suppliers with a notable focus on Eastern Europe and Southeast Asia. The Malpedia CobInt/COOLPANTS report indicates that the group is expanding their toolset by developing their own malware. Kayslice malware is often seen in conjunction with CobInt malware. Focusing on these malware samples, we’ll further our ability to go from reactively to proactively hunting for this adversary.
Figure 1: Diamond Model
Please note, the above information is based on our insight into Cobalt Gang; however, if you have additional intel, please consider adding details to our Cobalt Gang Threat in ThreatConnect or creating a new Incident and associating it to the Threat.
In general, this group is known for using phishing emails to deliver malicious documents that download and execute malware; sometimes in multiple stages. Kayslice’s primary responsibility is to reach out and download the next stage, CobInt. These tools are a starting point for data extraction.
Capabilities Node – Data Extraction and Analysis
Next, we turn to the capabilities node of the diamond model and the tools attributed to Cobalt Gang; in this case, Kayslice and CobInt. After identifying and collecting as many samples as possible using both YARA rules and pivoting in VirusTotal Graph, we identify the command and control domain from each using static and dynamic analysis. See the IOC section at the bottom for the list of samples inspected. Notably, Kayslice executes well in a sandbox, while CobInt may need some additional work depending on the sandbox’s configuration: it is a DLL rather than an executable and therefore needs to be loaded differently. Following malware analysis, these domains were identified (see Appendix IOC section).
It’s worth noting that while Kayslice and CobInt are the focus here, something similar could be done for other objects. Malicious documents or phishing pages work as well; it all depends on the capabilities employed by the actor you’re focusing on.
Capabilities Node – File Attributes
Portable Executable (PE) file attributes provide a rich source of information that can potentially identify file characteristics specifically relevant to the actor behind the file. It’s important to consider when extracting PE attributes, notably timestamps, that data can be manipulated. In reviewing CobInt and Kayslice samples (initial list pulled in February 2020), two things stand out when extracting the PE compile timestamp:
- CobInt appears to be time-stomped as they all read 2019-01-15 17:38:40. This is potentially a unique attribute that we can use to hunt for additional CobInt files.
- The bulk of the Kayslice samples were compiled in the last quarter of 2019.
See table 1 for the extracted data.
| Malware Family | SHA256 | Compile Time |
|---|---|---|
Table 1: Compile Timestamps
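The compile-timestamp extraction and the time-stomp pivot described above (and reused later as a YARA/VirusTotal pivot), as an added example that is not part of the original post: it reads TimeDateStamp straight from the COFF header, flags samples carrying the shared CobInt value 2019-01-15 17:38:40, and builds two constructed header-only stubs (not real malware) to exercise the check.

```python
"""Extract the PE compile timestamp (COFF FileHeader.TimeDateStamp) and flag
samples carrying the CobInt time-stomp value 2019-01-15 17:38:40 UTC."""
import struct
from datetime import datetime, timezone

# Shared CobInt compile time reported in the post; a sample whose header carries
# exactly this value is a candidate for the time-stomp pivot.
COBINT_STOMP = datetime(2019, 1, 15, 17, 38, 40, tzinfo=timezone.utc)
COBINT_STOMP_EPOCH = int(COBINT_STOMP.timestamp())  # 1547573920

def pe_timestamp(data):
    """Return the image's TimeDateStamp as an aware UTC datetime, or None if the
    bytes are not a well-formed PE (MZ magic, e_lfanew in range, PE signature)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4 bytes) + COFF header (20 bytes) must fit in the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)  # TimeDateStamp field
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def is_cobint_stomped(data):
    """True when the compile timestamp equals the CobInt time-stomp value."""
    ts = pe_timestamp(data)
    return ts is not None and ts == COBINT_STOMP

def make_stub_pe(stamp):
    """Constructed minimal PE header (not real malware): MZ stub, e_lfanew -> 0x40,
    PE signature, then a COFF header carrying the given TimeDateStamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine=i386, 1 section, stamp, no symbols, PE32 optional header, EXE|32BIT|DLL
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x2102)
    return bytes(dos) + b"PE\0\0" + coff

STOMPED_SAMPLE = make_stub_pe(COBINT_STOMP_EPOCH)
OTHER_SAMPLE = make_stub_pe(int(datetime(2019, 11, 19, 9, 0, tzinfo=timezone.utc).timestamp()))

# Equivalent YARA condition using the pe module (same epoch value as the pivot above).
YARA_CONDITION = f"pe.timestamp == {COBINT_STOMP_EPOCH}"

if __name__ == "__main__":
    for name, blob in (("stomped", STOMPED_SAMPLE), ("other", OTHER_SAMPLE)):
        print(name, pe_timestamp(blob).isoformat(), is_cobint_stomped(blob))
    print("yara:", YARA_CONDITION)
```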
Correlate Infrastructure Node Data to Distill Information
Our next step is to inspect characteristics of the identified domains to draw some insights as to how Cobalt Gang registers domains, sets up their infrastructure, and against whom they deploy malware leveraging that infrastructure. In the course of our research, we used data from sources like DomainTools, Cisco Umbrella, and crt.sh, to better analyze and enrich the identified infrastructure.
For purposes of this research, we’ll restrict the data to just the domains registered from 2019 to now. Let’s see what can be extrapolated from the infrastructure side of the diamond model.
Infrastructure Node – WHOIS Review
Focusing on domain enrichment, there are three key areas that we’ll focus on to better understand how Cobalt Gang is leveraging their infrastructure — WHOIS, hosting, and certificates. Starting with the WHOIS information, you might notice that the identified domains employ privacy protection and don’t have an email address or other singular, pivotable characteristics. For example, take the expiredmaggio[.]info domain below:
Figure 2: Whois info in ThreatConnect
While this singular WHOIS record may not reveal any notable insight on Cobalt Gang’s registration tactics, reviewing the characteristics for all the identified domains illuminates some preferences. Using DomainTools Iris, we pulled out registration and hosting information for the identified domains and created charts to illustrate the findings.
The registrar count below shows the number of times each registrar was used to procure a domain. While several different registrars were used, Cobalt Gang used reg[.]ru for 11 out of the 15 domains registered from 2019 to now. The registrar is typically indicative of what name server will be used, reg[.]ru in this case.
Figure 3: Domain Registrars
In terms of top level domain (TLD) usage, Cobalt Gang demonstrated a clear preference for [.]info domains. Price and the availability of the underlying domains most likely are the main motivators behind using [.]info TLDs.
Figure 4: TLD Used
Finally, in reviewing the ISP information for the IPs where the domains are hosted, we see that 8 of the 15 domains were hosted at a Beget LLC IP.
Figure 5: Hosting ISPs
Individually, none of these preferences are unique enough to help us hunt for or proactively address Cobalt Gang. However, when their powers combine, the strength of all of these data points is realized.
Figure 6: Powers Combined
In 2019, this actor favored:
- Beget LLC – IP Hosting
- .info – TLD
- reg[.]ru – Registrar
Figure 1 reflects these data points in the diamond model.
Infrastructure Node – Certificate Review
Following the WHOIS review, we inspected the available certificate information for the domains using crt.sh. For domains that had more than one certificate created, we reviewed those created earliest. Our hope is to identify any potentially unique certificate strings, certificate authority usage, or relevant timing with respect to domain creation. See Table 2 for the data points of interest.
| Domain | Issuer Common Name | Cert Registration Date |
|---|---|---|
| centos-update[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-08-30 13:25:44+00:00 |
| 0345432456[.]info | Let’s Encrypt Authority X3 | 2019-10-02 10:51:21+00:00 |
| paysimcard[.]info | Let’s Encrypt Authority X3 | 2019-10-02 10:54:24+00:00 |
| hunvenbinusa[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-10-05 21:49:04+00:00 |
| 5571875[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-10-05 22:04:02+00:00 |
| segwitfeesavings[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-10-15 21:48:18+00:00 |
| fraud-bank[.]host | Let’s Encrypt Authority X3 | 2019-10-16 07:30:49+00:00 |
| adminassistance[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-10-21 20:07:44+00:00 |
| bestguesspass[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-10-21 20:18:11+00:00 |
| boomedon[.]info | Let’s Encrypt Authority X3 | 2019-11-19 08:37:39+00:00 |
| recreationbike[.]info | Let’s Encrypt Authority X3 | 2019-11-19 08:47:49+00:00 |
| cari-properti[.]info | Let’s Encrypt Authority X3 | 2019-11-20 18:51:25+00:00 |
| telekom-support[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-12-17 20:31:10+00:00 |
| expiredmaggio[.]info | GlobalSign RSA DV SSL CA 2018 | 2020-01-22 19:25:02+00:00 |
Table 2: Certificate Information
Reviewing the data shows two certificate authorities — Let’s Encrypt and GlobalSign — being used with no clear favorite between the two; however, these authorities are widely used and not singularly sufficient to proactively hunt for Cobalt Gang.
When we review the certificates’ timing in conjunction with their domains’ creation timestamps, we see a notable trend: every Cobalt Gang domain we reviewed had an SSL certificate created within thirteen hours of registration.
Figure 7: Time from Domain Registration to Certificate Creation
The closeness in time between domain registration and certificate creation can be used to help hunt the actor, which will be covered in a later section.
Victim Node – Deducing Primary Target Region
Cisco Umbrella can provide hints, through DNS telemetry, about the geographical areas the actor is targeting. Cisco’s OpenDNS sees 140 billion DNS requests a day, and this level of visibility provides insight into the regions of the world where DNS activity for a domain is being seen. Still, approach this technique with caution: it reflects the view of a single DNS provider, and the querying machine could be accessing the domain for other reasons, such as the operator setting it up or malware running in a sandbox connected to the Internet through a proxy.
Umbrella breaks down the DNS request into percentages (Figure 8).
Figure 8: DNS Telemetry from Cisco Umbrella
Start with a simple approach: take the highest percentage for each domain and use that country as the primary target region. The domain securegrandix[.]com is tied at 33.33% between Russia and Malaysia so one entry for each was added.
| Most DNS Lookups to this Country | Bulk DNS Queries Resolved Here For | Domain Count |
|---|---|---|
| Malaysia | 0345432456[.]info, 5571875[.]info, cari-properti[.]info, centos-update[.]info, expiredmaggio[.]info, hunvenbinusa[.]info, paysimcard[.]info, securegrandix[.]com, segwitfeesavings[.]info, telekom-support[.]info | 10 |
Table 3: Primary DNS Resolution for each Domain by Country
Figure 9 shows this data mapped out.
Figure 9: Countries with the highest DNS requests per domain
Notice that most of the countries highlighted with more than one hit are located in Southeast Asia, which, when reviewing our diamond model, is consistent with previously identified Cobalt Gang activity.
Interlinking the Diamond Model
The corners of the diamond model all combine to help form an overall picture. Overlaying data points from the infrastructure and capabilities nodes is one way to gain visibility into the behavior of an actor. For example, take the timestamps gathered from the infrastructure analysis and the capabilities analysis and superimpose them, as in Figure 10. Viewing these data points in unison allows an analyst to quickly see behavior patterns like the one between domain registration and Kayslice compile time. Kayslice is compiled just under 2 days (median) after the domain is registered, giving us a two-day window to identify domains before they are weaponized. This graphic also provides evidence that Kayslice is not time-stomped, given how close the compilation time is to the domain registration.
Figure 10: Domain Registration to Event (in Hours)
The final graph, Figure 11, plots domain registrations and certificate creation against a calendar.
Figure 11: Domain / Certificate Creation Date Time Overview
Some domains appear to be registered back to back within hours of each other.
Flipping the Tables: Operationalizing Analysis
Tactical Intelligence and Hunting
Now it’s time to use what was gathered against the actor to identify potential domains before they are compiled into a binary (just under 2 days median turnaround time).
Returning to DomainTools, construct a query to look for:
- TLD: info
- Name Server: reg[.]ru
- Hosting IP: Beget LLC
- Created on or after: 10-01-2019 (this month was chosen based on when the bulk of the activity was first seen)
Here is the saved Iris query for those who want to run it:
A similar query can also be constructed on VirusTotal like so:
entity:domain tld:info ns:"reg.ru" aso:"beget llc" creation_date:2019-10-01+
The above two queries combined return 37 unique domains, including some already known Kayslice and CobInt domains. There are still a few to weed through, so let’s check which ones have a corresponding certificate created within a 13-hour window of the domain being registered. Table 6 is the final output.
| Domain | Cert Issuer Common Name | Domain Creation Date Time | Certificate Registration | Domain Certificate Time Delta |
|---|---|---|---|---|
| menso-blog[.]info | GlobalSign RSA DV SSL CA 2018 | 2020-02-05 13:49:45.716000+00:00 | 2020-02-05 14:35:00+00:00 | 0:45:14 |
| vtbcapital[.]info | Let’s Encrypt Authority X3 | 2020-01-28 16:09:38.735000+00:00 | 2020-01-28 16:48:29+00:00 | 0:38:50 |
| turkbazar[.]info | GlobalSign RSA DV SSL CA 2018 | 2020-01-25 16:18:04.180000+00:00 | 2020-01-26 01:36:51+00:00 | 9:18:47 |
| advokatu[.]info | Let’s Encrypt Authority X3 | 2019-11-26 11:38:48.549000+00:00 | 2019-11-26 16:30:23+00:00 | 4:51:34 |
| mnogoskidok[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-11-29 13:43:19.377000+00:00 | 2019-11-29 14:45:54+00:00 | 1:02:35 |
| zamkadom[.]info | GlobalSign RSA DV SSL CA 2018 | 2020-02-18 08:02:53.816000+00:00 | 2020-02-18 08:48:12+00:00 | 0:45:18 |
| inet-hoster[.]info | GlobalSign RSA DV SSL CA 2018 | 2020-01-19 11:52:27.049000+00:00 | 2020-01-19 13:39:31+00:00 | 1:47:04 |
| cloud-america[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-12-17 20:33:19.974000+00:00 | 2019-12-17 21:23:52+00:00 | 0:50:32 |
| segwitfeesavings[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-10-15 20:15:21.289000+00:00 | 2019-10-15 21:48:18+00:00 | 1:32:57 |
| hunvenbinusa[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-10-05 21:33:09.016000+00:00 | 2019-10-05 21:49:04+00:00 | 0:15:55 |
| 5571875[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-10-05 21:17:14.399000+00:00 | 2019-10-05 22:04:02+00:00 | 0:46:48 |
| recreationbike[.]info | Let’s Encrypt Authority X3 | 2019-11-18 20:30:49.764000+00:00 | 2019-11-19 08:47:49+00:00 | 12:16:59 |
Table 6: Cobalt Gang Hunting
The bottom four domains have already been associated with Cobalt Gang. A researcher on Twitter called out cloud-america[.]info as a suspected Cobalt Gang domain back in December; however, there is no known malware for it at this time. The remaining domains have no associated malware in VirusTotal either.
Table 7: Could be Cobalt Gang Domains DNS Telemetry
Interestingly, turkbazar DNS telemetry shows Viet Nam as the number one location, matching the confirmed domain bestguesspass[.]info (taken 2020-03-03). Note that the DNS telemetry appears to change over time based upon the underlying window, so your results may differ. Overall, ThreatConnect recommends monitoring these domains and repeating/updating this process as more information becomes available.
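The registration-to-certificate screen used to filter the query results above (the 13-hour window first observed in the Table 2 / Figure 7 review), as an added example that is not part of the original post: it recomputes the Table 6 delta column from the page’s own timestamps, applies the window, excludes two constructed control domains (made-up names; one certificate far outside the window, one certificate that predates the domain), and reports the median delta. The same helper applied to compile timestamps would give the Figure 10 registration-to-compile median.

```python
"""Screen domain/certificate timestamp pairs for the setup pattern seen with
Cobalt Gang: a TLS certificate issued within ~13 hours of domain registration."""
from datetime import datetime, timedelta
from statistics import median

# (domain, domain creation, certificate registration) as given in Table 6 on the page.
PAGE_RECORDS = [
    ("menso-blog[.]info", "2020-02-05 13:49:45.716000+00:00", "2020-02-05 14:35:00+00:00"),
    ("vtbcapital[.]info", "2020-01-28 16:09:38.735000+00:00", "2020-01-28 16:48:29+00:00"),
    ("turkbazar[.]info", "2020-01-25 16:18:04.180000+00:00", "2020-01-26 01:36:51+00:00"),
    ("advokatu[.]info", "2019-11-26 11:38:48.549000+00:00", "2019-11-26 16:30:23+00:00"),
    ("mnogoskidok[.]info", "2019-11-29 13:43:19.377000+00:00", "2019-11-29 14:45:54+00:00"),
    ("zamkadom[.]info", "2020-02-18 08:02:53.816000+00:00", "2020-02-18 08:48:12+00:00"),
    ("inet-hoster[.]info", "2020-01-19 11:52:27.049000+00:00", "2020-01-19 13:39:31+00:00"),
    ("cloud-america[.]info", "2019-12-17 20:33:19.974000+00:00", "2019-12-17 21:23:52+00:00"),
    ("segwitfeesavings[.]info", "2019-10-15 20:15:21.289000+00:00", "2019-10-15 21:48:18+00:00"),
    ("hunvenbinusa[.]info", "2019-10-05 21:33:09.016000+00:00", "2019-10-05 21:49:04+00:00"),
    ("5571875[.]info", "2019-10-05 21:17:14.399000+00:00", "2019-10-05 22:04:02+00:00"),
    ("recreationbike[.]info", "2019-11-18 20:30:49.764000+00:00", "2019-11-19 08:47:49+00:00"),
]
# Constructed controls (not from the page): a certificate three days after
# registration, and a certificate that predates the domain (re-registered name).
CONTROLS = [
    ("late-control[.]info", "2020-02-01 10:00:00+00:00", "2020-02-04 10:00:00+00:00"),
    ("stale-control[.]info", "2020-02-01 10:00:00+00:00", "2020-01-20 10:00:00+00:00"),
]
WINDOW = timedelta(hours=13)  # widest registration-to-certificate gap seen in Table 2

def cert_delta(created, issued):
    """Signed time from domain registration to certificate registration."""
    return datetime.fromisoformat(issued) - datetime.fromisoformat(created)

def fmt_delta(delta):
    """Render a non-negative timedelta as H:MM:SS rounded to the second (Table 6 style)."""
    total = round(delta.total_seconds())
    hours, rem = divmod(total, 3600)
    return f"{hours}:{rem // 60:02d}:{rem % 60:02d}"

def table_deltas(records):
    """Domain -> formatted registration-to-certificate delta, as in the table's last column."""
    return {d: fmt_delta(cert_delta(c, i)) for d, c, i in records}

def within_window(records, window=WINDOW):
    """Domains whose certificate followed registration by at most `window`; negative
    deltas (certificate older than the domain) are treated as noise and dropped."""
    return [d for d, c, i in records if timedelta(0) <= cert_delta(c, i) <= window]

def median_delta_hours(records):
    """Median registration-to-certificate gap in hours over the given records."""
    return median([cert_delta(c, i).total_seconds() for _, c, i in records]) / 3600

if __name__ == "__main__":
    for domain, delta in table_deltas(PAGE_RECORDS).items():
        print(f"{domain:26} {delta}")
    print("candidates:", within_window(PAGE_RECORDS + CONTROLS))
    print(f"median delta: {median_delta_hours(PAGE_RECORDS):.2f} h")
```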
From a capabilities perspective, the time-stomped CobInt tool makes for a nice pivot point. This can be done with a YARA rule or a custom query in VirusTotal. ThreatConnect exposes this pivot point through the Browse screen. Figure 12 shows the results from pivoting on 2019-01-15T17:38:40Z in ThreatConnect.
Figure 12: Compilation Time-Stomp Pivot in ThreatConnect
Patterns in timing information help an analyst in multiple ways, not only at a tactical level but also at a strategic level. At the strategic level, time deltas can give insight into a threat actor’s operation that an analyst can exploit. In the case of Cobalt Gang, this insight tells us the window of opportunity we have to find the infrastructure while it is still being set up, that is, before it is operationalized. Figure 10 shows us that there is about a two-day median between the domain being registered and the malware being compiled. Discovering windows like this allows us to fine-tune and prioritize hunting efforts to stay a step ahead of the adversary and ultimately neutralize domains before they become active.
Studying the behavior and tools of adversaries aids both defenders and threat hunters in spotting and stopping adversary attacks. Data is key! Extracting and understanding the data provided is a must to understand one’s adversaries. The same data can be viewed through multiple lenses. An analyst can plot out the domain and certificate creation timestamps to see when the activity occurred and then do a time delta on those same dates to gain insight into the threat actor’s behavior. This strategic intelligence helps the threat hunter to understand what window they have to find infrastructure before it’s used. All of this is an effort to exploit patterns of human behavior to stay one step ahead. At ThreatConnect, we consistently employ techniques like these to protect our users.
For more on the Cobalt Gang, listen to Episode 5 of It’s 5-O’SOC Somewhere, our podcast.