Kaspersky Lab: CozyDuke's new digital threat

Kaspersky Lab's Global Research and Analysis Team has published research describing a new, advanced espionage campaign that uses malicious software (CozyDuke) to target very specific, high-ranking victims.

US targets are believed to include the White House and the State Department, while the list of targets also includes government agencies, legal entities and commercial entities in Germany, South Korea and Uzbekistan.

Along with the very precise targeting of high-ranking victims, the threat actor has even more disturbing features.

These include encryption and anti-detection capabilities. For example, the code "looks for" the presence of security products (from various vendors) in order to try to evade them.

The vendors whose products the malware tries to evade are Kaspersky Lab, Sophos, DrWeb, Avira, Crystal and Comodo Dragon.

Connection with other digital espionage operations

Kaspersky Lab experts found that the malicious program's robust functionality and structure closely resemble the "toolkit" used in the MiniDuke, CosmicDuke and OnionDuke digital espionage campaigns. Based on a series of indicators, the relevant operations are believed to be run by Russian-speaking creators. Kaspersky Lab notes that MiniDuke and CosmicDuke are still active and are targeting diplomatic organizations and embassies, energy and hydrocarbon companies, telecommunications providers, military organizations, and academic and research institutions in various countries.

Distribution method

The CozyDuke actor often attacks its targets through spear-phishing emails containing a link to a compromised website (sometimes a high-profile, legitimate one such as diplomacy.pl) that hosts a ZIP file containing the malware. In other highly successful operations, this actor sends a fake Flash video with malicious executables included as email attachments.

The CozyDuke software uses a backdoor and a dropper. The malware sends information about the target to the Command & Control server. It also retrieves configuration files and additional modules that perform whatever extra functionality the attackers need.

"We have been following MiniDuke and CosmicDuke for two years now. Kaspersky Lab was the first company to warn about the MiniDuke attacks in 2013, with the 'oldest' known examples of this digital threat dating back to 2008. CozyDuke is definitely associated with these two campaigns, as well as with the OnionDuke digital espionage operation. Each of these threat actors continues to pursue its own goals, and we believe that all their espionage tools were created by Russian-speakers," stated Kurt, Principal Security Researcher of Kaspersky Lab's Global Research and Analysis Team.

Kaspersky Lab products detect all known threats and protect users.

Tips for users

  • Do not open attachments and links from senders you do not know
  • Scan your computer regularly with an advanced anti-malware solution
  • Pay attention to ZIP files containing SFX files
  • If you are unsure about an attachment, try opening it in an isolated environment
  • Make sure you have an updated OS, with all necessary patches installed
  • Update all third-party applications, such as Microsoft Office, Java, Adobe Flash Player and Adobe Reader
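The delivery method described above (a ZIP archive hiding a Windows executable behind a "video" name, or carrying an SFX archive) can be checked for mechanically before a user opens the attachment. The following is an added example, not code from the article or from Kaspersky Lab; the sample archive and its file names are constructed here for illustration, and a real PE file is identified only by its "MZ" header, not by its extension.

```python
import io
import zipfile

# Extensions that Windows will execute, and media extensions commonly used as bait.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MEDIA_EXTS = {".flv", ".mp4", ".avi", ".swf", ".wmv"}


def build_sample_zip(disguised: bool = True) -> bytes:
    """Constructed sample: a ZIP like the one in the article, holding a fake
    'Flash video' that is really a PE executable (PE files begin with b'MZ').
    With disguised=False only the harmless text file is included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"Open the video to watch it.")
        if disguised:
            zf.writestr("holiday_video.flv.exe", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


def inspect_zip(data: bytes) -> list[str]:
    """Return a list of findings for suspicious entries in a ZIP attachment.
    An SFX archive inside the ZIP is itself a PE file, so the MZ check covers
    the 'ZIP containing SFX' case from the tips above as well."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in base.split(".")[1:]]
            with zf.open(info) as f:
                head = f.read(2)
            if head == b"MZ":
                findings.append(f"{info.filename}: PE executable (MZ header)")
            if exts and exts[-1] in EXECUTABLE_EXTS:
                findings.append(f"{info.filename}: executable extension {exts[-1]}")
            if len(exts) >= 2 and exts[-2] in MEDIA_EXTS and exts[-1] in EXECUTABLE_EXTS:
                findings.append(f"{info.filename}: media name hiding an executable")
    return findings


if __name__ == "__main__":
    for line in inspect_zip(build_sample_zip()):
        print(line)
```

The content check matters more than the name check: renaming the executable to "video.flv" would defeat the extension rules but still trip the MZ header test.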

More information about the "CozyDuke" action is available on the site Securelist.com.


Written by Dimitris
