# The CozyDuke APT - Securelist [securelist.com](http://securelist.com/blog/69731/the-cozyduke-apt/) Updated Apr 21st, 2015 # The CozyDuke APT CozyDuke (aka CozyBear, CozyCar or "Office Monkeys") is a threat actor that became increasingly active in the 2nd half of 2014 and hit a variety of targets. The White House and Department of State are two of the most spectacular known victims. The operation presents several interesting aspects blatantly sensitive high profile victims and targets crypto and anti-detection capabilities strong malware functional and structural similarities mating this toolset to early MiniDuke second stage components, along with more recent CosmicDuke and OnionDuke components The actor often spearphishes targets with e-mails containing a link to a hacked website. Sometimes it is a high profile, legitimate site such as "diplomacy.pl", hosting a ZIP archive. The ZIP archive contains a RAR SFX which installs the malware and shows an empty PDF decoy. In other highly successful runs, this actor sends out phony flash videos directly as email attachments. A clever example is "Office Monkeys LOL Video.zip". The executable within not only plays a flash video, but drops and runs another CozyDuke executable. These videos are quickly passed around offices with delight while systems are infected in the background silently. Many of this APT's components are signed with phony Intel and AMD digital certificates. Recent Cozyduke APT activity attracted significant attention in the news: Sources: State Dept. hack the 'worst ever' ----- State Department shuts down its e mail system amid concerns about hacking Let's examine a smattering of representative CozyDuke files and data. There is much to their toolset. **Office Monkeys dropper analysis** The droppers and spyware components often maintain fairly common characteristics 68271df868f462c06e24a896a9494225,Office Monkeys LOL Video.zip Believe it or not, recipients in bulk run the file within: 95b3ec0a4e539efaa1faa3d4e25d51de,Office Monkeys (Short Flash Movie).exe This file in turn drops two executables to %temp% 2aabd78ef11926d7b562fd0d91e68ad3, Monkeys.exe 3d3363598f87c78826c859077606e514, player.exe It first launches Monkeys.exe, playing a self-contained, very funny video of white-collar tie wearing chimpanzees working in a high rise office with a human colleague. It then launches player.exe, a CozyDuke dropper maintaining anti-detection techniques: 3d3363598f87c78826c859077606e514,338kb,player.exe,Trojan.Win32.CozyBear.v,CompiledOn:2014.07. 02 21:13:33 The file collects system information, and then invokes a WMI instance in the root\securitycenter namespace to identify security products installed on the system, meaning that this code was built for x86 systems, wql here: SELECT * FROM AntiVirusProduct SELECT * FROM FireWallProduct The code hunts for several security products to evade: CRYSTAL KASPERSKY SOPHOS DrWeb AVIRA COMODO Dragon In addition to the WMI/wql use, it also hunts through the "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" registry key looking for security products to avoid. Following these checks, it drops several more malware files signed with the pasted AMD digital signature to a directory it creates. These files are stored within an 217kb encrypted cab file in the dropper's resources under the name "A". The cab file was encrypted and decrypted using a simple xor cipher with a rotating 16 byte key: \x36\x11\xdd\x08\xac\x4b\x72\xf8\x51\x04\x68\x2e\x3e\x38\x64\x32. The cab file is decompressed and its contents are created on disk. These dropped files bundle functionality for both 64bit and 32bit Windows systems: C:\Documents and Settings\user\Application Data\ATI_Subsystem\ 6761106f816313394a653db5172dc487,54kb,amdhcp32.dll ← 32bit dll,CompiledOn:2014.07.02 21:13:24 d596827d48a3ff836545b3a999f2c3e3,60kb,aticaldd.dll ← 64bit dll,CompiledOn:2014.07.02 21:13:26 bc626c8f11ed753f33ad1c0fe848d898,285kb,atiumdag.dll ← 32bit dll, 279kb, Trojan.Win32.CozyDuke.a, CompiledOn:2014.07.02 21:13:26 4152e79e3dbde55dcf3fc2014700a022,6kb,racss.dat ----- parameter values, it's only export and an arbitrary pid, i.e.: "C:\Documents and Settings\user\Application Data\ATI_Subsystem\amdocl_as32.exe" "C:\Documents and Settings\user\Application Data\ATI_Subsystem\atiumdag.dll"", ADL2_ApplicationProfiles_System_Reload 1684" This