CozyDuke malware is being used to spy on high profile US organizations



An advanced threat dubbed CozyDuke is being used to spy on high-profile US government organizations. This type of attack is not new; related activity dates back as far as 2011. According to credible sources, the White House and the US Department of State were victims in a recent incident involving CozyDuke. It is no surprise that the attackers go after such important organizations, since several million dollars or more are there for the taking.

CozyDuke uses spear-phishing e-mails that target specific individuals with a malicious link redirecting to a compromised website. The e-mails often link to a seemingly legitimate site such as “” that hosts a malicious zip archive containing a RAR SFX (self-extracting) file, which installs the malware. The attackers also send e-mails with a .zip attachment posing as a flash video (the "office monkeys" video) that drops a CozyDuke malware executable on your system.

CozyDuke is a unique, sophisticated threat

CozyDuke has several unique characteristics and is sophisticated in its malicious operation. Several key elements stand out in this threat:

  • It targets high-profile victims.
  • It has evolving crypto and anti-detection capabilities.
  • It represents a multi-stage malware attack.

Monkeys.exe and player.exe are the two executables dropped by the malicious payload into the %temp% directory after initial infection. Monkeys.exe is launched first, followed by the CozyDuke dropper, which uses anti-detection tactics. The dropper then queries a WMI instance in the root\SecurityCenter namespace to discover which security product is currently installed. Several notable security products are on its list, including Kaspersky, Dr.Web and Avira.

Several malware files, falsely signed with an AMD digital signature, are dropped into a directory the malware creates. These files are encrypted with an XOR cipher and stored on disk. Commands are then sent to the victim machine by the command-and-control server, at which point the system is fully compromised. CozyDuke aims to steal sensitive information and banking details by capturing keystrokes and taking screenshots.

According to the researchers:

“CozyDuke’s custom backdoor components appear to slightly evolve over time, with modifications to anti-detection, cryptography, and trojan functionality changing per operation. This rapid development and deployment reminds us of the APT28/Sofacy toolset”.

How do I avoid being infected by CozyDuke?

  • Never open e-mail attachments from an unknown source.
  • Beware of zip archives with SFX files inside.
  • Keep your operating system and software up-to-date.
  • Run regular antivirus scans on your PC.
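As an added example (not code from the original post), the Python script below applies the "beware of zip archives with SFX files inside" advice to the delivery method described earlier: it classifies each zip member by its leading bytes rather than its file name, flagging PE executables, RAR SFX stubs (a PE stub with a RAR signature embedded after it) and executables posing as videos. The archive it scans is constructed inline and contains no real malware.

```python
import io
import zipfile

# Magic values used to classify archive members by content rather than name.
PE_MAGIC = b"MZ"                 # DOS/PE header, also the start of every SFX stub
RAR_SIGNATURE = b"Rar!\x1a\x07"  # RAR marker block (shared prefix of RAR4 and RAR5)
VIDEO_EXTENSIONS = (".flv", ".swf", ".mp4", ".avi", ".wmv")


def classify_member(name: str, data: bytes) -> str:
    """Classify one zip member. Any verdict other than "ok" warrants quarantine."""
    is_pe = data.startswith(PE_MAGIC)
    if is_pe and RAR_SIGNATURE in data:
        return "rar-sfx"                        # PE stub with a RAR archive appended
    if is_pe and name.lower().endswith(VIDEO_EXTENSIONS):
        return "executable-disguised-as-video"  # lure like the "office monkeys" video
    if is_pe:
        return "executable"
    if data.startswith(RAR_SIGNATURE):
        return "nested-rar"                     # archive inside an archive: inspect further
    return "ok"


def scan_zip(blob: bytes) -> dict:
    """Return {member_name: verdict} for every file in a zip supplied as bytes."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Read the whole member: in a real SFX the stub precedes the RAR data by many KB.
            verdicts[info.filename] = classify_member(info.filename, zf.read(info))
    return verdicts


def should_quarantine(blob: bytes) -> bool:
    """True if any member of the archive is something other than plain content."""
    return any(v != "ok" for v in scan_zip(blob).values())


def build_sample() -> bytes:
    """Constructed sample (not a real malware file): a harmless note plus two lures."""
    fake_sfx = b"MZ" + b"\x00" * 64 + b"stub code" + RAR_SIGNATURE + b"\x00payload"
    fake_video_exe = b"MZ" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agenda.txt", "meeting agenda")
        zf.writestr("office-monkeys.exe", fake_sfx)
        zf.writestr("office monkey video.flv", fake_video_exe)
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict in scan_zip(build_sample()).items():
        print(f"{member}: {verdict}")
```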

Have a safe (malware-free) day!