The CozyDuke APT

no-image

CozyDuke (aka CozyBear, CozyCar or “Office Monkeys”) is a threat actor that became increasingly active in the 2nd half of 2014 and hit a variety of targets. The White House and Department of State are two of the most spectacular known victims.

The operation presents several interesting aspects

  • blatantly sensitive high profile victims and targets
  • crypto and anti-detection capabilities
  • strong malware functional and structural similarities mating this toolset to early MiniDuke second stage components, along with more recent CosmicDuke and OnionDuke components

The actor often spearphishes targets with e-mails containing a link to a hacked website. Sometimes it is a high profile, legitimate site such as “diplomacy.pl”, hosting a ZIP archive. The ZIP archive contains a RAR SFX which installs the malware and shows an empty PDF decoy.

monkeys

In other highly successful runs, this actor sends out phony flash videos directly as email attachments. A clever example is “Office Monkeys LOL Video.zip”. The executable within not only plays a flash video, but drops and runs another CozyDuke executable. These videos are quickly passed around offices with delight while systems are infected in the background silently. Many of this APT’s components are signed with phony Intel and AMD digital certificates.

Recent Cozyduke APT activity attracted significant attention in the news:
Sources: State Dept. hack the ‘worst ever’
White House computer network ‘hacked’
Three Months Later, State Department Hasn’t Rooted Out Hackers
State Department shuts down its e-mail system amid concerns about hacking

Let’s examine a smattering of representative CozyDuke files and data. There is much to their toolset.

Office Monkeys dropper analysis
The droppers and spyware components often maintain fairly common characteristics
68271df868f462c06e24a896a9494225,Office Monkeys LOL Video.zip

Believe it or not, recipients in bulk run the file within:
95b3ec0a4e539efaa1faa3d4e25d51de,Office Monkeys (Short Flash Movie).exe
 
This file in turn drops two executables to %temp%

  • 2aabd78ef11926d7b562fd0d91e68ad3, Monkeys.exe
  • 3d3363598f87c78826c859077606e514, player.exe

It first launches Monkeys.exe, playing a self-contained, very funny video of white-collar tie wearing chimpanzees working in a high rise office with a human colleague. It then launches player.exe, a CozyDuke dropper maintaining anti-detection techniques:
3d3363598f87c78826c859077606e514,338kb,player.exe,Trojan.Win32.CozyBear.v,CompiledOn:2014.07.02 21:13:33

The file collects system information, and then invokes a WMI instance in the root\securitycenter namespace to identify security products installed on the system, meaning that this code was built for x86 systems, wql here:
SELECT * FROM AntiVirusProduct
SELECT * FROM FireWallProduct

The code hunts for several security products to evade:

  • CRYSTAL
  • KASPERSKY
  • SOPHOS
  • DrWeb
  • AVIRA
  • COMODO Dragon

 
In addition to the WMI/wql use, it also hunts through the “SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\” registry key looking for security products to avoid.
 
Following these checks, it drops several more malware files signed with the pasted AMD digital signature to a directory it creates. These files are stored within an 217kb encrypted cab file in the dropper’s resources under the name “A”. The cab file was encrypted and decrypted using a simple xor cipher with a rotating 16 byte key: \x36\x11\xdd\x08\xac\x4b\x72\xf8\x51\x04\x68\x2e\x3e\x38\x64\x32.

The cab file is decompressed and its contents are created on disk. These dropped files bundle functionality for both 64bit and 32bit Windows systems:
C:\Documents and Settings\user\Application Data\ATI_Subsystem\
6761106f816313394a653db5172dc487,54kb,amdhcp32.dll  ← 32bit dll,CompiledOn:2014.07.02 21:13:24
d596827d48a3ff836545b3a999f2c3e3,60kb,aticaldd.dll  ← 64bit dll,CompiledOn:2014.07.02 21:13:26
bc626c8f11ed753f33ad1c0fe848d898,285kb,atiumdag.dll ← 32bit dll, 279kb, Trojan.Win32.CozyDuke.a, CompiledOn:2014.07.02 21:13:26
4152e79e3dbde55dcf3fc2014700a022,6kb,racss.dat
 
The code copies rundll32.exe from windows\system32 to its newly created %appdata%\ATI_Subsystem subdirectory as “amdocl_as32.exe” alongside the three dll’s listed above. It runs atiumdag.dll with two parameter values, it’s only export and an arbitrary pid,  i.e.:
“C:\Documents and Settings\user\Application Data\ATI_Subsystem\amdocl_as32.exe” “C:\Documents and Settings\user\Application Data\ATI_Subsystem\atiumdag.dll””, ADL2_ApplicationProfiles_System_Reload 1684″
 
This dll is built with anti-AV protections as well. However, it looks for a different but overlapping set, and the random duplication suggests that this component was cobbled together with its dropper, partly regionally based on target selection.

  • K7
  • KASPERSKY
  • AVG

 
The code collects information about the system
efd5aba3-6719-4655-8a72-1aa93feefa38C:\Documents and Settings\user\Application Data\ATI_Subsystem\amdocl_as32exeMyPCuserMicrosoft Windows XP 512600 SP 30 x32Admin192.60.11.1008:11:17:f2:9a:efSophos Anti-Virus

Finally, this process beacons to www.sanjosemaristas.com, which appears to be a site that has been compromised and misused multiple times in the past couple of years.
hxxp://www.sanjosemaristas.com/app/index.php?{A01BA0AD-9BB3-4F38-B76B-A00AD11CBAAA}, providing the current network adapter’s service name GUID. It uses standard Win32 base cryptography functions to generate a CALG_RC4 session key to encrypt the collected data communications and POSTs it to the server.

Executable-Signing Certificates

Samples are usually signed with a fake certificate – we’ve seen two instances, one AMD and one Intel:

FakeCerts

Configuration files:

Some of the malware uses an encrypted configuration file which is stored on disk as “racss.dat”. This is encrypted by RC4, using key {0xb5, 0x78, 0x62, 0x52, 0x98, 0x3e, 0x24, 0xd7, 0x3b, 0xc6, 0xee, 0x7c, 0xb9, 0xed, 0x91, 0x62}. Here’s how it looks decrypted:

CDconfig

C&Cs:

121.193.130.170:443/wp-ajax.php
183.78.169.5:443/search.php
200.119.128.45:443/mobile.php
200.125.133.28:443/search.php
200.125.142.11:443/news.php
201.76.51.10:443/plugins/json.php
202.206.232.20:443/rss.php
202.76.237.216:443/search.php
203.156.161.49:443/plugins/twitter.php
208.75.241.246:443/msearch.php
209.40.72.2:443/plugins/fsearch.php
210.59.2.20:443/search.php
208.77.177.24:443/fsearch.php
www.getiton.hants.org.uk:80/themes/front/img/ajax.php
www.seccionpolitica.com.ar:80/galeria/index.php
209.200.83.43/ajax/links.php
209.200.83.43/ajax/api.php
209.200.83.43/ajax/index.php
209.200.83.43/ajax/error.php
209.200.83.43/ajax/profile.php
209.200.83.43/ajax/online.php
209.200.83.43/ajax/loader.php
209.200.83.43/ajax/search.php

Second stage malware and communications:

The attackers send commands and new modules to be executed to the victims through the C&Cs. The C&C scripts store these temporarily until the next victim connects in local files. We’ve identified two such files:

  • settings.db
  • sdfg3d.db

Here’s how such a database file appears:

db

These are BASE64 encoded and use the same RC4 encryption key as the malware configuration.

Decoding them resulted in the following payloads:

59704bc8bedef32709ab1128734aa846 *ChromeUpdate.ex_
5d8835982d8bfc8b047eb47322436c8a *cmd_task.dll
e0b6f0d368c81a0fb197774d0072f759 *screenshot_task.dll

Decoding them also resulted in a set of tasking files maintaining agent commands and parameter values:

conf.xml

And a set of “reporting” files, maintaining stolen system “info”, error output, and “AgentInfo” output, from victim systems:
DCOM_amdocl_ld_API_.raw
Util_amdave_System_.vol
Last_amdpcom_Subsystem_.max
Data_amdmiracast_API_.aaf
7.txt

screenshot_task.dll is a 32-bit dll used to take a screenshot of the full desktop window and save it as a bitmap in %temp%. The number of times the screenshot is repeated is configurable within the xml task file.

cmd_task.dll is a 32-bit dll that maintains several primitives. It is used to create new processes, perform as a command line shell, and several other tasks.

Each of these payloads is delivered together with a configuration file that explains how to run it, for instance:

decodedConfig

Furthermore, ChromeUpdate is a 64-bit executable (which appears to be a WEXTRACT package) that oddly drops a 32-bit Dll. Cache.dll is simply stored as a cabinet file in the ChromeUpdate’s resource section.

ChromeUpdate.exe starts the file with “rundll32 cache.dll,ADB_Setup”

Cache.dll analysis

cachetable

Cache.dll was written in C/C++ and built with a Microsoft compiler.

Cache.dll code flow overview

  • rc4 decrypt hardcoded c2 and urls
  • resolve hidden function calls
  • collect identifying victim system data
  • encrypt collected data
  • send stolen data to c2 and retrieve commands

Cache.dll code details

Structurally, cache.dll is a fairly large backdoor at 425kb. It maintains both code and data in the raw, encrypted blobs of data to be decrypted and used at runtime, and hidden functionality that isn’t exposed until runtime. No pdb/debug strings are present in the code.

It maintains eight exports, including DllMain:

  • ADB_Add
  • ADB_Cleanup
  • ADB_Initnj
  • ADB_Load
  • ADB_Release
  • ADB_Remove
  • ADB_Setup

ADB_Setup is a entry point that simply spawns another thread and waits for completion.

CacheDLL_ADB_Setup

Above, we see a new thread created with the start address of Cache.dll export  “ADB_Load” by the initial thread.

This exported function is passed control while the initial thread runs a Windows message loop. It first grabs an encrypted blob stored away in a global variable and pulls out 381 bytes of this encrypted data:

cryptedBlob

The standard win32 api CryptDecrypt uses rc4 to decrypt this blob into a hardcoded c2, url path, and url parameters listed below with a simple 140-bit key “\x8B\xFF\x55\x8B\xEC\x83\xEC\x50\xA1\x84\x18\x03\x68\x33\xC9\x66\xF7\x45\x10\xE8\x1F\x89\x45\xFC\x8B\x45\x14\x56”.

DecryptedBlob

The code then decodes this set of import symbols and resolves addresses for its networking and data stealing functionality:
InternetCloseHandle
InternetReadFile
HttpSendRequestA
HttpOpenRequestA
HttpQueryInfoA
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetSetOptionW
GetAdaptersInfo

Much like the prior office monkey “atiumdag.dll” component, this code collects identifying system information using standard win32 API calls:

  • Computer name – GetComputerNameW
  • User name – GetUserNameW
  • Adapter GUID, ip address, mac address – GetAdaptersInfo
  • Windows version – GetVersionExW

It then uses the runtime resolved networking API calls to send the collected data back to a hardcoded c2 and set of urls.

Cache.dll connectback urls:
209.200.83.43/ajax/links.php
209.200.83.43/ajax/api.php
209.200.83.43/ajax/index.php
209.200.83.43/ajax/error.php
209.200.83.43/ajax/profile.php
209.200.83.43/ajax/online.php
209.200.83.43/ajax/loader.php
209.200.83.43/ajax/search.php

Observed user-agent string on the wire, but it’s dynamically generated based on the Windows system settings (retrieved using standard win32 api “ObtainUserAgentString”):
“User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)”

Connections with MiniDuke/CosmicDuke/OnionDuke:

One of the second stage modules of Cozy Bear, Show.dll, is particularly interesting because it appears to have been built onto the same platform as OnionDuke. Below we compare Show.dll with the OnionDuke sample MD5: c8eb6040fd02d77660d19057a38ff769. Both have exactly the same export tables and appear to be called internally “UserCache.dll”:

onion

This seems to indicate the authors of OnionDuke and Cozy Bear are the same, or working together.

Another interesting comparison of two other files matches a recent second stage tool from the CozyDuke attacks with a second stage component from other Miniduke/Onionduke attacks.
2e0361fd73f60c76c69806205307ccac, update.dll (Miniduke), 425kb (internal name = “UserCache.dll“)
9e3f3b5e9ece79102d257e8cf982e09e, cache.dll (Cozyduke), 425kb (internal name = “UserCache.dll“)

The two share identical export function names in their export directories, and the naming appears to be randomly assigned at compile time. The table below presents the function matches based on size data, but the calls, jmps and code all match as well. The contents of only one of these exports in update.dll has no match whatsoever in cache.dll.

exports

Unlike the atiumdag.dll file above, however, cache.dll and update.dll do not maintain anti-AV and anti-analysis functionality sets. Perhaps they plan to pair this stealer with another dropper that maintains the WMI anti-AV functionality.

We expect ongoing and further activity from this group in the near future and variations on the malware used in previous duke-ish incidents.

For more information about MiniDuke, CosmicDuke and OnionDuke, please see References.

Appendix: Parallel and Previous Research

The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor, Securelist, Feb 2013

Miniduke is back: Nemesis Gemina and the Botgen Studio, Securelist, July 2014

MiniDuke 2 (CosmicDuke), CrySyS, July 2014

COSMICDUKE Cosmu with a twist of MiniDuke [pdf], F-Secure, September 2014

THE CASE OF THE MODIFIED BINARIES, Leviathan Security, October 2014

A word on CosmicDuke, Blaze’s Security Blog, September 2014

OnionDuke: APT Attacks Via the Tor Network, F-Secure, November 2014

The Connections Between MiniDuke, CosmicDuke and OnionDuke, F-Secure, January 2015

Read more: The CozyDuke APT

Story added 21. April 2015, content source with full text you can find at link above.