dll is built with anti-AV protections as well. However, it looks for a different but overlapping set, and the random duplication suggests that this component was cobbled together with its dropper, partly regionally based on target selection. KASPERSKY The code collects information about the system efd5aba3-6719-4655-8a72-1aa93feefa38C:\Documents and Settings\user\Application Data\ATI_Subsystem\amdocl_as32exeMyPCuserMicrosoft Windows XP 512600 SP 30 x32Admin192.60.11.1008:11:17:f2:9a:efSophos Anti-Virus Finally, this process beacons to www.sanjosemaristas.com, which appears to be a site that has been compromised and misused multiple times in the past couple of years. hxxp://www.sanjosemaristas.com/app/index.php?{A01BA0AD-9BB3-4F38-B76B-A00AD11CBAAA}, providing the current network adapter's service name GUID. It uses standard Win32 base cryptography functions to generate a CALG_RC4 session key to encrypt the collected data communications and POSTs it to the server. **Executable-Signing Certificates** Samples are usually signed with a fake certificate - we've seen two instances, one AMD and one Intel: **Configuration files:** Some of the malware uses an encrypted configuration file which is stored on disk as "racss dat" This is ----- **C&Cs:** 121.193.130.170:443/wp-ajax.php 183.78.169.5:443/search.php 200.119.128.45:443/mobile.php 200.125.133.28:443/search.php 200.125.142.11:443/news.php 201.76.51.10:443/plugins/json.php 202.206.232.20:443/rss.php 202.76.237.216:443/search.php 203.156.161.49:443/plugins/twitter.php 208.75.241.246:443/msearch.php 209.40.72.2:443/plugins/fsearch.php 210.59.2.20:443/search.php 208.77.177.24:443/fsearch.php www.getiton.hants.org.uk:80/themes/front/img/ajax.php www.seccionpolitica.com.ar:80/galeria/index.php 209.200.83.43/ajax/links.php 209.200.83.43/ajax/api.php 209.200.83.43/ajax/index.php 209.200.83.43/ajax/error.php 209.200.83.43/ajax/profile.php 209.200.83.43/ajax/online.php 209.200.83.43/ajax/loader.php 209.200.83.43/ajax/search.php ----- C&C scripts store these temporarily until the next victim connects in local files. We've identified two such files: settings.db sdfg3d.db Here's how such a database file appears: These are BASE64 encoded and use the same RC4 encryption key as the malware configuration. Decoding them resulted in the following payloads: 59704bc8bedef32709ab1128734aa846 *ChromeUpdate.ex_ 5d8835982d8bfc8b047eb47322436c8a *cmd_task.dll e0b6f0d368c81a0fb197774d0072f759 *screenshot_task.dll Decoding them also resulted in a set of tasking files maintaining agent commands and parameter values: conf.xml And a set of "reporting" files, maintaining stolen system "info", error output, and "AgentInfo" output, from victim systems: DCOM_amdocl_ld_API_.raw Util_amdave_System_.vol Last_amdpcom_Subsystem_.max Data_amdmiracast_API_.aaf 7.txt screenshot_task.dll is a 32-bit dll used to take a screenshot of the full desktop window and save it as a bitmap in %temp%. The number of times the screenshot is repeated is configurable within the xml task file. cmd_task.dll is a 32-bit dll that maintains several primitives. It is used to create new processes, perform as a command line shell, and several other tasks. Each of these payloads is delivered together with a configuration file that explains how to run it, for instance: ----- Furthermore, ChromeUpdate is a 64-bit executable (which appears to be a WEXTRACT package) that oddly drops a 32-bit Dll. Cache.dll is simply stored as a cabinet file in the ChromeUpdate's resource section. ChromeUpdate.exe starts the file with "rundll32 cache.dll,ADB_Setup" **Cache.dll analysis** Cache.dll was written in C/C++ and built with a Microsoft compiler. Cache.dll code flow overview rc4 decrypt hardcoded c2 and urls resolve hidden function calls collect identifying victim system data encrypt collected data send stolen data to c2 and retrieve commands **Cache.dll code details** Structurally, cache.dll is a fairly large backdoor at 425kb. It maintains both code and data in the raw, encrypted blobs of data to be decrypted and used at runtime, and hidden functionality that isn't exposed until runtime. No pdb/debug strings are present in the code. It maintains eight exports, including DllMain: ADB_Add ADB_Cleanup ADB_Initnj ADB_Load ADB_Release ADB_Remove ADB_Setup ADB_Setup is a entry point that simply spawns another thread