Kaspersky Lab’s Global Research and Analysis Team has published a report describing a new advanced cyberespionage actor taking aim precisely at US targets, including, possibly, within both the White House and State Department.
The operation presents other alarming though fascinating aspects, such as the use of encryption and anti-detection capabilities (the code hunts for several security products to evade: Kaspersky Lab, Sophos, DrWeb, Avira, Crystal, Comodo Dragon), strong malicious program functionality, and structural similarities linking this toolset to the MiniDuke, CosmicDuke and OnionDuke cyberespionage campaigns – operations believed to have Russian-speaking authors behind them due to certain indicators.
“The anti-detection capabilities of the CozyDuke APT are likely to become more widespread in APTs,” said Mike Spykerman, Vice President of Product Management at OPSWAT. “The best way to protect against malware that includes anti-AV protection is to use a multi anti-malware scanner that utilizes several different anti-malware engines. Not only does this significantly increase the malware detection rate, it also thwarts threats that try to target vulnerabilities in specific anti-virus engines. When using multiple engines, only one engine needs to detect the threat to be protected. The more engines you use, the less likely the APT has anti-detection capabilities for all.”
The CozyDuke actor often spearphishes targets with emails containing a link to a hacked website – sometimes a high-profile, legitimate one such as ‘diplomacy.pl’ – which hosts a ZIP archive with malware inside. In other highly successful runs, this actor sends out phony Flash videos with malicious executables directly as email attachments.
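Both delivery paths described above (a ZIP archive fetched from a compromised site, or an executable dressed up as a video and attached directly) share two cheap, defender-side tells: a Windows PE header behind a non-executable file name, and a double extension such as `.flv.exe`. The script below is an added example, not code from the article, Kaspersky Lab or OPSWAT; it is a mail-gateway style triage heuristic over constructed sample attachments (a 64-byte `MZ` stub stands in for a real executable, and the names `classify_file`, `scan_attachment` and `triage` are this example's own).

```python
from __future__ import annotations

import io
import zipfile

# Added example (not from the article): heuristic triage of e-mail attachments
# that flags executables disguised as videos or hidden inside ZIP archives.

MEDIA_EXTENSIONS = {".flv", ".swf", ".mp4", ".avi", ".wmv", ".mov"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
PE_MAGIC = b"MZ"                     # DOS header that every Windows PE file starts with
ZIP_MAGIC = b"PK"                    # local-file-header signature of a ZIP archive
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate oversized members (zip bombs)


def classify_file(name: str, data: bytes) -> list[str]:
    """Return findings for one file; an empty list means nothing suspicious."""
    findings: list[str] = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + part for part in base.split(".")[1:]]
    last = exts[-1] if exts else ""

    if last in EXECUTABLE_EXTENSIONS:
        findings.append(f"{name}: executable extension {last}")
        # 'video.flv.exe' style names: a media extension used to mask an executable
        if any(ext in MEDIA_EXTENSIONS for ext in exts[:-1]):
            findings.append(f"{name}: media extension masking an executable")
    elif data[:2] == PE_MAGIC:
        # The content says PE executable while the name says otherwise
        findings.append(f"{name}: PE header (MZ) behind a non-executable name")
    return findings


def scan_attachment(name: str, data: bytes) -> list[str]:
    """Scan one attachment; ZIP archives are opened and every member is classified."""
    if data[:2] != ZIP_MAGIC:
        return classify_file(name, data)
    findings: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(f"{name}!{info.filename}: member too large to inspect")
                    continue
                member = archive.read(info.filename)
                findings.extend(f"{name}!{f}" for f in classify_file(info.filename, member))
    except zipfile.BadZipFile:
        findings.append(f"{name}: ZIP signature but archive is corrupt")
    return findings


def triage(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each flagged attachment name to its findings; clean attachments are omitted."""
    report = {}
    for name, data in attachments.items():
        findings = scan_attachment(name, data)
        if findings:
            report[name] = findings
    return report


def build_samples() -> dict[str, bytes]:
    """Constructed sample attachments (not real malware); an MZ stub stands in for a PE."""
    fake_pe = PE_MAGIC + b"\x00" * 62
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("video.flv.exe", fake_pe)      # executable hidden in the archive
        archive.writestr("readme.txt", "open the video")  # benign decoy text
    return {
        "funny_clip.flv.exe": fake_pe,   # direct attachment with a double extension
        "clip.flv": fake_pe,             # plausible video name, executable content
        "agenda.pdf": b"%PDF-1.4\n",     # benign document
        "photos.zip": buffer.getvalue(), # archive carrying an executable
    }


if __name__ == "__main__":
    for attachment, findings in triage(build_samples()).items():
        print(attachment)
        for finding in findings:
            print("  -", finding)
```

The name and magic-byte checks are deliberately independent so that a renamed file is caught by its content and a file whose first bytes were tampered with is still caught by its name; a real gateway would feed flagged items to the multi-engine scanning the OPSWAT quote recommends rather than deciding on these heuristics alone.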