Cobalt Group Pushes Revamped ThreadKit Malware
(Dec 11, 2018)
The Advanced Persistent Threat (APT) group, "Cobalt Group," has been observed by researchers from Fidelis to have begun using a new version of the "ThreadKit" exploit kit. The group is distributing ThreadKit via a phishing campaign of theirs delivers a RTF Microsoft Office attachment that contains the exploit kit with the "CobInt" downloader delivered as the final payload. ThreadKit is observed to have slightly advanced its obfuscation techniques where it now places an "M" from the executable file into its own object, and has a XOR routine that is used to decode the initial CobInt payload. Despite the recent arrests of the suspected leaders of Cobalt Group, they are still highly active.
Recommendation: Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.