Description of Campaign
Cobalt Group is a financially motivated cybercrime gang active since at least 2016. The group carries out attacks against banks to access the banks' internal networks. Cobalt Group then takes over sensitive components, such as ATM-controlling servers or card-processing systems. Although Europol arrested the Cobalt Groups leader in 2018, the group remains active.

How to use this article:

1. If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign. 
2. Review the product detection table and confirm that your environment is at least on the specified content version.
   To download the latest content versions, go to the Security Updates page.
3. Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
4. Review KB91836 - Countermeasures for entry vector threats.
5. Review KB87843 - Dynamic Application Containment rules and best practices.
6. Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.

Campaign IOC:

IOC	Value
MD5	a26722fc7e5882b5a273239cddfe755f
MD5	7f0f3689b728d12a00ca258c688bf034
URL	hxxps://kassanova.kz/files/docs/T47188445.doc
URL	hxxp://www.myovs.de/openx/www/images/file.exe
URL	hxxp://185.61.149.186/rpc

 
Minimum Content Versions:

Content Type	Version
V2 DAT (VirusScan Enterprise)	9368
V3 DAT (Endpoint Security)	3827

 
 
Detection Summary:

IOC	Scanner	Detection
7f0f3689b728d12a00ca258c688bf034	AVEngine V2	W97M/Cobalt.kz
	AVEngine V3	W97M/Cobalt.kz
	JTI (ATP Rules)	309
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
a26722fc7e5882b5a273239cddfe755f	AVEngine V2	Trojan-Cobalt!
	AVEngine V3	Trojan-Cobalt!
	JTI (ATP Rules)	309
	RP Static	-
	RP Dynamic

 
 
Minimum set of Manual Rules to improve protection to block this campaign:
IMPORTANT: When you implement new rules or signatures, always first set them to Report mode before setting them to Block.
Mitigate against triggering false positives when enabling new rules and signatures by always following best practices.
For best practices for Endpoint Security Dynamic Application Containment rules, see: KB87843 - Dynamic Application Containment rules and best practices.
 
Endpoint Security - Exploit Prevention:
            Rule ID: 2844 Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability.
 
Endpoint Security - Advanced Threat Protection
            Rule ID: 2 Use Enterprise file reputation to identify trusted or malicious files.
 
Endpoint Security – Access Protection:  Virusscan Enterprise - Access Protection Rules:  
 
Aggressive set of Manual Rules to improve protection to block this campaign
IMPORTANT: When you implement new rules or signatures, always first set them to Report mode before setting them to Block.
Mitigate against triggering false positives when enabling new rules and signatures by always following best practices.
For best practices for Endpoint Security Dynamic Application Containment rules, see: KB87843 - Dynamic Application Containment rules and best practices.
 
Virusscan Enterprise – Access Protection Rules:
Endpoint Security – Access Protection: