F-Secure Labs’ latest white paper highlights CozyDuke as part of an ongoing series of Advanced Persistent Threats targeting governments and other large organizations.
A new malware analysis from F-Secure Labs points to CozyDuke as a continuing 
menace facing governments and other large organizations. CozyDuke is an Advanced Persistent Threat (APT) toolkit that uses combinations of tactics and malware to compromise and steal information from its targets, and the new analysis links it to other APTs responsible for a number of high profile attacks.
According to the analysis, CozyDuke shares command and control resources with the prominent MiniDuke and OnionDuke APTs. F-Secure Labs has attributed several high-profile attacks to these APT platforms, including malicious attacks against people using a Russian Tor exit node, and targeted attacks against NATO and a number of European government agencies.* CozyDuke utilizes much of the same infrastructure as these other platforms and employs components with encryption algorithms similar to those used by OnionDuke, linking the same technology to different campaigns.
“All of these threats are related to one another and share resources, but they’re built a little bit differently to make them more effective against particular targets”, says F-Secure Security Advisor Sean Sullivan. “The interesting thing about CozyDuke is that it’s being used against a more diverse range of targets. Many of its targets are still Western governments and institutions, but we’re also seeing it being used against targets based in Asia, which is a notable observation to make”.
CozyDuke and its associates are believed to originate from Russia**. The attackers establish a beachhead in an organization by tricking employees into doing something such as opening an attachment in an e-mail that distracts users with a decoy file (like a PDF or a video), allowing CozyDuke to infect their system without being noticed. Attackers can then perform a variety of tasks by using different payloads compatible with CozyDuke, and this can let them gather passwords and other sensitive information, remotely execute commands, or intercept confidential communications.
Sullivan acknowledges there’s not yet sufficient evidence to definitively conclude what the attackers’ true identities and motives are, but he is quite confident that they are the same people responsible for attacks attributed to OnionDuke and MiniDuke. “CozyDuke has actually been around since 2011, but it’s something that’s been developing so it keeps on changing. This tells us that a group or groups have been investing time and money to nurture these tools, so figuring out what they’re after now is really what we need to be focusing on”.
The white paper also notes that CozyDuke checks for cyber security software before establishing its infection, and certain types of software can cause it to abandon the attack. The white paper, penned by F-Secure Threat Intelligence Analyst Artturi Lehtiö, is free and available for download from F-Secure’s website.
