Threat actors such as the Cobalt Group and other APT gangs are using lightweight modular downloaders to scout and “fingerprint” target machines before launching their malware.
Proofpoint researchers said the emergence of the AdvisorsBot and Marap malware, zero-day attacks by the PowerPool group exploiting Microsoft ALPC, and Cobalt Group's own custom CobInt code indicate a new trend of stealthy attacks designed to stay hidden until it's time to strike, according to a Sept. 11 blog post.
“Established actors like TA505 and Cobalt Group are increasingly looking to stealthy downloaders to initially infect systems and then only install additional malware on systems of interest,” researchers said in the post. “As defenses improve across the board, threat actors must innovate to improve the returns on their investments in malware and infection vectors, making this approach consistent with the ‘follow the money’ theme we have associated with a range of financially motivated campaigns over the years.”
The malware also makes use of junk code, including extra instructions, conditional statements, loops and other misdirection, designed to hinder analysis and make it more difficult for researchers to examine the malware.
Researchers have noted that this type of malware also tends to have a small footprint, stealthy infections and a focus on reconnaissance, which helps threat actors keep pace as institutions improve their defenses: it allows them to install additional malware only on systems they are interested in and to differentiate final payloads based on user profiles.
In one instance, researchers observed email messages being sent with Russian subject lines that translated to “Suspicion of fraud,” purporting to be from “Interkassa.” The messages contained two URLs: one linked to a macro document that ultimately installed the More_eggs downloader, and the other linked directly to the CobInt stage 1 executable.
Researchers noted similar campaigns in different languages and purporting to be from other senders such as Alfa Bank and Single Euro Payments Area (SEPA).
CobInt is a downloader written in C that can be broken into three stages: an initial downloader that fetches the main component, the main component itself, and various additional modules.
The main component downloads and executes various modules from its command and control server, each of which has unique functionality based on the target.
These attacks ultimately help threat actors conserve their resources while attempting to hinder reverse engineering.