An advanced persistent threat (APT) campaign, codenamed CozyDuke, targeting US government departments with malicious ‘funny monkey’ videos has been uncovered by researchers at Kaspersky Lab.
Kaspersky GReAT (Global Research and Analysis Team) members Kurt Baumgartner and Costin Raiu reported uncovering the CozyDuke campaign in a threat advisory, warning that the attacks have already hit the White House and US Department of State.
Vicente Diaz, principal security researcher at Kaspersky Lab, told V3 the campaign uses a common spear phishing technique to infect victims.
“The actor often spear phishes targets. In highly successful runs, this actor sends out phony flash videos directly as email attachments. A clever example is Office Monkeys LOL Video.zip,” he said.
“These videos are quickly passed around offices while systems are infected in the background silently. Many of this APT’s components are signed with phony Intel and AMD digital certificates.”
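The lure Diaz describes is a zip attachment whose "video" is really an executable, often carrying a media name with an executable extension behind it. The following is an added example, not code from the article or from Kaspersky, of the attachment triage a mail gateway or analyst script can run on such an archive: it flags executable extensions, media-name double extensions like `.flv.exe`, and members that start with the PE `MZ` header despite a non-executable name. The sample zip, its member names and their contents are constructed here for the demonstration.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Extensions Windows executes directly; a "video" that ends in one is a lure, not a clip.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs"}
# Extensions a "funny video" lure typically claims to be.
MEDIA_EXTS = {".flv", ".swf", ".avi", ".mp4", ".wmv", ".mov"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


@dataclass
class Finding:
    member: str
    reasons: list = field(default_factory=list)


def _extensions(member_name):
    """Return every extension of the member's base name, lowercased, e.g. ['.flv', '.exe']."""
    base = member_name.rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def triage_zip(data):
    """Inspect an in-memory zip attachment and return one Finding per suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            last = exts[-1] if exts else ""
            reasons = []
            if last in EXECUTABLE_EXTS:
                reasons.append("executable extension " + last)
            if len(exts) >= 2 and exts[-2] in MEDIA_EXTS and last in EXECUTABLE_EXTS:
                reasons.append("media name with executable double extension")
            # Read only the header: enough to recognise a PE regardless of its name.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC and last not in EXECUTABLE_EXTS:
                reasons.append("PE header (MZ) under non-executable name")
            if reasons:
                findings.append(Finding(info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed sample attachment (not a real CozyDuke artefact): a lure named like the
    one in the article, a PE disguised as an .avi, and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Office Monkeys LOL Video.flv.exe", PE_MAGIC + b"\x90" * 62)
        zf.writestr("clip.avi", PE_MAGIC + b"\x00" * 62)
        zf.writestr("readme.txt", b"enjoy the video")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding.member, "->", "; ".join(finding.reasons))
```

The magic-byte check matters more than the extension checks: a renamed executable keeps its `MZ` header, and Windows Explorer hides the final extension by default, so the user sees only "Office Monkeys LOL Video.flv".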
Once inside, the attackers reportedly move laterally through the network infecting it with data-stealing malware.
“[The malware] is basically a backdoor and dropper. [A backdoor is a] malicious program that gives attackers access to the infected machines. It allows them to ‘open the door’ without disturbing the owner of the house,” Diaz explained.
“[A dropper] is a program which allows attackers to drop any other additional modules (additional functions) to the infected machine, for example give a command to infiltrate all PDF files or record everything happening on the screen.
“It sends info of the target to the command and control server and retrieves configuration files and additional modules implementing any extra functionality needed by the attackers.”
The researchers said that the attacks are particularly dangerous as they can dodge several security providers’ products, including those from Crystal, Kaspersky, Sophos, Dr Web, Avira and Comodo.
The campaign also contains similar features to the past MiniDuke, CosmicDuke and OnionDuke APTs.
“One of the second-stage modules of CozyDuke/Cozy Bear, Show.dll, is particularly interesting because it appears to have been built onto the same platform as OnionDuke,” read the advisory.
“Both have exactly the same export tables and appear to be called internally ‘UserCache.dll’. This seems to indicate that the authors of OnionDuke and CozyDuke/Cozy Bear are the same, or working together.
“Another interesting comparison of two other files matches a recent second-stage tool from the CozyDuke attacks with a second-stage component from other MiniDuke/OnionDuke attacks.
“The two share identical export function names in their export directories, and the naming appears to be randomly assigned at compile time.”
MiniDuke is a notorious piece of malware, uncovered in 2013 after it had infiltrated networks in over 20 countries.
CosmicDuke is a follow-up campaign, uncovered in early 2014, that combines MiniDuke with the older Cosmu malware.
OnionDuke is a dangerous campaign uncovered later in 2014 that used the Tor network to target multiple central European government agencies.
The Kaspersky researchers added that the attacks also share some features with the APT 28 attack campaign.
“Their custom backdoor components appear to slightly evolve over time, with modifications to anti-detection, cryptography and trojan functionality changing per operation,” read the paper.
“This rapid development and deployment reminds us of the APT 28/Sofacy toolset, especially the coreshell and chopstick components.”
APT 28 is an ongoing attack campaign believed to be state-sponsored. FireEye researchers recently reported uncovering evidence that the group was mounting a fresh campaign using Adobe and Windows zero-day vulnerabilities to infect systems.