"Dukes" increase their number, use Intel and AMD fake certs

Apr 22, 2015 09:33 GMT  ·  By

Last year’s cyber-attacks against the US State Department and the White House are believed to have been carried out using an advanced persistent threat (APT) campaign dubbed CozyDuke, which shows similarities with MiniDuke, an APT family associated with hackers from Russia.

Also known as CozyBear and CozyCar, the APT is used against high-profile targets in spear phishing attacks that lure the victim to compromised websites hosting malicious payloads, security researchers at Kaspersky say.

In some cases, the hacked website is a legitimate one, which only increases the victim’s trust in the safety of the received file.

Fake certificates from Intel, AMD, used to sign malicious code

One example of a successful attack provided by the researchers is hiding CozyDuke in funny Flash videos (e.g. “Office Monkeys LOL Video.zip”) delivered as email attachments. When the clip is launched, the video starts playing, but the file also drops and executes malicious code in the background.

“These videos are quickly passed around offices with delight while systems are infected in the background silently,” Kaspersky says in a blog post on Tuesday.

To evade detection, CozyDuke operators employ bogus digital certificates from Intel and AMD to sign the malicious components.
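The defensive counterpart to this technique is to treat the signer name on a certificate as a claim, not as proof: what matters is whether the Authenticode signature validates against a trusted root. The following PowerShell script is an added example, not code from the article or from Kaspersky; it walks a directory, reads each executable's signature with `Get-AuthenticodeSignature`, and flags files whose certificate subject names a hardware vendor while the signature itself does not validate. The scan root and the vendor patterns are assumptions chosen for illustration.

```powershell
# Added example (not from the article or Kaspersky): find executables whose
# signer claims to be Intel or AMD but whose Authenticode signature is not
# valid. Scan root and vendor patterns are illustrative assumptions.
$ScanRoot       = "$env:USERPROFILE\Downloads"
$ClaimedVendors = @('Intel', 'Advanced Micro Devices', 'AMD')

function Test-SuspiciousSigner {
    param([Parameter(Mandatory)][string]$Path)

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $cert    = $sig.SignerCertificate
    $subject = if ($cert) { $cert.Subject } else { '' }

    # A vendor name in the subject proves nothing by itself; only a chain that
    # validates to a trusted root (Status 'Valid') does. A self-signed or
    # otherwise bogus certificate typically shows up as 'UnknownError'.
    $claimsVendor = $false
    foreach ($vendor in $ClaimedVendors) {
        if ($subject -like "*$vendor*") { $claimsVendor = $true }
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Message    = $sig.StatusMessage
        Subject    = $subject
        Issuer     = if ($cert) { $cert.Issuer } else { '' }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
        Suspicious = ($claimsVendor -and $sig.Status -ne 'Valid')
    }
}

# Report only the files that claim a vendor identity without a valid chain.
Get-ChildItem -Path $ScanRoot -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SuspiciousSigner -Path $_.FullName } |
    Where-Object { $_.Suspicious } |
    Format-Table Path, Status, Message, Subject, Issuer -AutoSize
```

The filter deliberately keys on the mismatch between the claimed identity and the chain status rather than on the vendor name alone, so legitimately signed Intel or AMD drivers pass while a file carrying a look-alike certificate that terminates in an untrusted root is reported along with its thumbprint for further triage.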

As part of its anti-AV routines, the malware also checks the infected system for security products from vendors such as Sophos, Kaspersky, Dr. Web, Avira, cloud-based Crystal Security and Comodo.

Another module, “atiumdag.dll,” relies on a different list with antivirus solutions to avoid, which includes some of the previously mentioned products, as well as solutions from AVG and K7.

MiniDuke, OnionDuke, CozyDuke, all appear to be connected

According to Kaspersky, there is strong evidence suggesting that CozyDuke has been created on the same platform as OnionDuke, which traces to MiniDuke, used in targeted attacks against NATO and European government agencies.

The researchers compared one of CozyDuke’s second-stage attack modules (the “Cache.dll” backdoor) with a sample of OnionDuke and noticed that they shared both the export tables and the internal file name (“UserCache.dll”).

Additional evidence supporting this theory is that a MiniDuke module also used in second-stage attacks in the past had been given the internal name “UserCache.dll,” too, and had the same size as the “Cache.dll” backdoor.
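The comparison the researchers describe, export table plus internal name plus file size, can be reproduced on any two samples without a disassembler. The following PowerShell script is an added example, not code from the article or from Kaspersky: it parses the PE headers by hand following the PE/COFF layout, reads the DLL name and the exported function names from the export directory, reads the version-resource OriginalFilename through .NET's `FileVersionInfo`, and reports which of those attributes two files share. The sample paths are placeholders; the parser handles both PE32 and PE32+ images.

```powershell
# Added example, not code from the article or from Kaspersky: read the internal
# name, size and export names of two PE samples and report what they share.
# Sample paths below are placeholders; offsets follow the PE/COFF specification.

function Convert-RvaToOffset {
    param([object[]]$Sections, [uint32]$Rva)
    foreach ($s in $Sections) {
        $span = [Math]::Max($s.VirtualSize, $s.SizeOfRawData)
        if ($Rva -ge $s.VirtualAddress -and $Rva -lt ($s.VirtualAddress + $span)) {
            return [int]($Rva - $s.VirtualAddress + $s.RawPointer)
        }
    }
    throw ("RVA 0x{0:X} is not inside any section" -f $Rva)
}

function Get-PeSummary {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $info  = [pscustomobject]@{
        Path             = $Path
        Size             = $bytes.Length
        OriginalFilename = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path).OriginalFilename
        ExportDirName    = $null      # DLL name stored in the export directory
        Exports          = @()
    }
    # DOS header -> PE signature -> COFF header -> optional header.
    if ($bytes.Length -lt 64 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $info }
    $pe = [BitConverter]::ToInt32($bytes, 0x3C)
    if ([BitConverter]::ToUInt32($bytes, $pe) -ne 0x00004550) { return $info }   # "PE\0\0"
    $coff        = $pe + 4
    $numSections = [BitConverter]::ToUInt16($bytes, $coff + 2)
    $optSize     = [BitConverter]::ToUInt16($bytes, $coff + 16)
    $opt         = $coff + 20
    $magic       = [BitConverter]::ToUInt16($bytes, $opt)
    # Data directory 0 (export table) sits at +96 for PE32 and +112 for PE32+.
    $dirOff    = if ($magic -eq 0x20B) { $opt + 112 } else { $opt + 96 }
    $exportRva = [BitConverter]::ToUInt32($bytes, $dirOff)
    if ($exportRva -eq 0) { return $info }

    # Section table (40-byte entries) is needed to translate RVAs to file offsets.
    $sections = for ($i = 0; $i -lt $numSections; $i++) {
        $s = $opt + $optSize + $i * 40
        [pscustomobject]@{
            VirtualSize    = [BitConverter]::ToUInt32($bytes, $s + 8)
            VirtualAddress = [BitConverter]::ToUInt32($bytes, $s + 12)
            SizeOfRawData  = [BitConverter]::ToUInt32($bytes, $s + 16)
            RawPointer     = [BitConverter]::ToUInt32($bytes, $s + 20)
        }
    }
    # Reads a NUL-terminated ASCII string at a file offset.
    $readCString = {
        param([int]$Offset)
        $end = $Offset
        while ($bytes[$end] -ne 0) { $end++ }
        [System.Text.Encoding]::ASCII.GetString($bytes, $Offset, $end - $Offset)
    }
    # IMAGE_EXPORT_DIRECTORY: Name RVA at +12, NumberOfNames at +24, AddressOfNames at +32.
    $exp = Convert-RvaToOffset $sections $exportRva
    $info.ExportDirName = & $readCString (Convert-RvaToOffset $sections ([BitConverter]::ToUInt32($bytes, $exp + 12)))
    $numNames = [BitConverter]::ToUInt32($bytes, $exp + 24)
    $namesOff = Convert-RvaToOffset $sections ([BitConverter]::ToUInt32($bytes, $exp + 32))
    $info.Exports = @(for ($i = 0; $i -lt $numNames; $i++) {
        $nameRva = [BitConverter]::ToUInt32($bytes, $namesOff + 4 * $i)
        & $readCString (Convert-RvaToOffset $sections $nameRva)
    })
    return $info
}

function Compare-PeSamples {
    param([string]$PathA, [string]$PathB)
    $a = Get-PeSummary $PathA
    $b = Get-PeSummary $PathB
    $shared = @($a.Exports | Where-Object { $b.Exports -contains $_ })
    [pscustomobject]@{
        SameSize             = ($a.Size -eq $b.Size)
        SameExportDirName    = ($a.ExportDirName -eq $b.ExportDirName)
        SameOriginalFilename = ($a.OriginalFilename -eq $b.OriginalFilename)
        ExportsA             = $a.Exports.Count
        ExportsB             = $b.Exports.Count
        SharedExports        = $shared
        IdenticalExportTable = ($shared.Count -eq $a.Exports.Count -and $a.Exports.Count -eq $b.Exports.Count)
    }
}

# Placeholder paths: replace with the two samples under comparison.
Compare-PeSamples -PathA 'C:\samples\Cache.dll' -PathB 'C:\samples\OnionDuke.dll' | Format-List
```

Both the export-directory name and the version-resource OriginalFilename are reported because either may be what a report calls the "internal file name"; a match on one of them, combined with an identical export table and equal size, is the kind of evidence the researchers cite, whereas a shared export table alone is weak, since many unrelated DLLs export the same handful of entry points.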

A conclusion that can be drawn from this is that the operators of the two APTs are either the same or they work together.

Kaspersky says that CozyDuke’s backdoor components appear to be adapted for each operation, changing anti-detection, cryptography and Trojan functionality.

Photo gallery (2 images): “CozyDuke module is very similar to OnionDuke”; “Fake certificates from Intel and AMD used to sign malicious code”.