Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant
This post was prepared with contributions from Asheer Malhotra, Charles Crawford, and Jessica Saavedra-Morales.
On February 28, the McAfee Advanced Threat Research team discovered that the cybercrime group Hidden Cobra continues to target cryptocurrency and financial organizations. In this analysis, we observed the return of Hidden Cobra’s Bankshot malware implant surfacing in the Turkish financial system. Based on the code similarity, the victim’s business sector, and the presence of control server strings, this attack resembles previous attacks by Hidden Cobra conducted against the global financial network SWIFT.
In this new, aggressive campaign we see a return of the Bankshot implant, which last appeared in 2017. Bankshot is designed to persist on a victim’s network for further exploitation; thus the Advanced Threat Research team believes this operation is intended to gain access to specific financial organizations.
Based on our analysis, financial organizations in Turkey were targeted via spear phishing emails containing a malicious Microsoft …
IoC (SHA-1 hashes of the Bankshot samples)
166e8c643a4db0df6ffd6e3ab536b3de9edc9fb7
343ebca579bb888eb8ccb811f9b52280c72e484c
650b7d25f4ed87490f8467eb48e0443fb244a8c4
65e7d2338735ec04fd9692d020298e5a7953fd8d
843c17b06a3aee22447f021307909890b68828b9
a2e966edee45b30bb6bb5c978e55833eec169098
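To make the indicators above directly usable, here is an added example (not code from the McAfee post or the Advanced Threat Research team) that normalizes a raw IoC list, computes SHA-1 digests of files the way a responder would when sweeping a host or a mail quarantine directory, and reports any file whose digest matches a Bankshot sample. The directory path in the usage call at the bottom is hypothetical; the digests are copied from the list above.

```python
"""Sweep a directory tree for files matching the Bankshot SHA-1 indicators.

Added example; not part of the original McAfee post.
"""
import hashlib
import os
from typing import Iterable, List, Set, Tuple

# SHA-1 indicators copied from the IoC list in this post.
BANKSHOT_SHA1: Set[str] = {
    "166e8c643a4db0df6ffd6e3ab536b3de9edc9fb7",
    "343ebca579bb888eb8ccb811f9b52280c72e484c",
    "650b7d25f4ed87490f8467eb48e0443fb244a8c4",
    "65e7d2338735ec04fd9692d020298e5a7953fd8d",
    "843c17b06a3aee22447f021307909890b68828b9",
    "a2e966edee45b30bb6bb5c978e55833eec169098",
}

HEX_DIGITS = set("0123456789abcdef")


def normalize_iocs(raw: Iterable[str]) -> Set[str]:
    """Lower-case and de-duplicate a pasted hash list.

    Blank lines are skipped; anything that is not a 40-character hex
    string is rejected so a truncated or mis-pasted hash cannot silently
    become an indicator that never matches.
    """
    out: Set[str] = set()
    for line in raw:
        h = line.strip().lower()
        if not h:
            continue
        if len(h) != 40 or any(c not in HEX_DIGITS for c in h):
            raise ValueError(f"not a SHA-1 hex digest: {h!r}")
        out.add(h)
    return out


def sha1_bytes(data: bytes) -> str:
    """SHA-1 hex digest of an in-memory blob (used for samples already read)."""
    return hashlib.sha1(data).hexdigest()


def sha1_file(path: str, chunk: int = 1 << 20) -> str:
    """SHA-1 hex digest of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str, iocs: Set[str]) -> List[Tuple[str, str]]:
    """Return (path, digest) for every regular file under root whose SHA-1 is an indicator.

    Unreadable files (permissions, races with AV quarantining) are skipped
    rather than aborting the sweep.
    """
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, digest))
    return hits


if __name__ == "__main__":
    # Hypothetical sweep target; replace with the quarantine or user
    # profile directory under investigation.
    for path, digest in scan_tree(r"C:\quarantine", BANKSHOT_SHA1):
        print(f"MATCH {digest} {path}")
```

Hash matching of this kind only catches the exact samples McAfee recovered; a recompiled Bankshot build will have a different digest, so treat a hit as confirmation and a miss as no evidence either way, and pair the sweep with checks for the control server strings the post refers to.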