Intelligence

Cozy Bear targets NGOs and Think Tanks in post-election attacks

Cozy Bear launched new spear-phishing attacks against US policy think-tanks aiming to infect their systems with a malware.

Trump is the new US President, a few hours after he won the election, a hacking crew powered several spear-phishing attacks against US policy think-tanks aiming to infect their systems with a malware.

The security experts believe the attacks were powered by the notorious ATP Cozy Bear, also known as APT29 and CozyDuke. The CozyDuke is one of the groups involved in the Democratic National Committee (DNC) is considered by several security experts a group of Russian state-sponsored hackers.

According to the security firm Volexity, a few hours after the election people associated with non-governmental organizations (NGOs), policy think tanks in the US and even inside the US Government were targeted by malicious messages sent by the Cozy Bear hackers.

“Three of the five attack waves contained links to download files from domains that the attackers appear to have control over,” reads a blog post published by Volexity. “The other two attacks contained documents with malicious macros embedded within them. Each of these different attack waves was slightly different from one another.”

The researchers spotted at least five different waves of phishing attacks targeting people who work for organizations, including the RAND Corporation, Radio Free Europe/Radio Liberty, the Atlantic Council, and the State Department, among others.

The attackers used Gmail accounts that were specifically created for the phishing campaign and other compromised email accounts at Harvard University’s Faculty of Arts and Sciences (FAS).

They attackers used malicious attachments or emails embedding a malicious link to deliver on the victim’s machine a backdoor dubbed PowerDuke. PowerDuke is a high-sophisticated backdoor that could allow gaining full control of the infected machine implementing complex evasion techniques.

“The PowerDuke backdoor boasts a pretty extensive list of features that allow the Dukes to examine and control a system. Volexity suspects the feature set that has been built into PowerDuke is an extension of their anti-VM capabilities in the initial dropper files. Several commands supported by PowerDuke facilitate getting information about the system.” continues the post.

PowerDuke leverages on steganography to hide the components of the backdoor in PNG files. The backdoor code would exist only in memory after being loaded into rundll32.exe.

Clearly, the attackers tried to exploit the media attention of the Presidential election and its results. In particular, the attackers were interested in targeting people working for the US government that were concerned about Trump’s victory.

The experts noticed that attackers sent messages that pretend to be originated from organizations like the Clinton Foundation that were providing further details on the reason for the defeat.

The experts revealed the emails were sent from an email address of a professor at Harvard that was likely compromised by Cozy Bear hackers.

The emails observed the spear phishing messages embedding malicious links to .ZIP files or malicious Windows shortcut files linked to a “clean” Rich Text Format document and a PowerShell script.

“The group’s anti-VM macros and PowerShell scripts appear to have drastically reduced the number of sandboxes and bots that the group has to deal with on their command and control infrastructure.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Cozy Bear, Donald Trump)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco warns of password-spraying attacks targeting Secure Firewall devices

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…

3 hours ago

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

7 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

21 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 day ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

2 days ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

This website uses cookies.