THE DUKES
KfG7I6
KfG7I6
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>THE</strong> <strong>DUKES</strong> Over 7 years of Russian cyberespionage<br />
20<br />
COZYDUKE<br />
First known activity: January 2010<br />
Most recent known activity: Spring 2015<br />
Other names:<br />
C&C communication methods:<br />
Known toolset components:<br />
CozyBear, CozyCar, Cozer, EuroAPT<br />
HTTP (S), Twitter (backup)<br />
◊ Dropper<br />
◊ Modular backdoor<br />
◊ Multiple persistence components<br />
◊ Information gathering module<br />
◊ Screenshot module<br />
◊ Password stealing module<br />
◊ Password hash stealing module<br />
CozyDuke is not simply a malware toolset; rather,<br />
it is a modular malware platform formed around a<br />
core backdoor component. This component can be<br />
instructed by the C&C server to download and execute<br />
arbitrary modules, and it is these modules that provide<br />
CozyDuke with its vast array of functionality. Known<br />
CozyDuke modules include:<br />
••<br />
Command execution module for executing<br />
arbitrary Windows Command Prompt commands<br />
••<br />
Password stealer module<br />
••<br />
NT LAN Manager (NTLM) hash stealer module<br />
••<br />
System information gathering module<br />
••<br />
Screenshot module<br />
Further reading<br />
1. Artturi Lehtio; F-Secure Labs; CozyDuke;<br />
published 22 April 2015; https://www.f-secure.<br />
com/documents/996508/ 1030745/CozyDuke<br />
(PDF)<br />
2. Kurt Baumgartner, Costin Raiu; Securelist; The<br />
CozyDuke APT; 21 April 2015; https://securelist.<br />
com/blog/research/69731/the-cozyduke-apt/<br />
In addition to modules, CozyDuke can also be<br />
instructed to download and execute other, independent<br />
executables. In some observed cases, these executables<br />
were self-extracting archive files containing common<br />
hacking tools, such as PSExec and Mimikatz, combined<br />
with script files that execute these tools. In other<br />
cases, CozyDuke has been observed downloading and<br />
executing tools from other toolsets used by the Dukes<br />
such as OnionDuke, SeaDuke, and HammerDuke.<br />
EXAMPLES OF COZYDUKE PDB STRINGS<br />
••<br />
E:\Visual Studio 2010\Projects\Agent_NextGen\Agent2011v3\Agent2011\Agent\tasks\bin\<br />
GetPasswords\exe\GetPasswords.pdb<br />
••<br />
D:\Projects\Agent2011\Agent2011\Agent\tasks\bin\systeminfo\exe\systeminfo.pdb<br />
••\\192.168.56.101\true\soft\Agent\tasks\Screenshots\agent_screeshots\Release\agent_<br />
screeshots.pdb