Cozy Bear, a threat actor believed to be working for the Russian government, managed to carry out cyber-espionage activities undetected in recent years by using malware families previously unknown to security researchers.
The group was able to keep its operation under the radar for a long time by using stealthy communication techniques between infected systems and its command and control (C2) servers.
Cyber-espionage campaigns that probably began in 2013, collectively referred to as “Operation Ghost,” have been attributed to this group and continued until 2019.
The Dukes, APT29, CozyCar, CozyDuke, Yttrium, Team 100 and Office Monkeys are the names security professionals use to refer to Cozy Bear.
Recent APT29 Victims
ESET researchers tracking the threat actor identified at least three targets of Operation Ghost, all of them European foreign ministries, including the embassy of the EU in Washington, DC.
The victim count is probably higher, but victims are difficult to identify because the threat actor uses a different command and control (C2) infrastructure for each target.
The last campaign credited to Cozy Bear was against the Norwegian government in January 2017.
In November 2018, FireEye reported suspected Cozy Bear phishing attacks on more than 20 of its customers across several industries. They could not be attributed to this group with high confidence, however, because the malware sample used by the attackers had been available in a public repository for years.
The group’s primary purpose is cyber warfare, and its targets are usually governments in the West and in former Soviet states, as well as NATO, think tanks and political parties.
Cozy Bear is an advanced adversary whose activities were first disclosed to the public by Kaspersky researchers, who identified the MiniDuke implant in early 2013.
The group has been operating since at least 2008 and drew increased media attention after it emerged that it had been active ahead of the 2016 U.S. presidential election in connection with the Democratic National Committee.
New Intrusion Tools
The researchers found and analyzed three new malicious tools, which the group uses during several phases of an intrusion:
- PolyglotDuke, the first-stage downloader for the MiniDuke backdoor.
- RegDuke, a fallback for the first stage, used when the attacker loses control of the other implants on a compromised device.
- FatDuke, the third-stage backdoor used on high-interest computers, deployed through MiniDuke or through PsExec on Windows.
The MiniDuke toolset is linked to Cozy Bear activity from 2010 to 2015. Its code was reused in the CosmicDuke malware.
The link between the Operation Ghost tools and this threat actor is backed by clear code similarities with known malware samples used in earlier campaigns. However, ESET does not rule out a false-flag operation.
“We cannot discount the possibility of a false flag operation; however, this campaign started while only a small portion of the Dukes’ arsenal was known. In 2013, at the first known compilation date of PolyglotDuke, only MiniDuke had been documented and threat analysts were not yet aware of the importance of this threat actor. Thus, we believe Operation Ghost was run simultaneously with the other campaigns and has flown under the radar until now” – ESET
One characteristic noted by ESET researchers is that the group uses social websites and services such as Reddit, Facebook, Imgur, Evernote Public Notes and ImgBB to host the URLs of its C2 servers.
We observed this behavior as early as 2014, when a member of the Cozy Bear group posted an encoded string in a Reddit comment that turned out to be a C2 URL used by PolyglotDuke.
Encoded C2 URL in Reddit comment
F-Secure documented this technique with the OnionDuke malware, another weapon in the Dukes’ arsenal. ESET also observed it in a 2017 tweet attributed to a Cozy Bear operator.
In addition, ESET’s analysis revealed custom string-encryption functions in PolyglotDuke that are similar to those F-Secure described in OnionDuke.
Custom string encryption in OnionDuke and PolyglotDuke
After the PolyglotDuke infection, the group moves to RegDuke, which stays as quiet as possible on the network. It is meant to let the actor keep a foothold on the affected host if access to the other tools is lost.
The payload is a fileless backdoor that uses Dropbox as its C2. The C2 URL is hidden with steganography inside seemingly normal images stored in the file-hosting account.
Extracting C2 URL from pixels
The researchers show that every pixel is encoded in 24 bits corresponding to the RGB color model, and that the “least significant bit” technique is used to store 8 bits of data in each pixel.
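The following is an added illustration of the general least-significant-bit technique the article describes; it is constructed for this page and is neither ESET's code nor RegDuke's actual encoding. The page does not say how the 8 payload bits are spread across the three channels, so the block assumes a 3/3/2-bit split over R/G/B (an assumption, not a documented detail), and the pixel array, the placeholder URL and the tiny "clean" image are all constructed inline. It also includes a crude defender-side check: the fraction of set bits in the used LSB positions, which a random-looking hidden payload pushes toward 0.5 in otherwise smooth image regions.

```python
from itertools import islice

# Assumed layout (not specified by the page): 3 bits in R, 3 in G, 2 in B,
# giving the 8 payload bits per 24-bit pixel that the article mentions.
BITS_PER_CHANNEL = (3, 3, 2)

# Constructed sample: a smooth 64-pixel "image" whose low bits are all zero,
# standing in for a clean cover image. Each pixel is an (r, g, b) tuple.
SAMPLE_PIXELS = [((i * 3) & 0xF8, (i * 5) & 0xF8, (i * 7) & 0xF8) for i in range(64)]

# Constructed placeholder, not a real C2 address.
PAYLOAD = b"https://example.invalid/c2"


def _to_bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def _lsb_stream(pixels):
    """Yield the low bits of every channel in pixel order, per BITS_PER_CHANNEL."""
    for px in pixels:
        for value, nbits in zip(px, BITS_PER_CHANNEL):
            for i in range(nbits - 1, -1, -1):
                yield (value >> i) & 1


def _bits_to_bytes(bits):
    """Pack a list of bits (MSB first) into bytes; trailing partial bytes are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def embed(pixels, payload: bytes):
    """Return a copy of `pixels` with a 2-byte big-endian length header and the
    payload written into the channel LSBs. Upper bits are left untouched, so the
    image still looks normal to a viewer."""
    msg = len(payload).to_bytes(2, "big") + payload
    bits = list(_to_bits(msg))
    capacity = len(pixels) * sum(BITS_PER_CHANNEL)
    if len(bits) > capacity:
        raise ValueError(f"payload needs {len(bits)} bits, image holds {capacity}")
    out, idx = [], 0
    for px in pixels:
        new_px = []
        for value, nbits in zip(px, BITS_PER_CHANNEL):
            if idx >= len(bits):          # payload exhausted: leave channel as is
                new_px.append(value)
                continue
            chunk = 0
            for _ in range(nbits):        # pad with zeros if the payload ends mid-chunk
                chunk = (chunk << 1) | (bits[idx] if idx < len(bits) else 0)
                idx += 1
            mask = (1 << nbits) - 1
            new_px.append((value & ~mask) | chunk)
        out.append(tuple(new_px))
    return out


def extract(pixels) -> bytes:
    """Read the length header from the LSB stream, then that many payload bytes.
    A clean image with zeroed low bits yields a zero length and hence b''."""
    stream = _lsb_stream(pixels)
    header_bits = list(islice(stream, 16))
    if len(header_bits) < 16:
        return b""
    length = int.from_bytes(_bits_to_bytes(header_bits), "big")
    return _bits_to_bytes(list(islice(stream, length * 8)))


def lsb_ones_ratio(pixels) -> float:
    """Crude detection heuristic: fraction of set bits in the used LSB positions.
    Smooth regions of a clean image have structured (often near-constant) low
    bits; an embedded payload drags the ratio toward 0.5."""
    bits = list(_lsb_stream(pixels))
    return sum(bits) / len(bits) if bits else 0.0


if __name__ == "__main__":
    stego = embed(SAMPLE_PIXELS, PAYLOAD)
    print("recovered:", extract(stego))
    print("clean LSB ratio: %.3f  stego LSB ratio: %.3f"
          % (lsb_ones_ratio(SAMPLE_PIXELS), lsb_ones_ratio(stego)))
```

Real cover images are far less tidy than the constructed gradient, so a single ones-ratio is only a starting point; in practice analysts compare the LSB plane against the rest of the image or against a known-good copy of the same file, which is the more useful signal when hosted images on a file-sharing account are suspected of carrying configuration data.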
At roughly 13 MB, FatDuke is “the latest backdoor flagship in the community and only used on the most interesting computers,” the researchers say.
The unusual size comes from the binary’s packer, which adds a great deal of code to hinder analysis and mask the real functionality. Without this extra weight, FatDuke would be about 1 MB in size.
ESET analysts say this backdoor is usually dropped by MiniDuke or by lateral-movement software such as PsExec. The attackers periodically repack the malware to evade detection; the last compilation date seen by the researchers was May 24, 2019.
In a report published today, ESET provides a detailed technical analysis of the newly discovered Cozy Bear tools, along with information on LiteDuke, a backdoor seen in attacks in 2015 that has since been retired.
ESET believes the Operation Ghost campaign started in 2013, based on the PolyglotDuke compilation date (Monday 18 November 2013, 10:55:03 UTC).
It shows that threat actors do not simply vanish and quit the game, at least not state-sponsored ones. If their operations are no longer being detected, they have likely regrouped, changed their strategy and developed a new toolkit to continue their activities.