F-Secure Labs’ latest white paper highlights CozyDuke as part of an ongoing series of Advanced Persistent Threats targeting governments and other large organizations.

HELSINKI, FINLAND – April 30, 2015 — /BackupReview.info/ — A new malware analysis from F-Secure Labs points to CozyDuke — http://goo.gl/4mY0JA — as a continuing menace facing governments and other large organizations. CozyDuke is an Advanced Persistent Threat (APT) toolkit that uses combinations of tactics and malware to compromise and steal information from its targets, and the new analysis links it to other APTs responsible for a number of high profile attacks.

According to the analysis, CozyDuke shares command and control resources with the prominent MiniDuke and OnionDuke APTs. F-Secure Labs has attributed several high-profile attacks to these APT platforms, including malicious attacks against people using a Russian Tor exit node, and targeted attacks against NATO and a number of European government agencies.* CozyDuke utilizes much of the same infrastructure as these other platforms and employs components with encryption algorithms similar to those used by OnionDuke, linking the same technology to different campaigns.

“All of these threats are related to one another and share resources, but they’re built a little bit differently to make them more effective against particular targets”, says F-Secure Security Advisor Sean Sullivan. “The interesting thing about CozyDuke is that it’s being used against a more diverse range of targets. Many of its targets are still Western governments and institutions, but we’re also seeing it being used against targets based in Asia, which is a notable observation to make”.

CozyDuke and its associates are believed to originate from Russia**. The attackers establish a beachhead in an organization by tricking employees into doing something such as opening an attachment in an e-mail that distracts users with a decoy file (like a PDF or a video), allowing CozyDuke to infect systems without being noticed. Attackers can then perform a variety of tasks by using different payloads compatible with CozyDuke, and this can let them gather passwords and other sensitive information, remotely execute commands, or intercept confidential communications.

Sullivan acknowledges there’s not yet sufficient evidence to definitively conclude what the attackers’ true identities and motives are, but he is quite confident that they are the same people responsible for attacks attributed to OnionDuke and MiniDuke. “CozyDuke has actually been around since 2011, but it’s something that’s been developing so it keeps on changing. This tells us that a group or groups have been investing time and money to nurture these tools, so figuring out what they’re after now is really what we need to be focusing on”.

The white paper also notes that CozyDuke checks for cyber security software before establishing its infection, and certain types of software can cause it to abandon the attack.

The white paper, penned by F-Secure Threat Intelligence Analyst Artturi Lehtiö, is free and available for download from F-Secure’s website: http://goo.gl/zwSYgy

*Source: https://www.f-secure.com/weblog/archives/00002764.html
**Source: https://www.f-secure.com/weblog/archives/00002780.html

More information:
CozyDuke Malware Analysis – http://goo.gl/4mY0JA
Threat Report H2 2014 – http://goo.gl/OMSFO9

F-Secure – Switch on freedom
F-Secure is an online security and privacy company from Finland. We offer millions of people around the globe the power to surf invisibly and share stuff, safe from online threats. We are here to fight for digital freedom. Join the movement and switch on freedom.

Founded in 1988, F-Secure is listed on NASDAQ OMX Helsinki Ltd.

f-secure.com | twitter.com/fsecure | facebook.com/f-secure

F-Secure media relations
Adam Pilkey
+ 358 40 6378859

Source: F-Secure


Tags: ,