Upon further review, last year’s attacks against the U.S. State Department and the White House seem to have come from an advanced persistent threat (APT) campaign dubbed CozyDuke, researchers said.
Also known as CozyBear and CozyCar, the APT goes for high-profile targets in spear phishing attacks that lure the victim to compromised websites hosting malicious payloads, said researchers at Kaspersky Lab. CozyDuke has similarities with MiniDuke, an APT family associated with attackers from Russia, they said.
In some cases, the hacked website is a legitimate one, which only increases the victim’s trust in the safety of the received file.
One example of a successful attack provided by the researchers is hiding CozyDuke in funny Flash videos delivered in email attachments. When the clip launches, the video starts playing, but it also drops and executes malicious code in the background.
“These videos are quickly passed around offices with delight while systems are infected in the background silently,” researchers Costin Raiu and Kurt Baumgartner said in a blog post.
To evade detection, CozyDuke operators employ bogus digital certificates from Intel and AMD to sign the malicious components.
The infected systems also end up scanned for the presence of security products from vendors such as Sophos, Kaspersky, Dr. Web, Avira, cloud-based Crystal Security and Comodo, as part of its anti-AV routines.
Another module, “atiumdag.dll,” relies on a different list with antivirus solutions to avoid, which includes some of the previously mentioned products, as well as solutions from AVG and K7.
There is evidence suggesting CozyDuke ended up built on the same platform as OnionDuke, which goes back to MiniDuke, used in targeted attacks against NATO and European government agencies, Kaspersky researchers said.
The researchers compared one of CozyDuke’s second stage attack modules (“Cache.dll” backdoor) with a sample of OnionDuke and noticed they shared the export tables and the internal file name (“UserCache.dll”).
Additional evidence supporting this theory is a MiniDuke module also used in second stage attacks in the past had the internal name “UserCache.dll,” too, and had the same size as “Cache.dll” backdoor.
A conclusion could be the operators of the two APTs are either the same or they work together.
Kaspersky said CozyDuke’s backdoor components appear custom built for each operation, changing anti-detection, cryptography and Trojan functionality.