and waits for completion. ----- Above, we see a new thread created with the start address of Cache.dll export "ADB_Load" by the initial thread. This exported function is passed control while the initial thread runs a Windows message loop. It first grabs an encrypted blob stored away in a global variable and pulls out 381 bytes of this encrypted data: The standard win32 api CryptDecrypt uses rc4 to decrypt this blob into a hardcoded c2, url path, and url parameters listed below with a simple 140-bit key "\x8B\xFF\x55\x8B\xEC\x83\xEC\x50\xA1\x84\x18\x03\x68\x33\xC9\x66\xF7\x45\x10\xE8\x1F\x89\x45\xF C\x8B\x45\x14\x56". ----- The code then decodes this set of import symbols and resolves addresses for its networking and data stealing functionality: InternetCloseHandle InternetReadFile HttpSendRequestA HttpOpenRequestA HttpQueryInfoA InternetConnectA InternetCrackUrlA InternetOpenA InternetSetOptionW GetAdaptersInfo Much like the prior office monkey "atiumdag.dll" component, this code collects identifying system information using standard win32 API calls: Computer name - GetComputerNameW User name - GetUserNameW Adapter GUID, ip address, mac address - GetAdaptersInfo Windows version - GetVersionExW It then uses the runtime resolved networking API calls to send the collected data back to a hardcoded c2 and set of urls. Cache.dll connectback urls: 209.200.83.43/ajax/links.php 209.200.83.43/ajax/api.php 209.200.83.43/ajax/index.php 209.200.83.43/ajax/error.php 209.200.83.43/ajax/profile.php 209.200.83.43/ajax/online.php 209.200.83.43/ajax/loader.php 209.200.83.43/ajax/search.php Observed user-agent string on the wire, but it's dynamically generated based on the Windows system settings (retrieved using standard win32 api "ObtainUserAgentString"): "U A t M ill /4 0 ( tibl MSIE 6 0 Wi d NT 5 1 SV1 NET CLR 2 0 50727 NET CLR ----- **Connections with MiniDuke/CosmicDuke/OnionDuke:** One of the second stage modules of Cozy Bear, Show.dll, is particularly interesting because it appears to have been built onto the same platform as OnionDuke. Below we compare Show.dll with the OnionDuke sample MD5: c8eb6040fd02d77660d19057a38ff769. Both have exactly the same export tables and appear to be called internally "UserCache.dll": This seems to indicate the authors of OnionDuke and Cozy Bear are the same, or working together. Another interesting comparison of two other files matches a recent second stage tool from the CozyDuke attacks with a second stage component from other Miniduke/Onionduke attacks. 2e0361fd73f60c76c69806205307ccac, update.dll (Miniduke), 425kb (internal name = "UserCache.dll") 9e3f3b5e9ece79102d257e8cf982e09e, cache.dll (Cozyduke), 425kb (internal name = "UserCache.dll") The two share identical export function names in their export directories, and the naming appears to be randomly assigned at compile time. The table below presents the function matches based on size data, but the calls, jmps and code all match as well. The contents of only one of these exports in update.dll has no match whatsoever in cache.dll. ----- Unlike the atiumdag.dll file above, however, cache.dll and update.dll do not maintain anti-AV and antianalysis functionality sets. Perhaps they plan to pair this stealer with another dropper that maintains the WMI anti-AV functionality. We expect ongoing and further activity from this group in the near future and variations on the malware used in previous duke-ish incidents. For more information about MiniDuke, CosmicDuke and OnionDuke, please see References. **Appendix: Parallel and Previous Research** The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor, Securelist, Feb 2013 Miniduke is back: Nemesis Gemina and the Botgen Studio, Securelist, July 2014 MiniDuke 2 (CosmicDuke), CrySyS, July 2014 COSMICDUKE Cosmu with a twist of MiniDuke [pdf], F-Secure, September 2014 THE CASE OF THE MODIFIED BINARIES, Leviathan Security, October 2014 A word on CosmicDuke, Blaze's Security Blog, September 2014 OnionDuke: APT Attacks Via the Tor Network, F-Secure, November 2014 The Connections Between MiniDuke, CosmicDuke and OnionDuke, F-Secure, January 2015 _Evernote makes it easy to remember things big and small from your everyday life using your computer,_ _tablet, phone and the web._ [Terms of Service](https://evernote.com/tos/) [Privacy Policy](https://evernote.com/privacy/) -----