The cybercrime group known as Hidden Cobra continues to target cryptocurrency and financial organizations and has returned with a new campaign using the Bankshot malware implant.
The McAfee Advanced Threat Research team found the campaign surfacing in the Turkish financial system, targeting a major government-controlled financial organization. It next appeared in another Turkish government organization involved in finance and trade. A further three large financial institutions in Turkey were subsequent victims of the attack.
The organizations were targeted with spear phishing emails carrying malicious Microsoft Word documents. Each document contains an embedded Adobe Flash exploit for CVE-2018-4878, which gives the attacker arbitrary code execution when the document is opened; here it is used to install Bankshot, which is designed to persist on a victim's network for further exploitation. The approach suggests the attackers may be in an early data-gathering phase, with a plan for a future heist against the targets.
Bankshot is also a remote access tool that gives an attacker full control of a victim's system, and it includes functionality to wipe files and content from the targeted system to erase evidence or carry out other destructive actions.
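As an added example (not code from the McAfee research or from this article), the script below triages the delivery vector described above: a Word document in OOXML form (a zip archive) that carries an embedded SWF object or an ActiveX part instantiating the Flash control. It does not detect CVE-2018-4878 itself; the signal is that a financial-themed Word document has any reason to embed Flash at all. The fixtures are constructed and contain no exploit content, and the header-plausibility heuristic and the Flash CLSID lookup are my own choices about what a triage check should key on.

```python
import io
import struct
import zipfile

# SWF file signatures: FWS (uncompressed), CWS (zlib), ZWS (LZMA).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
# CLSID of the Shockwave Flash ActiveX control, as referenced from activeX*.xml parts.
FLASH_CLSID = b"d27cdb6e-ae6d-11cf-96b8-444553540000"


def swf_header_at(data: bytes, off: int) -> bool:
    """True if an 8-byte SWF header (magic, version, uncompressed length, LE) sits at
    off and its fields are plausible. This rejects the string 'FWS' appearing in text."""
    if data[off:off + 3] not in SWF_MAGIC or off + 8 > len(data):
        return False
    version = data[off + 3]
    length = struct.unpack_from("<I", data, off + 4)[0]
    # Heuristic (assumption): a small version byte and a declared length of at
    # least the header itself. An uncompressed SWF cannot declare more bytes than
    # remain in the stream; compressed ones declare the uncompressed size instead.
    if version == 0 or version > 60 or length < 8:
        return False
    if data[off:off + 3] == b"FWS" and length > len(data) - off:
        return False
    return True


def member_contains_swf(data: bytes) -> bool:
    """Scan a zip member for an SWF header at any offset (it is often wrapped in an OLE object)."""
    for magic in SWF_MAGIC:
        pos = data.find(magic)
        while pos != -1:
            if swf_header_at(data, pos):
                return True
            pos = data.find(magic, pos + 1)
    return False


def scan_ooxml(doc_bytes: bytes) -> dict:
    """Return {'swf': [members holding SWF data], 'flash_activex': [activeX parts naming Flash]}.
    OOXML (docx/xlsx/pptx) is a zip; embedded objects live under */embeddings/ and */activeX/."""
    findings = {"swf": [], "flash_activex": []}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            if member_contains_swf(data):
                findings["swf"].append(info.filename)
            if "/activex/" in info.filename.lower() and FLASH_CLSID in data.lower():
                findings["flash_activex"].append(info.filename)
    return findings


def build_docx(members: dict) -> bytes:
    """Build a minimal OOXML zip from {name: bytes}; constructed test fixture only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed fixtures (no real exploit): a benign document whose body text happens
# to contain the letters "FWS", and one carrying an OLE-wrapped fake SWF header plus
# an ActiveX part that instantiates the Flash control.
BENIGN_DOCX = build_docx({
    "word/document.xml": b"<w:document><w:t>Quarterly FWS report</w:t></w:document>",
})
FAKE_SWF = b"FWS" + bytes([10]) + struct.pack("<I", 64) + b"\x00" * 56  # 64 bytes, all padding
SUSPICIOUS_DOCX = build_docx({
    "word/document.xml": b"<w:document><w:t>Invoice attached</w:t></w:document>",
    "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 28 + FAKE_SWF,
    "word/activeX/activeX1.xml": b'<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"/>',
})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_DOCX), ("suspicious", SUSPICIOUS_DOCX)):
        print(label, scan_ooxml(blob))
```

Point `scan_ooxml` at attachments pulled from the mail gateway; anything it flags deserves a look regardless of which Flash bug the SWF targets, since a legitimate financial document has no reason to carry a Flash object.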
Hidden Cobra, which has ties to North Korea, has used Bankshot in the past to target finance and other industries. This variant has connections to a major Korean bank attack and can search for hosts related to the SWIFT network. Further, it was found in 2017 in documents supposedly from Latin American banks.
“Based on the code similarity, the victim’s business sector, and the presence of control server strings, this attack resembles previous attacks by Hidden Cobra conducted against the global financial network SWIFT,” researchers said in a blog. “These connections, combined with the implant’s nearly identical appearance to known variants, are a strong indication that we have uncovered a Hidden Cobra attack. Further, previous implants from 2017 contained bogus documents with financially themed content.”