Intelligence

Cozy Bear targets NGOs and Think Tanks in post-election attacks

Cozy Bear launched new spear-phishing attacks against US policy think-tanks aiming to infect their systems with a malware.

Trump is the new US President, a few hours after he won the election, a hacking crew powered several spear-phishing attacks against US policy think-tanks aiming to infect their systems with a malware.

The security experts believe the attacks were powered by the notorious ATP Cozy Bear, also known as APT29 and CozyDuke. The CozyDuke is one of the groups involved in the Democratic National Committee (DNC) is considered by several security experts a group of Russian state-sponsored hackers.

According to the security firm Volexity, a few hours after the election people associated with non-governmental organizations (NGOs), policy think tanks in the US and even inside the US Government were targeted by malicious messages sent by the Cozy Bear hackers.

“Three of the five attack waves contained links to download files from domains that the attackers appear to have control over,” reads a blog post published by Volexity. “The other two attacks contained documents with malicious macros embedded within them. Each of these different attack waves was slightly different from one another.”

cozy bear spear-phishing-attack-examplescozy bear spear-phishing-attack-examples

The researchers spotted at least five different waves of phishing attacks targeting people who work for organizations, including the RAND Corporation, Radio Free Europe/Radio Liberty, the Atlantic Council, and the State Department, among others.

The attackers used Gmail accounts that were specifically created for the phishing campaign and other compromised email accounts at Harvard University’s Faculty of Arts and Sciences (FAS).

They attackers used malicious attachments or emails embedding a malicious link to deliver on the victim’s machine a backdoor dubbed PowerDuke. PowerDuke is a high-sophisticated backdoor that could allow gaining full control of the infected machine implementing complex evasion techniques.

“The PowerDuke backdoor boasts a pretty extensive list of features that allow the Dukes to examine and control a system. Volexity suspects the feature set that has been built into PowerDuke is an extension of their anti-VM capabilities in the initial dropper files. Several commands supported by PowerDuke facilitate getting information about the system.” continues the post.

PowerDuke leverages on steganography to hide the components of the backdoor in PNG files. The backdoor code would exist only in memory after being loaded into rundll32.exe.

Clearly, the attackers tried to exploit the media attention of the Presidential election and its results. In particular, the attackers were interested in targeting people working for the US government that were concerned about Trump’s victory.

The experts noticed that attackers sent messages that pretend to be originated from organizations like the Clinton Foundation that were providing further details on the reason for the defeat.

The experts revealed the emails were sent from an email address of a professor at Harvard that was likely compromised by Cozy Bear hackers.

The emails observed the spear phishing messages embedding malicious links to .ZIP files or malicious Windows shortcut files linked to a “clean” Rich Text Format document and a PowerShell script.

“The group’s anti-VM macros and PowerShell scripts appear to have drastically reduced the number of sandboxes and bots that the group has to deal with on their command and control infrastructure.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Cozy Bear, Donald Trump)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Paraguay Suffered Data Breach: 7.4 Million Citizen Records Leaked on Dark Web

Resecurity researchers found 7.4 million records containing personally identifiable information (PII) of Paraguay citizens on…

7 hours ago

Apple confirmed that Messages app flaw was actively exploited in the wild<gwmw style="display: none; background-color: transparent;"></gwmw>

Apple confirmed that a security flaw in its Messages app was actively exploited in the…

14 hours ago

Trend Micro fixes critical bugs in Apex Central and TMEE PolicyServer

Trend Micro fixed multiple vulnerabilities that impact its Apex Central and Endpoint Encryption (TMEE) PolicyServer…

17 hours ago

Paragon Graphite Spyware used a zero-day exploit to hack at least two journalists’ iPhones<gwmw style="display:none;"></gwmw><gwmw style="display:none;"></gwmw>

Security researchers at Citizen Lab revealed that Paragon's Graphite spyware can hack fully updated iPhones…

1 day ago

SinoTrack GPS device flaws allow remote vehicle control and location tracking

Two vulnerabilities in SinoTrack GPS devices can allow remote vehicle control and location tracking by…

2 days ago