The kaspersky-security[.]com domain name was registered on May 8, 2018, and resolved to 91.230.121[.]86.
Later, the link led to the file Complaint.scr, a CobInt downloader, which was an ordinary executable:
MD5 7b55c7ae346efb428aaf63d25ca0fcc7
size 278016 bytes
Compiled on May 18, 2018.
This program, classified as CobInt, is a backdoor developed by the Cobalt group itself. The modular tool can collect initial reconnaissance information about the compromised machine and stream video of its desktop. If the operator decides that the system is of interest, the backdoor downloads and launches a Cobalt Strike stager.
CobInt's C&C was foxsecit[.]com (185.86.79[.]156); the domain was registered on May 18, 2018, the same day the downloader was compiled.
It is worth noting that the domain names kaspersky-security[.]com and foxsecit[.]com were registered under the same registrant name as the previously registered ibm-notice[.]com, which the Cobalt group used in March. That domain, in turn, is associated with the domains spamhuas[.]com and hoteltoren[.]com.
The domains hoteltoren[.]com, dns-verifon[.]com and spam-huas[.]com, used by the Cobalt group to attack hotels and booking aggregators, confirm that Cobalt is diversifying and extending its activities beyond banks.
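The infrastructure pivot described above (new domains tied to known ones through a shared registrant record, then that domain tied to further domains) is the kind of expansion an analyst repeats by hand on every new campaign. The script below is an added example, not code from the report or from Group-IB: it refangs the bracketed IOC notation used in this text, indexes a handful of WHOIS-style records, and walks the "shares an attribute" graph breadth-first from a seed domain. The records are constructed for the example; the registrant and name-server values are placeholders, since the report does not publish them, so which records share them is an assumption of this example rather than data from the page.

```python
from collections import deque

# Constructed WHOIS-style records modelled on the domains named in the report.
# "registrant-*" and "ns*.example-ns[.]net" are placeholders (ASSUMPTION): the report
# only says that the first three domains share a registrant name and that
# ibm-notice[.]com is "associated with" the next two; the shared name server is invented
# here to show a second-hop pivot on a different attribute. The last record is noise.
SAMPLE_RECORDS = [
    {"domain": "kaspersky-security[.]com", "registrant": "registrant-a", "ns": "ns1.example-ns[.]net"},
    {"domain": "foxsecit[.]com",           "registrant": "registrant-a", "ns": "ns1.example-ns[.]net"},
    {"domain": "ibm-notice[.]com",         "registrant": "registrant-a", "ns": "ns2.example-ns[.]net"},
    {"domain": "spamhuas[.]com",           "registrant": "registrant-b", "ns": "ns2.example-ns[.]net"},
    {"domain": "hoteltoren[.]com",         "registrant": "registrant-b", "ns": "ns2.example-ns[.]net"},
    {"domain": "unrelated-shop[.]com",     "registrant": "registrant-c", "ns": "ns9.other[.]net"},
]

# Defanging conventions commonly used in reports: brackets around dots/colons, hxxp.
_DEFANG_PAIRS = [("[.]", "."), ("[:]", ":"), ("hxxps", "https"), ("hxxp", "http")]


def refang(ioc: str) -> str:
    """Turn a defanged indicator (e.g. 91.230.121[.]86) back into a usable value."""
    out = ioc.strip()
    for fanged, clean in _DEFANG_PAIRS:
        out = out.replace(fanged, clean)
    return out


def defang(ioc: str) -> str:
    """Inverse of refang, for writing indicators back into a report or ticket."""
    clean = refang(ioc)
    return clean.replace(".", "[.]").replace("https", "hxxps").replace("http", "hxxp")


def pivot(records, seed: str, attrs=("registrant",), max_hops: int = 1) -> dict:
    """Breadth-first expansion from `seed`.

    Two domains are linked when they share the value of any attribute in `attrs`.
    Returns {domain: hop} with the seed at hop 0; domains reachable only through
    more than `max_hops` links are not included. Missing/None attributes never link.
    """
    by_domain = {refang(r["domain"]): r for r in records}
    seed = refang(seed)
    if seed not in by_domain:
        raise KeyError(f"seed domain not in record set: {seed}")

    # Inverted index: (attribute, value) -> set of domains carrying it.
    index: dict = {}
    for domain, rec in by_domain.items():
        for attr in attrs:
            value = rec.get(attr)
            if value is not None:
                index.setdefault((attr, refang(str(value))), set()).add(domain)

    found = {seed: 0}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        hop = found[current]
        if hop >= max_hops:
            continue
        rec = by_domain[current]
        for attr in attrs:
            value = rec.get(attr)
            if value is None:
                continue
            for neighbour in index.get((attr, refang(str(value))), ()):
                if neighbour not in found:
                    found[neighbour] = hop + 1
                    queue.append(neighbour)
    return found


def shared_attributes(records, a: str, b: str, attrs=("registrant", "ns")) -> list:
    """List which attributes two domains have in common, i.e. the evidence for a link."""
    by_domain = {refang(r["domain"]): r for r in records}
    ra, rb = by_domain[refang(a)], by_domain[refang(b)]
    return [attr for attr in attrs
            if ra.get(attr) is not None and ra.get(attr) == rb.get(attr)]


if __name__ == "__main__":
    hits = pivot(SAMPLE_RECORDS, "kaspersky-security[.]com", attrs=("registrant", "ns"), max_hops=2)
    for domain, hop in sorted(hits.items(), key=lambda kv: kv[1]):
        print(f"hop {hop}: {defang(domain)}")
```

The one-hop, registrant-only call reproduces the link stated in the report; widening `attrs` and `max_hops` reproduces the second-hop association but also illustrates the caveat: every extra attribute (shared name server, shared registrar, shared hosting /24) is weaker evidence than a shared registrant, so `shared_attributes` should be consulted for each hop-2 domain before it is treated as attacker infrastructure rather than as a co-tenant of a popular provider.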
Considering that the latest attacks by the Anunak/Carbanak group also targeted a number of hotels in order to obtain card data, a connection between these two groups is probable. This overlap is not by itself the main reason to link the groups, but it further supports our hypothesis of their joint operation in 2017.
In our new report on Cobalt's activities, we describe the relationship between these two criminal groups and examine their joint attack on banks in detail.