"Despite the arrest of the operator of the criminal group, Cobalt’s most recent targeted attack activity was monitored by Group-IB on May 23 and 28, 2018. These attacks mainly focused on banks in Russia and CIS countries, however, based on the content of the spear phishing email, it is likely that western financial organizations were also targeted," the Group-IB said in a press release.
Group-IB experts indicated that the hackers' attacks were becoming increasingly inventive and sophisticated.
"For example, in the May 23 attack, the text in English is stylized as a 'legal complaint', the fake website kaspersky-corporate.com also has a high level of quality, which is not typical of Cobalt," the group indicated.
Thus, the email allegedly set on behalf of Kaspersky Lab informed a user in English that the activity on their computer violated the law and offered them to download a complaint letter attached to the email, which contained a computer virus.
In the second attack, which took place on May 28, Cobalt sent emails with an attached virus-infected document describing financial risks to financial institutions on behalf of the European Central Bank.
The Cobalt hacker group became known for its attacks on a number of banks in the CIS counties and Eastern Europe in 2016. The group always uses phishing emails in its fraud schemes, which enable it to gain access to banks' internal networks, in particular, to ATMs management system. In February, Deputy Governor of the Russian Central Bank Dmitry Skobelkin announced that the group has carried out 11 successful attacks on the Russian banks in 2017.
The hacker group's leader was arrested in March in Spain, but the attacks nevertheless continued.