White House cyber attackers linked to OnionDuke APT actor

“It’s widely believed that the October 2014 breaches of US State Department and White House computer systems have been executed by Russian hackers. Kaspersky Lab researchers have recently shared more details about the malware used in the attacks.

The compromise of the “blatantly sensitive high profile victims and targets” would usually begin with spear-phishing emails containing a link to a compromised website.

“Sometimes it is a high profile, legitimate site such as ‘diplomacy.pl’, hosting a ZIP archive. The ZIP archive contains a RAR SFX which installs the malware and shows an empty PDF decoy,” the researchers noted. In other cases, a booby-trapped Flash video would be included in the email.

“A clever example is ‘Office Monkeys LOL Video.zip’. The executable within not only plays a Flash video, but drops and runs another CozyDuke executable. These videos are quickly passed around offices with delight while systems are infected in the background silently,” they explained.
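The delivery chain described above (a ZIP archive carrying a RAR SFX executable, or an executable named like a video so that it gets passed around) can be screened for at the mail gateway with simple structural checks. The following is an added example written for this page, not code from Kaspersky or from the original article. It assumes only the generic PE "MZ" header and the RAR archive signature; the archive it scans and the lure filename inside it are constructed inline and are not real samples.

```python
import io
import re
import zipfile

# Byte signatures. Windows PE files start with "MZ"; a RAR SFX is a PE stub with
# the RAR archive (carrying this marker) appended to it.
PE_MAGIC = b"MZ"
RAR_MARKER = b"Rar!\x1a\x07"

# Extensions that Windows executes when the file is double-clicked.
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".cpl")
# Words in a filename that invite a click on what is really a program.
LURE_WORDS = ("video", "movie", "lol", "pdf", "invoice", "scan")

MAX_SCAN_BYTES = 4 * 1024 * 1024  # cap per member so one huge member cannot exhaust memory


def classify_member(name: str, data: bytes) -> list[str]:
    """Return the findings for one archive member; an empty list means nothing suspicious."""
    findings = []
    lower = name.lower().rsplit("/", 1)[-1]  # ignore any directory prefix inside the archive
    is_pe = data.startswith(PE_MAGIC)
    has_exec_ext = lower.endswith(EXEC_EXTENSIONS)
    if is_pe and RAR_MARKER in data:
        findings.append("RAR SFX: executable with an embedded RAR archive")
    if is_pe and not has_exec_ext:
        findings.append("PE content under a non-executable extension")
    if has_exec_ext and re.search(r"\.(pdf|doc|docx|avi|mp4|flv|wmv|swf|jpg)\.[a-z]+$", lower):
        findings.append("double extension hides an executable")
    if has_exec_ext and any(word in lower for word in LURE_WORDS):
        findings.append("executable named like a video/document lure")
    return findings


def scan_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Scan every file in an in-memory ZIP; return {member name: findings} for flagged members."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                data = member.read(MAX_SCAN_BYTES)
            findings = classify_member(info.filename, data)
            if findings:
                flagged[info.filename] = findings
    return flagged


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real malware sample): a fake RAR SFX named as a
    video lure, a double-extension executable, and two harmless files."""
    sfx_stub = PE_MAGIC + b"\x90" * 64 + RAR_MARKER + b"\x00" * 32  # PE header bytes + RAR marker
    plain_pe = PE_MAGIC + b"\x90" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Office Monkeys LOL Video.exe", sfx_stub)  # lure name taken from the article
        zf.writestr("report.pdf.exe", plain_pe)                # constructed double-extension name
        zf.writestr("decoy.pdf", b"%PDF-1.4\n%%EOF\n")
        zf.writestr("notes.txt", b"nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_zip(build_sample_zip()).items():
        print(member)
        for finding in findings:
            print("   -", finding)
```

The checks are deliberately cheap and content-based rather than name-based only: a PE header under a `.avi` name, or a RAR marker inside an executable, is flagged regardless of what the attachment is called, while the filename heuristics catch the social-engineering side of the lure. On a real gateway these findings would feed a quarantine decision rather than a print statement.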

In this campaign, dubbed CozyDuke due to its similarities with those run by the MiniDuke/OnionDuke APT actors, the attackers would deliver a dropper equipped with anti-detection techniques to the targeted system.

The dropper would ultimately download additional malicious files signed with fake Intel and AMD digital certificates.

This malware would collect information about the system and send it to a server controlled by the attackers.

Other modules would then be downloaded from the server and executed, including a backdoor, a data-stealing module, and a desktop screenshot-taking module.

“One of the second stage modules of CozyDuke, Show.dll, is particularly interesting because it appears to have been built onto the same platform as OnionDuke,” the researchers noted. “This seems to indicate the authors of OnionDuke and CozyDuke/Cozy Bear are the same, or working together.”

For additional (and extensive) technical details about the campaign and malware used, check out Kaspersky’s blog post.”
