Malware News Bad Actors Sizing Up Systems Via Lightweight Recon Malware

silversurfer

These stealthy downloaders initially infect systems and then only install additional malware on systems of interest.

Well-known financial crime gang Cobalt Group and other threat actors have recently shifted tactics to incorporate lightweight modular downloaders that “vet” target machines for their attractiveness before proceeding with a full-fledged attack.

The emergence of the AdvisorsBot and Marap malwares, as well as a zero-day attack by the PowerPool actors and Cobalt Group’s use of its custom CobInt code, indicate a new trend for financial adversaries.

“Threat actors — from newer players…to established actors like TA505 and Cobalt Group – are increasingly looking to stealthy downloaders to initially infect systems and then only install additional malware on systems of interest,” Proofpoint researchers explained in a blog on Tuesday, adding that the idea is to increase effectiveness and boost efficiency and ROI for the bad actors.
 
