Cyberattacks aimed at a specific organisation or person are called "targeted": their goal is to reach that target's private data, spy on it, or undermine its operations. Targeted attacks are typically carried out by Advanced Persistent Threats (APTs), well-resourced groups of attackers that combine a variety of techniques and are able to remain undetected on their victims' systems for long periods of time.
CozyDuke, whose toolset and operators are also tracked under the names CozyBear, CozyCar and "Office Monkeys", is one such APT. Its activity was first documented in the second half of 2014, when it attacked a number of targets. The group hunts for sensitive information held in the networks of government bodies and private companies in several countries. The US State Department and the White House were two of CozyDuke's reported victims in 2014.
In this article, we'll examine CozyDuke's characteristics, how it compromises systems, the kinds of attacks it carries out, real-world incidents attributed to it, how it can be detected and prevented, and its potential impact on organisations.
CozyDuke is an APT group that conducts targeted attacks using a variety of malware. Its origin is not publicly confirmed, but it is believed to be related to other "Duke" toolsets such as MiniDuke and CosmicDuke. CozyDuke's primary attributes are the following:
- It employs SFX files (self-extracting archives) that contain a video file with a humorous clip and a malicious executable. Victims receive these files by email or download them from websites. The video is a decoy: it plays as expected while the malicious executable runs alongside it, so the user has no reason to suspect that anything else was launched.
- It employs a modular design that lets it load different components for different tasks: for instance, a module that steals credentials, one that encrypts traffic, or one that evades detection.
- It tailors its commands and configuration to the victim's particular network. This lets it adapt to different environments and avoid matching generic signatures.
- It transfers and stores data through legitimate web services such as Dropbox, Google Drive and Twitter. Traffic to these services blends in with normal user activity and passes some security controls that only block unknown destinations.
CozyDuke's main approach is to break into the victim's computer, install its components, learn about the network environment, download additional modules for specific tasks, exfiltrate data, and leave as little trace as possible. It makes use of several techniques, including:
- Phishing: sending emails with attachments, links, or redirects to websites that host malicious code. These emails may impersonate reputable companies or people, exploit topical news, or otherwise trick the recipient into acting.
- Watering-hole attacks: a website that staff of the targeted organisation visit regularly is compromised so that it serves malicious code or redirects visitors to other malicious sites. One compromised site can infect many visitors at once.
- Lateral movement: spreading to other systems on the same network using credentials or vulnerabilities found on an already-infected system. This lets the attacker reach more valuable targets and gather more data.
How CozyDuke gets into a system
CozyDuke goes through a number of stages to establish itself on a victim's system:
- Initial compromise - CozyDuke infects a computer through an SFX file that is emailed to the victim or posted online for download. The file name is chosen to draw the user's attention, for example "New video of the president", "Salary report" or "Funny video". When the SFX file is opened it extracts and plays a humorous video. At the same time it launches a malicious executable, which copies itself to the %TEMP% folder and creates a registry Run value so that it starts again every time the system boots.
- Installation - The dropper in the malicious file contacts a CozyDuke command and control server and receives the main module (loader) from it. The loader also sends the server details about the infected system, including the computer name, username, operating system version and other characteristics. The main module is a DLL that is executed through rundll32.exe and loaded into memory. It maintains communication with the command and control server and obtains extra modules from it for specific tasks.
- Lateral movement - CozyDuke can spread to other systems on the same network in several ways. It can use credentials stolen from the infected system to access network resources such as shared folders, mail servers or remote workstations. It can also exploit unpatched software vulnerabilities to run arbitrary code on other systems (CVE-2014-4114, the Windows OLE flaw exploited by the Sandworm group, is an example of the kind of bug that lends itself to this).
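The lure at the start of this chain is an SFX archive that bundles a decoy media file with an executable. The following Python script is an added example (it is not code from the original article or from any vendor report) that shows how to triage such a file offline. It builds a synthetic SFX in memory, a fake "MZ" stub with a ZIP archive appended, which is how many ZIP-based SFX builders work; the file names and contents are constructed for the example. Python's zipfile locates the central directory from the end of the file, so a prepended stub does not prevent it from listing the members.

```python
"""Triage a self-extracting (SFX) archive for the decoy-plus-payload pattern.

Added example, not code from the original article. Works on ZIP-based SFX
files; RAR-based SFX would need a RAR parser instead of zipfile.
"""
import io
import zipfile

# Extensions an SFX lure typically pairs: a harmless-looking decoy and a
# Windows executable that actually runs when the archive is opened.
DECOY_EXTS = {".mp4", ".avi", ".wmv", ".mov", ".jpg", ".png", ".pdf"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}


def is_pe(data: bytes) -> bool:
    """True if the blob starts with the DOS 'MZ' header every Windows PE has."""
    return data[:2] == b"MZ"


def embedded_zip(data: bytes):
    """Return a ZipFile for a ZIP archive appended after a stub, or None.

    zipfile reads the end-of-central-directory record from the end of the
    data and adjusts member offsets, so a prepended PE stub is tolerated.
    """
    try:
        return zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None


def triage_sfx(data: bytes) -> dict:
    """Classify a blob: PE stub + archive mixing a decoy and an executable = lure."""
    result = {"pe_stub": is_pe(data), "archive": False,
              "decoys": [], "executables": [], "verdict": "clean"}
    zf = embedded_zip(data)
    if zf is None:
        return result
    result["archive"] = True
    with zf:
        for name in zf.namelist():
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in EXEC_EXTS:
                result["executables"].append(name)
            elif ext in DECOY_EXTS:
                result["decoys"].append(name)
    if result["pe_stub"] and result["executables"] and result["decoys"]:
        result["verdict"] = "suspicious: SFX bundling a decoy with an executable"
    elif result["pe_stub"] and result["executables"]:
        result["verdict"] = "suspicious: SFX containing an executable"
    return result


def build_synthetic_sfx(members: dict) -> bytes:
    """Constructed sample: a fake 'MZ' stub followed by a ZIP of the members."""
    stub = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return stub + buf.getvalue()


# Constructed inputs: a lure in the style described in the text, and a
# benign self-extractor that ships no executable.
SAMPLE_LURE = build_synthetic_sfx({
    "funny_monkeys.mp4": b"\x00" * 1024,   # decoy "video" (constructed bytes)
    "player.exe": b"MZ" + b"\x00" * 256,   # the payload (constructed bytes)
})
SAMPLE_BENIGN = build_synthetic_sfx({"readme.txt": b"hello", "photo.jpg": b"\xff\xd8"})

if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, "->", triage_sfx(blob)["verdict"])
```

Running the script prints a verdict for each constructed sample; on a real mail gateway the same check would run on attachments before delivery, and the "decoy plus executable" combination is the signal worth alerting on, since a legitimate self-extractor rarely needs to ship a video next to an .exe.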
Types of attacks CozyDuke commits
Depending on its objectives and capabilities, CozyDuke can launch a variety of attacks once it has gained access to a victim's system. These are a few examples of these attack types:
- Data theft - CozyDuke can steal many kinds of data from an infected system, including documents, images, videos, audio, databases, archives, credentials and encryption keys. It can also search other systems on the network for files of interest. It exfiltrates data in several ways, including by email, by uploading to cloud storage, and over encrypted channels to its own servers.
- Spying - CozyDuke gathers a wide range of information about an infected system and its user: the computer name, username, operating system version, installed applications, running processes, visited websites and more. It can also capture microphone audio, screenshots and keystrokes. This information is used to map the victim's network environment and decide on the next steps.
- System disruption - CozyDuke can carry out a number of operations that disturb an infected system or network. For instance, it can delete or alter files, terminate processes, block access to resources, or execute further malicious code. To cover its tracks, it can also use detection-evasion or self-removal techniques.
Examples of Real-World CozyDuke Targeted Attacks
Several actual instances of targeted attacks against different organisations have involved CozyDuke. Examples of these include:
- Attack on the White House and the US State Department - In October 2014, CozyDuke attacked the networks of the White House and the US State Department using SFX files whose video lures mimicked YouTube clips. It gained access to sensitive but unclassified material such as emails, schedules and other records, and used lateral movement to spread to other systems on those networks.
- Attack on the US Democratic National Committee - The intrusion into the network of the US Democratic National Committee disclosed in June 2016 was attributed to the same actor. It yielded confidential documents, emails, analysis reports and more, and lateral movement was again used to reach other systems on the network.
- Attack on German government organisations - In March 2018, an intrusion into the networks of several German government organisations was publicly linked to this actor in reports at the time. The attackers gained access to internal records, including emails, documents and correspondence, and again used lateral movement to reach further systems.
CozyDuke attack detection and prevention techniques
Applying various security measures at various levels is necessary to identify and stop CozyDuke attacks. Some of these actions include:
- User education - Users should be taught about the risks of targeted cyberattacks and how to protect themselves. They should be cautious when opening emails, attachments or links from unknown or dubious senders, check the legitimacy of the websites they visit, and avoid downloading files from untrusted sources.
- Software updates - Software on all systems should be kept at the latest patch level. This prevents the exploitation of vulnerabilities that CozyDuke might use to compromise systems or move laterally.
- Endpoint protection - Every system should run an up-to-date antivirus or endpoint protection product that can identify and block malicious files, processes and network activity associated with CozyDuke, and that scans systems for malware on a regular schedule.
- Monitoring and analysis tools - Network traffic and system behaviour should be collected and analysed so that suspicious or anomalous events raise an alert: for example unexpected connections to command and control servers or cloud services from non-browser processes, downloads of unknown files or modules, executables launched from temporary folders, and new autorun registry entries.
- Isolation and recovery tools - Systems that have been infected or attacked by CozyDuke should be isolated and restored with dedicated tooling: disconnecting the affected machines from the network, removing the malware, and restoring files and settings from a known-good state.
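The monitoring point above is easiest to see on concrete telemetry. The following Python script is an added example, not code from the original article or from any product: it correlates the indicators that the installation chain leaves behind (an executable launched from %TEMP%, a Run registry value pointing at %TEMP%, rundll32.exe loading a DLL from %TEMP%, and a non-browser process talking to a cloud storage service) and flags any host that shows at least two of them. The events are constructed JSON lines in a Sysmon-like shape; the field names (Host, Type, Image, CommandLine, TargetObject, Details, DestinationHostname) are assumptions for the example and not a vendor schema.

```python
"""Correlate host telemetry for the CozyDuke-style installation chain.

Added example, not from the original article. Event format and field names
are assumptions chosen for the example (Sysmon-like JSON lines).
"""
import json
import re
from collections import defaultdict

# Paths the dropper uses for its copy and its DLL (per the text: %TEMP%).
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
# Autorun persistence location.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# rundll32 <dll>,<export>: capture the DLL path.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+)", re.IGNORECASE)
# Cloud services the text names as C2/exfil channels (domain suffixes are assumptions).
CLOUD_HOSTS = ("dropbox.com", "dropboxapi.com", "drive.google.com",
               "googleapis.com", "twitter.com")
# Processes for which cloud traffic is expected and not interesting.
BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe")

# Constructed sample telemetry: WS01 shows the full chain, WS02 is a user
# browsing Dropbox in Chrome.
SAMPLE_EVENTS = r"""
{"Host":"WS01","Type":"ProcessCreate","Image":"C:\\Users\\ann\\AppData\\Local\\Temp\\player.exe","CommandLine":"player.exe"}
{"Host":"WS01","Type":"RegistryValueSet","TargetObject":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","Details":"C:\\Users\\ann\\AppData\\Local\\Temp\\player.exe"}
{"Host":"WS01","Type":"ProcessCreate","Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32.exe C:\\Users\\ann\\AppData\\Local\\Temp\\core.dll,Start"}
{"Host":"WS01","Type":"NetworkConnect","Image":"C:\\Windows\\System32\\rundll32.exe","DestinationHostname":"content.dropboxapi.com"}
{"Host":"WS02","Type":"ProcessCreate","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","CommandLine":"chrome.exe"}
{"Host":"WS02","Type":"NetworkConnect","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","DestinationHostname":"www.dropbox.com"}
"""


def signals_for(event):
    """Map one event to zero or more named indicators."""
    kind = event.get("Type")
    found = []
    if kind == "ProcessCreate":
        if TEMP_RE.search(event.get("Image", "")):
            found.append("exec_from_temp")
        m = RUNDLL_RE.search(event.get("CommandLine", ""))
        if m and TEMP_RE.search(m.group("dll")):
            found.append("rundll32_temp_dll")
    elif kind == "RegistryValueSet":
        if RUN_KEY_RE.search(event.get("TargetObject", "")) and \
                TEMP_RE.search(event.get("Details", "")):
            found.append("run_key_to_temp")
    elif kind == "NetworkConnect":
        host = event.get("DestinationHostname", "").lower()
        image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
        if host.endswith(CLOUD_HOSTS) and image not in BROWSERS:
            found.append("cloud_storage_from_non_browser")
    return found


def correlate(lines, min_signals=2):
    """Group indicators per host; return hosts with at least min_signals distinct ones."""
    per_host = defaultdict(set)
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        per_host[event["Host"]].update(signals_for(event))
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_signals}


if __name__ == "__main__":
    for host, indicators in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(indicators)}")
```

Requiring two independent indicators per host keeps a lone installer running from a temp folder from paging anyone, while the combination of temp-folder execution, an autorun value and a cloud connection from rundll32.exe is close to the chain the text describes. Each regex is a narrow starting point; in production the Temp and Run-key patterns would be broadened to the other user-writable and autostart locations the environment cares about.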
Attacks by CozyDuke and their effects
Attacks by CozyDuke can have detrimental effects on the targeted organisations. Some of these effects include:
- Loss of sensitive data - CozyDuke has the ability to steal a variety of sensitive data from infected systems, including documents, login credentials, encryption keys, and more. CozyDuke might use this information for future attacks, snooping, or selling to outside parties. This might result in the disclosure of information, invasions of privacy, or security issues.
- Disruption of infected systems or networks - CozyDuke can carry out operations that disrupt the systems it has compromised: deleting or altering files, terminating processes, blocking access to resources, or executing further malicious code. The result can be data corruption, errors, downtime and crashes.
- Undermining reputation and trust - CozyDuke has the ability to attack institutions with a strong reputation and level of public trust, such as governmental bodies or political parties. This may damage these companies' credibility and reputation with their associates, customers, constituents, or the general public. Politics or international relations may also be impacted.
CozyDuke is an APT group that conducts targeted cyber attacks on various organisations in order to gain access to confidential information, spy on them, or disrupt their operations. It employs a variety of techniques to infiltrate victims' systems, install software, carry out various tasks, and exfiltrate data. It also employs a variety of techniques to avoid detection or to remove itself.
CozyDuke attacks can have serious consequences for organisations that fall victim to them, including the loss of confidential information, system disruption, and trust and reputation damage. To detect and prevent CozyDuke attacks, various security measures must be implemented at various levels, including user education, software updates, the use of an antivirus solution, monitoring and analysis tools, and isolation and recovery tools.
CozyDuke is one of many advanced persistent threat (APT) groups that threaten organisations in today's cyberspace. Its operations show a high level of professionalism, adaptability and stealth, and a strong interest in political and geopolitical processes and relationships. It exemplifies how targeted cyberattacks can be used to achieve a range of goals and how they can have an impact on society.