Kaspersky has been on a tear in recent months, making headlines around the world for helping ransomware victims and for calling out the NSA's continued technological oversteps. It isn't stopping there: today it published a breakdown of a threat known as CozyDuke (also tracked as CozyBear or CozyCar), which has hit targets as high profile as the White House and the Department of State in the past few months, and undoubtedly many less visible ones.
The method of attack is a typical one: spear-phishing emails carrying a malicious attachment, or linking to a legitimate but compromised website that hosts an infected archive, in some instances alongside a Flash video that plays as a decoy while the payload runs. However the initial foothold is gained, the result is the same: the CozyDuke executable runs and sets about stealing data from the local system and, where it can reach it, the rest of the network.
What is impressive about CozyDuke, beyond its general sophistication, is that it is modular, with the initial infection being only the first stage. Once in place, the operators can push down secondary components, among them a keylogger and a screenshot grabber that capture what is happening at chosen moments, allowing the attackers to learn far more about the infected system and its user(s).
To avoid detection, the malware checks which anti-virus and anti-malware tools are installed and adjusts its behaviour to slip past them where it can. Its components are also signed with phony certificates bearing AMD and Intel names, so that a cursory look sees what appears to be a legitimate vendor's software rather than an unknown process.
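A practical check that follows from that last point, added here as an illustration rather than anything taken from the article or from Kaspersky's report: a fake certificate can carry whatever subject name its author likes, so the signer's name on its own proves nothing, and only a chain to a trusted root does. The PowerShell below (the vendor pattern and the choice to scan running processes are assumptions for illustration) lists the image file behind every running process, flags those whose Authenticode signature does not verify, and notes separately when an unverified signer nonetheless claims a vendor name such as AMD or Intel.

```powershell
# Added example, not code from KitGuru or Kaspersky. Run in an elevated
# PowerShell on the Windows host being triaged.
#
# Watch-list of vendor names a spoofed certificate might borrow. The AMD/Intel
# pair comes from the report above; the pattern itself is an assumption and
# can be extended.
$vendorPattern = 'AMD|Intel'

# Collect the unique on-disk image of each running process. Some system
# processes expose no Path without sufficient privilege; those are skipped.
$images = Get-Process |
    Where-Object { $_.Path } |
    Select-Object -ExpandProperty Path -Unique

$results = foreach ($path in $images) {
    # Get-AuthenticodeSignature verifies the signature and its chain.
    # Status is Valid only when the signature matches the file AND the
    # signing certificate chains to a trusted root; a self-signed
    # certificate with an impressive subject comes back NotTrusted.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Path          = $path
        Status        = $sig.Status
        Subject       = $subject
        # True when the signer name looks like a known vendor but the
        # signature did not verify: the exact trick described above.
        SpoofedVendor = ($sig.Status -ne 'Valid') -and ($subject -match $vendorPattern)
    }
}

# Anything that is not Valid deserves a look; vendor-looking names on
# unverified signatures are sorted to the top.
$results |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object SpoofedVendor -Descending |
    Format-Table Path, Status, SpoofedVendor, Subject -AutoSize
```

A Status other than Valid is a triage lead, not a verdict: unsigned third-party tools and some catalog-signed system binaries can appear in the same list. The row worth acting on is the one where SpoofedVendor is True, because a genuine AMD or Intel binary would verify, while a certificate that merely borrows the name cannot.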
For a more thorough breakdown, SecureList has a comprehensive look at how the malware works and how best to avoid it.
KitGuru Says: No wonder the White House was hit by this infection. A funny flash video? Who can resist clicking on that.