When the security industry characterizes the e-crime threat landscape, there is a temptation to focus on the everyday scams and the high-volume side of criminal activity. These criminals are not particular about targets as long as there are financial rewards at the end. Obvious examples of these types of scams are the widely distributed malware aimed at stealing bank account credentials and the ransomware disseminated through large-scale spam phishing campaigns.
These criminals can earn a decent income over time netting smaller “financial fish” through opportunistic scams. However, some cybercriminals are setting their aims higher and focusing on much larger fish. Secureworks® Counter Threat Unit™ (CTU) researchers have observed a growing threat from sophisticated threat actors who pursue high-value targets such as banks and financial services companies and have the capability to exploit and monetize access to payment and other financial systems. CTU™ researchers call one of these threat groups GOLD KINGSWOOD.
GOLD KINGSWOOD: An advanced persistent cybercrime group
GOLD KINGSWOOD (also known as the Cobalt Gang) is a capable, sophisticated, and financially motivated criminal threat group that has successfully compromised financial organizations since at least 2016. The group uses targeted network intrusion tactics to locate, access, and abuse systems that can be monetized. As of March 2018, the threat actors had reportedly stolen approximately $1.2 billion USD through their global operations. Unlike most criminally motivated e-crime actors observed by CTU researchers, GOLD KINGSWOOD’s tactics, techniques, and procedures (TTPs) are similar to attributes of traditional government-sponsored or espionage-driven threat actors. For example, in operations against the First Commercial Bank (FCB) of Taiwan, GOLD KINGSWOOD used custom malware that leveraged CSCWCNG.dll, which is specific to the ATM hardware used at FCB. After receiving confirmation of the ATM locations where money mules were waiting, the threat actors executed commands to dispense money from the machines. This incident demonstrated GOLD KINGSWOOD’s vast technical and human resources.
GOLD KINGSWOOD serves up a SpicyOmelette
Figure 1. SpicyOmelette infection chain. (Source: Secureworks)
Once installed, SpicyOmelette provides an ideal foothold onto a targeted system for GOLD KINGSWOOD. It enables the threat actors to perform various actions:
- profile the infected system for information (e.g., running software, system name, IP address)
- install additional malware onto the system
- check for the presence of 29 different antivirus tools
The access provided by SpicyOmelette and other post-compromise tools regularly used by GOLD KINGSWOOD helps the threat actors escalate privileges on a system by stealing account credentials, survey and evaluate the compromised environment, identify desirable systems (e.g., payment systems, payment gateways, ATM systems), and deploy malware specifically designed to target those systems.
The ‘advanced’ nature of GOLD KINGSWOOD intrusions stems from the care and focus that the threat actors exhibit, specifically finding and accessing systems of interest. Arrests of suspected GOLD KINGSWOOD operators in March 2018 did not deter the threat group’s campaigns, likely due to its vast network of resources. CTU researchers expect GOLD KINGSWOOD’s operations and toolset to continue to evolve, and financial organizations of all sizes and geographies could be exposed to threats from this group. The threat group’s detailed understanding of financial systems and history of successful campaigns make it a formidable threat.