This whitepaper provides an overview of CozyDuke, a set of tools used by one or more malicious actors for performing targeted attacks against high profile organizations, such as governmental organizations and other entities that work closely with these institutions.
The CozyDuke toolset, which we believe has been under active development since at least 2011, consists of tools for infecting targeted hosts, establishing and maintaining backdoor access to the hosts, gathering information from them and gaining further access to other hosts inside the victim organization.
Based on command and control (C&C) server information found being used by CozyDuke tools, we believe the CozyDuke toolset is used by at least one malicious actor who also uses, or at the least shares infrastructure with actors using the known threats, MiniDuke and OnionDuke.
Two years ago, we found a malware called Janicab. It targets both Mac and Windows OSes using Python and VBS scripts, respectively.
For Windows OS, this malware was delivered via a document that exploited CVE-2012-0158. In addition, we've also seen it delivered in a form of a Microsoft Shell Link (.lnk) file that drops an embedded encoded VBScript, sometime from 2013 until recently.
There are several tricks the dropper uses for obfuscating its purpose:
- Filename with double extension (Example: .jpg.lnk or .doc.lnk) - Using the icon of notepad.exe (instead of the default, cmd.exe) - Possibly sensitive data zeroed out, for example, machine identifier and relative path
But the most interesting part is the use of an undocumented method for hiding the command line argument string from Windows explorer. Typically, the target and its arguments are visible in Windows explorer as a single string in the shortcut properties, when the user right-clicks on the shortcut icon. However, the command line argument is not visible in this scenario.
Within the LNK, there is a hidden command line argument which consists of a series of shell commands glued together with an &-operator.
Here's the list of the commands that essentially does the dropping and execution of the malicious VBE:
The malware script is encoded using the Microsoft Script Encoder, and is embedded at the end of the LNK file.
The script drops decoy files such as these upon execution:
Like the previous variants, Janicab still uses third-party web services such as Youtube for getting its C&C.
It used to be that the actual C&C IPs were shown in Youtube. But as seen above, the malware authors have attempted to obscure the C&C. The recent variant gathers the number in the comments using the format "our (.*)th psy anniversary".
The actual IP is obtained by dividing and converting the numbers found in the web services.
Another change found in this variant is the dropping of a copy of snapIt.exe in %UserProfile$\SystemFolder. This application is used by Janicab to capture screenshots and save them as ~PF214C.tmp.
It also now checks for signs of being run in virtual machines such as VirtualBox, Parallels and VMWare. As well as, checks if it's running in an analysis machine by looking at these running processes.
Here is the list of C&Cs we've seen so far for this variant: • 18.104.22.168 • 22.214.171.124 • 126.96.36.199 • 188.8.131.52
With the following C&C communication formats: • [C&C]/Status2.php - Check C&C status • [C&C]/a.php?id=[SerialIDfromCnC]&v=[malware_version]&av=[InstalledAV] - Inform that cookies and decoy have been deleted • [C&C]/gid.php?action=add&cn=[ComputerName]&un=[UserName]&v=[malware_version]&av=[InstalledAV]&an=[notifyName] - Get Serial ID • [C&C]/rit.php?cn=[ComputerName]&un=[UserName]&an=[notifyName]&id=[SerialIDfromCnC]&r=[VMorRunningProcessName] - Inform running analysis process or sandbox environment • [C&C]/sm.php?data=[InstalledAV] - Obtain startup mechanism • [C&C]/c.php?id=[SerialIDfromCnC] - Get commands • [C&C]/rs.php - Send screenshot • [C&C]/rk.php - Send data • [C&C]/d.php?f=[Base64EncodedData] - Download file
The samples are detected as Trojan-Dropper:W32/Janicab.A.
Journalist John Leyden recently contacted us for our opinion on vulnerability research by Tom Forbes. The focus of Forbes' research was Dell's "System Detect" utility and a flaw that allows for remote code execution. Forbes reported his findings last November and Dell mitigated the issue in January (and also again last week).
But a significant problem remains from our point of view.
Older versions of the software don't update themselves and there remains a lot of vulnerable computers out there. Over time, our customers have scanned various versions of System Detect many hundreds of thousands of times. It's very prevalent software. From just our customer base statistics within the last two weeks, we can see approximately 100,000 customers queried reputation checks on System Detect. Only about one percent of our customers are now running the latest version (6.0.14, represented by red in the chart below).
Older versions of System Detect create a run key in the registry that starts the service automatically. So vulnerable versions run persistently even though it's only needed when visiting Dell's support site. The latest version — 6.0.14 — doesn't create a run key.
Exploiting older versions of System Detect is very easy. It only requires that the target visits a URL with some variation of "dell" in its domain. Exactly where in the URL varies depending on the version of the software.
We used Forbe's research and our own black-box testing to run three versions of System Detect, observing network traffic and replaying the same traffic with small modifications. We confirmed the older versions can be used to launch calc.exe from a targeted machine (i.e., Remote Code Execution).
For the 184.108.40.206 version, the domain part of the referer-field's URL needs to contain "dell.com" but it accepts also "www.notreallydell.com", so it's highly vulnerable.
Version 6.0.9 was released after Forbes reported the issue to Dell. It requires that the domain contains ".dell.". This means it also accepts "a.dell.fakesite.ownedbythebadguys.com", so it's also just as vulnerable to a web-based attack.
The current version, 6.0.14, requires that the domain is "*.dell.com" which more or less addresses the problem, especially when combined with the lack of autostart. If you need to have a version installed, it should be this one.
Older versions should definitely be uninstalled as soon as possible.