A CYBER ESPIONAGE THREAT attacking the White House and US State Department has been discovered by Russian security firm Kaspersky Lab.
The 'CozyDuke' advanced persistent threat (APT) was uncovered by Kaspersky's Global Research and Analysis Team, and is described as worrying owing to its ability to spearphish targets with emails containing a link to a hacked website.
"Sometimes it is a high-profile, legitimate site such as 'diplomacy.pl' hosting a Zip archive," explained Kaspersky researchers Kurt Baumgartner and Costin Raiu in a SecureList blog post.
"The Zip archive contains a RAR SFX which installs the malware and shows an empty PDF decoy."
Kaspersky found that the APT sends out phony flash videos directly as email attachments to dupe victims. One example is Office Monkeys LOL Video.zip, an executable that plays a flash video of a monkey in a suit while dropping and running the CozyDuke executable on the victim's system.
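The delivery chain described above (a Zip archive carrying a self-extracting executable dressed up as a video, beside a PDF decoy) is the kind of lure a mail gateway or analyst triage script can flag before anyone double-clicks it. The Python below is an added example, not code from the article or from Kaspersky; the archive it scans is constructed in memory with made-up file names and a two-byte "MZ" stub standing in for a real PE, so it runs offline. The extension lists and the rule that a PE header or an executable extension behind a media/document extension is suspicious are the example's own assumptions.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows will execute on double-click. Assumption of this example,
# not a list from the article; extend it to taste.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".ps1", ".hta", ".lnk"}

# Extensions attackers like to put in front of the real one ("Video.mp4.exe").
DECOY_EXTENSIONS = {".mp4", ".avi", ".wmv", ".flv", ".pdf", ".doc", ".docx",
                    ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def build_sample_archive() -> bytes:
    """Constructed sample: mimics the lure layout, no real malware inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Executable posing as a video: PE magic "MZ" followed by padding.
        zf.writestr("Office Monkeys LOL Video.mp4.exe", b"MZ" + b"\x00" * 62)
        # An (almost) empty PDF playing the decoy role.
        zf.writestr("decoy.pdf", b"%PDF-1.4\n%%EOF\n")
        # A PE with no extension at all; only content sniffing catches this one.
        zf.writestr("setup", b"MZ" + b"\x90" * 30)
        # Harmless text file that should not be flagged.
        zf.writestr("notes.txt", b"lunch at noon")
    return buf.getvalue()


def looks_like_pe(head: bytes) -> bool:
    """DOS/PE images start with the 'MZ' magic regardless of their file name."""
    return head[:2] == b"MZ"


def split_extensions(filename: str) -> List[str]:
    """'a/Video.mp4.exe' -> ['.mp4', '.exe']; names without a dot give []."""
    base = filename.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def scan_archive(data: bytes, sniff_bytes: int = 64) -> List[Dict]:
    """Return one finding per archive member that looks like an executable lure.

    Each finding carries the member name, its uncompressed size and the list
    of reasons it was flagged, so a triage script can decide what to do.
    """
    findings: List[Dict] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons: List[str] = []
            exts = split_extensions(info.filename)
            final_ext = exts[-1] if exts else ""
            if final_ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {final_ext}")
                # Executable hiding behind a media/document extension.
                if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
                    reasons.append(f"disguised as {exts[-2]}")
            # Never trust the name alone: sniff the first bytes of the member.
            with zf.open(info) as fh:
                head = fh.read(sniff_bytes)
            if looks_like_pe(head):
                reasons.append("PE (MZ) header")
            if reasons:
                findings.append({"name": info.filename,
                                 "size": info.file_size,
                                 "reasons": reasons})
    return findings


def verdict(findings: List[Dict]) -> str:
    """Collapse findings into a one-word label for a gateway or SIEM field."""
    return "suspicious" if findings else "clean"


if __name__ == "__main__":
    results = scan_archive(build_sample_archive())
    print(verdict(results))
    for f in results:
        print(f"{f['name']!r}: {', '.join(f['reasons'])}")
```

The content sniff matters more than the name rules: the "setup" member has no extension, so only the MZ check catches it, while the "Office Monkeys" member trips all three rules. For production use, read members with a size cap and treat password-protected or nested archives as findings in their own right, since both are common ways to get past exactly this kind of check.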
"These videos are quickly passed around offices with delight while systems are infected in the background silently," Kaspersky said. "Many of this APT's components are signed with phony Intel and AMD digital certificates."
Kaspersky said that the operation has other alarming, although "fascinating", aspects, such as cryptography and anti-detection capabilities.
The code hunts through a victim's computer for antivirus products to evade, including suites from Kaspersky, Sophos, DrWeb, Avira, Crystal and Comodo.
The file does this by collecting system information and invoking a WMI instance in the root\securitycenter namespace to identify security products installed on the system. Kaspersky said this indicates that the code was built for x86 systems.
Another interesting aspect is that the APT has strong functional and structural malware similarities with early MiniDuke second-stage components, along with more recent CosmicDuke and OnionDuke cyber espionage campaigns, believed to have Russian-speaking authors behind them.
Kaspersky said that the CozyDuke author is behind other APTs, including a computer network hack at the White House in October 2014 and attacks on the State Department in November 2014, which forced the closure of its email system, and again in February 2015.