Cobalt Gang (also known as Cobalt Group or Cobalt Spider) is a financially motivated threat group that has largely targeted financial institutions. According to MITRE and other security organizations, the group has primarily targeted banks in Eastern Europe, Central Asia, and Southeast Asia. The activity discussed in this analysis relates to the CobInt/COOLPANTS malware, which has been attributed as a tool utilized by Cobalt Gang.



While performing research, I came across an interesting document titled “PFD-19-010.doc” being hosted on the URL This document purported to be from the Visa, and contained material meant to invoke a concern-driven action by the recipient, such as “Payment Fraud Disruption”. The document prompted the recipient to enable Editing/Content to view the “protected” document.


Shown above: Visa themed lure used by Cobalt Gang


By enabling Editing/Content, the password-protected macro is able to run - this will drop the file “error_log.vbe” in the user’s local temp directory and execute the script via WScript.exe. While I wasn’t able to decode the script itself, upon execution it would manipulate Windows Certificates by writing a blob to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\. Using the CertUtil utility I was able to decode this blob to readable text, which presented the below information.


================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Serial Number: 44afb080d6a327ba893039862ef8406b
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
 NotBefore: 9/30/2000 5:12 PM
 NotAfter: 9/30/2021 10:01 AM
Subject: CN=DST Root CA X3, O=Digital Signature Trust Co.
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): da c9 02 4f 54 d8 f6 df 94 93 5f b1 73 26 38 ca 6a d7 7c 13
----------------  End Nesting Level 1  ----------------
No key provider information
Cannot find the certificate and private key for decryption.


I am unsure of the significance of this certificate at this time, as it is not utilized by any infrastructure I’ve identified up to this point. Following this, the script would download a payload from the URL “”, store it in the user’s local temp directory, rename it as “Colors.exe”, and execute it. Interestingly this binary was compiled on October 13th 2019 at 17:14:27 and purports to be signed by Symantec Corporation, however it fails verification.


Shown above: Certificate information of payload purporting to be signed by Symantec


Following execution of “Colors.exe”, Command & Control would then be initiated to over TCP/443. After initial C2 is established, the data returned is stored in a text file titled “zvdpoaqrvytayoaygk[1].txt” in the following location: C:\Users[USERNAME]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\zvdpoaqrvytayoaygk[1].txt. This file, while at first appearing to be a benign HTML file based on various HTML tags, in fact contains commands sent by the Command & Control server.


Shown above: Contents of zvdpoaqrvytayoaygk[1].txt


At this point in my investigation, I was confident that the payload I was analyzing was CobInt/COOLPANTS (or similar variant) malware used by Cobalt Gang. According to an article released by ProofPoint in September 2018, the text file contains encrypted command data - such as commands to load/execute a module, stop polling the C2, execute a function set by a module, or update the C2 polling wait time. To decrypt this data, ProofPoint states that you would need to:

  1. Remove HTML tags
  2. Convert all text to lowercase
  3. Remove all characters that are not “a-z”
  4. Convert the characters into binary data via an unknown decoding algorithm
  5. XOR decrypt the binary data with the embedded 64-byte XOR key used in C&C host decryption
  6. Perform a second round of XOR decryption using the following key:
    • XOR key length is indicated by the last byte of data
    • XOR key is the last “X” bytes of data (excluding length byte), where “X” is the length of the key


They also provided a Python script to automate this process, which can be found here on GitHub.


I was unable to identify any subsequent commands or modules being loaded throughout my analysis of the payload. With that in mind, I decided to try and identify additional infrastructure being utilized by Cobalt Gang for this campaign, which is where I started to go down a rabbit hole…


Shown above: VirusTotal Graph of investigation


Performing a search on PassiveTotal for the first domain I observed ( revealed 34 additional subdomains. Initial research into these subdomains made them appear as if they were business pages in various fields such as law, media, outdoors, and psychology - all of which were located in Trujillo Peru. An additional point of interest is that “” is very similar to the legitimate “” domain, which belongs to the German based company “INIT Group”.


Shown below: Subdomains for INTI.CO.UK


Reverse DNS searches into the IP address hosting ( revealed that there were actually “.com” versions of these domains as well - such as or Reviewing these domains returned some interesting findings - such as some of them having the same favicon, lorem ipsum text, fake reviews, the same addresses, and more. These domains also contained text indicating they were developed by a Peruvian media company “Screen Media Studio”. Research into this media company returns a YouTube channel, a website (, Facebook page, and more, and appeared to be legitimate as a result.


At this point in my investigation, I was starting to think that these domains were unrelated to the infrastructure I was researching. I then performed a final search on PassiveTotal to see what SSL certificates used and found four “LetsEncrypt” certificates that were recently used by all the aforementioned domains INCLUDING At this point in time, I have not seen any subdomain besides “” serve malicious artifacts for this campaign, and therefore cannot confirm that the other listed domains are related to or being used by this campaign, but I find the aforementioned similarities highly anomalous, including that all of the subdomains and seemingly “legitimate” domains share the same LetsEncrypt certificates as a domain serving CobInt/COOLPANTS malware.


Serial Number Issued Expires
220b91fa140101dde6fe1d9102fb19c922458a42 2019-09-27 2019-12-26
b6e1290d270c0bd0573f73d8c022efc176fa9d4a 2019-09-27 2019-12-26
47062ed4b342879f5e6a53cd3826be942a8f0f1d 2019-09-01 2019-11-30
83cd57a38ca395623a4d7481e0305f8f6b645aee 2019-09-01 2019-11-30

Shown above: LetsEncrypt Certificates used by recently


I then performed a search on PassiveTotal for the initial C2 domain ( and found that it shared an IP address with two other domains - and While I haven’t found evidence indicating is related to this campaign, records reveal that utilizes a LetsEncrypt certificate that contains a SANs (Subject Alternative Name) of “” - therefore, I believe to be an additional C2 domain utilized in this campaign.


At this time, I was unable to obtain evidence of target attribution - however they have primarily targeted financial institutions in Eastern Europe, Central Asia, and Southeast Asia per MITRE’s research. It is also interesting to see how investigating small “threads” of evidence can lead to going down many rabbit holes - possibly unraveling the “ball of yarn” that is an attacker’s infrastructure.



Indicator Type Description URL URL serving PFD-19-010.doc
8e8e7b25a0df0dfed26d726cb1c01567 MD5 PFD-19-010.doc - Visa themed .Doc lure containing embedded macro leading to download of CobInt/COOLPANTS malware URL URL serving CobInt/COOLPANTS malware
6ef835a8ac1cc70d4b478c7c45efa5db MD5 Colors.exe - CobInt/COOLPANTS malware hash Domain CobInt/COOLPANTS Command & Control server Domain CobInt/COOLPANTS Command & Control server


References/Further Reading