跳到主体内容

The Duke is Back: Kaspersky Lab Discovers New “CozyDuke” Cyberthreat Related to Infamous Miniduke

2015年4月23日

Kaspersky Lab’s Global Research and Analysis Team has published a report describing a new, advanced cyberespionage campaign using malware to hit very specific, high-profile entities

Kaspersky Lab’s Global Research and Analysis Team has published a report describing a new, advanced cyberespionage campaign using malware to hit very specific, high-profile entities. Targets in the U.S. are believed to include the White House and the State Department, while the attacker’s list also includes government organizations and commercial entities in Germany, South Korea and Uzbekistan.

Alongside its very precise targeting of the highest profile victims, the threat actor exhibits other worrying, although fascinating features. These include the use of crypto and anti-detection capabilities. For example, the code hunts for the presence of several security products in order to attempt to evade them, namely: Kaspersky Lab, Sophos, DrWeb, Avira, Crystal and Comodo Dragon.

Connection to other cyberespionage actors

Kaspersky Lab’s security experts uncovered strong malicious program functionality, as well as structural similarities that matched this toolset with the MiniDuke, CosmicDuke and OnionDuke cyberespionage campaigns; operations that, according to a number of indicators, are believed to be managed by Russian-speaking authors. Kaspersky Lab observations show that MiniDuke and CosmicDuke are still active and targeting diplomatic organizations/embassies, energy, oil and gas companies, telecoms, military, and academia/research institutions in a number of countries.

Method of distribution

The CozyDuke actor often spearphishes targets with emails containing a link to a hacked website – sometimes to high profile, legitimate ones such as ‘diplomacy.pl’ – which hosts a ZIP archive rigged with malware. In other highly successful runs, this actor sends out phony flash videos with malicious executables included as email attachments.

CozyDuke use a backdoor and a dropper. The malicious program sends information about the target to the command and control server, and retrieves configuration files and additional modules implementing any extra functionality needed by the attackers.

“We have been monitoring both MiniDuke and CosmicDuke for couple of years. Kaspersky Lab was the first to warn about MiniDuke attacks in 2013, with the “oldest” known samples for this cyberthreat dating back to 2008. CozyDuke is definitely connected to these two campaigns, as well as to the OnionDuke cyberespionage operation. Every one of these threat actors continues to track their targets, and we believe their espionage tools are all created and managed by Russian-speakers,” - says Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab’s Global Research and Analysis Team.

Kaspersky Lab’s products detect all the known samples and protect users against this threat.

Tips for users

  • Don’t open attachments and links from people you don’t know
  • Regularly scan your PC with an advanced antimalware solution
  • Beware of ZIP archives with SFX files inside
  • If you are unsure about the attachment, try to open it in a sandbox
  • Make sure you have a modern operating system with all patches installed
  • Update all third party applications such as Microsoft Office, Java, Adobe Flash Player and Adobe Reader

To learn more about the “CozyDuke” operation, please read the blog post available at Securelist.com.



The Duke is Back: Kaspersky Lab Discovers New “CozyDuke” Cyberthreat Related to Infamous Miniduke

Kaspersky Lab’s Global Research and Analysis Team has published a report describing a new, advanced cyberespionage campaign using malware to hit very specific, high-profile entities
Kaspersky logo

关于卡巴斯基

卡巴斯基是一家成立于1997年的全球网络安全和数字隐私公司。卡巴斯基不断将深度威胁情报和安全技术转化成创新的安全解决方案和服务,为全球的企业、关键基础设施、政府和消费者提供安全保护。公司提供全面的安全产品组合,包括领先的端点保护解决方案以及多种针对性的安全解决方案和服务,以及用于应对复杂和不断变化的数字威胁的网络免疫解决方案。全球有超过4亿用户使用卡巴斯基技术保护自己,我们还帮助全球200,000家企业客户保护最重要的东西。要了解更多详情,请访问www.kaspersky.com.cn.

相关文章 企业新闻