A data-mining advanced persistent threat hit a handful of high profile targets last year, including the White House’s computer network.
Dubbed CozyDuke, the APT’s toolset shares several similarities with fellow APTs MiniDuke, CosmicDuke and OnionDuke.
Kurt Baumgartner and Costin Raiu, researchers at Kaspersky Lab, on Tuesday detailed the threat, used by attackers in last year’s breach of the White House along with the Department of State.
Reports first surfaced in October that authorities at the White House were investigating an internal breach, allegedly state-sponsored, in which “some elements of [its] unclassified network” was affected. Officials couldn’t say much about the attack at the time but did claim they had “identified activity of concern on the unclassified Executive Office of the President network.”
In November, shortly after the White House breach, officials at the State Department shut down the email system after an intrusion in portions of a system in charge of handling unclassified email. State became the fourth government agency to announce a breach that fall, following the White House, United States Postal Service and National Oceanic and Atmospheric Administration.
Kaspersky Lab’s report, published on Securelist, suggests CozyDuke figured into both the White house and State Department attacks and was also used in attacks against government and commercial entities in Germany, South Korea and Uzbekistan.
According to the researchers the APT, also known as CozyBear, CozyCar, and “Office Monkeys,” picked up steam during the second half of 2014, a timeline that coincides with the attacks on the U.S. government’s networks.
Like many APTs of late, CozyDuke kicks off with a common spear phishing email. Messages contain links to a hacked version of a legitimate site that’s been rigged to host a .zip file. In this case the .zip contains a RAR SFX that installs the malware and displays an empty PDF.
In another instance, attackers send a flash video as an email attachment. Once opened the attachment plays a flash video, “Office Monkeys LOL Video.zip,” which as the title suggests, features chimpanzees wearing ties. After, another CozyDuke .exe is dropped and executed.
“These videos are quickly passed around offices with delight while systems are infected in the background silently,” Raiu and Baumgartner write.
Researchers deduced that the actors behind CozyDuke are either also behind OnionDuke, or working together as both APTs share a similar module: show.dll, along with identical export function names.
CozyDuke components are signed with bogus Intel and AMD certificates based on the malware samples Kaspersky Lab gathered.
Once deployed, the malware allows attackers to drop additional modules onto victim’s machines while subsequently identifying any security products installed on the system and evading them.
Originally uncovered in 2013, MiniDuke was a sophisticated APT campaign that took advantage of an exploit in Adobe Reader and created backdoors in networks belonging to government entities and institutions across Ukraine, Belgium, Portugal, and other nations.
Researchers discovered the OnionDuke cyberespionage campaign, separate from MiniDuke, distributed via malicious Tor exit nodes last November.
Indications are that both MiniDuke and OnionDuke, along with CosmicDuke, a mashup of sorts of MiniDuke and Cosmu, are managed by Russian-speaking authors and researchers are theorizing that CozyDuke fits that mold as well.
“CozyDuke is definitely connected to these two campaigns, as well as to the OnionDuke cyberespionage operation,” Baumgartner, Principal Researcher at Kaspersky Lab’s Global Research and Analysis Team said Tuesday. “Every one of these threat actors continues to track their targets, and we believe their espionage tools are all created and managed by Russian-speakers.”