U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Cozy Bear targets NGOs and Think Tanks in post-election attacks

Cozy Bear launched new spear-phishing attacks against US policy think-tanks aiming to infect their systems with a malware. Trump is the new US President, a few hours after he won the election, a hacking crew powered several spear-phishing attacks against US policy think-tanks aiming to infect their systems with a malware. The security experts believe […]

Cozy Bear targets NGOs and Think Tanks in post-election attacks

Cozy Bear launched new spear-phishing attacks against US policy think-tanks aiming to infect their systems with a malware.

Trump is the new US President, a few hours after he won the election, a hacking crew powered several spear-phishing attacks against US policy think-tanks aiming to infect their systems with a malware.

The security experts believe the attacks were powered by the notorious ATP Cozy Bear, also known as APT29 and CozyDuke. The CozyDuke is one of the groups involved in the Democratic National Committee (DNC) is considered by several security experts a group of Russian state-sponsored hackers.

According to the security firm Volexity, a few hours after the election people associated with non-governmental organizations (NGOs), policy think tanks in the US and even inside the US Government were targeted by malicious messages sent by the Cozy Bear hackers.

“Three of the five attack waves contained links to download files from domains that the attackers appear to have control over,” reads a blog post published by Volexity. “The other two attacks contained documents with malicious macros embedded within them. Each of these different attack waves was slightly different from one another.”

cozy bear spear-phishing-attack-examples

The researchers spotted at least five different waves of phishing attacks targeting people who work for organizations, including the RAND Corporation, Radio Free Europe/Radio Liberty, the Atlantic Council, and the State Department, among others.

The attackers used Gmail accounts that were specifically created for the phishing campaign and other compromised email accounts at Harvard University’s Faculty of Arts and Sciences (FAS).

They attackers used malicious attachments or emails embedding a malicious link to deliver on the victim’s machine a backdoor dubbed PowerDuke. PowerDuke is a high-sophisticated backdoor that could allow gaining full control of the infected machine implementing complex evasion techniques.

“The PowerDuke backdoor boasts a pretty extensive list of features that allow the Dukes to examine and control a system. Volexity suspects the feature set that has been built into PowerDuke is an extension of their anti-VM capabilities in the initial dropper files. Several commands supported by PowerDuke facilitate getting information about the system.” continues the post.

PowerDuke leverages on steganography to hide the components of the backdoor in PNG files. The backdoor code would exist only in memory after being loaded into rundll32.exe.

Clearly, the attackers tried to exploit the media attention of the Presidential election and its results. In particular, the attackers were interested in targeting people working for the US government that were concerned about Trump’s victory.

The experts noticed that attackers sent messages that pretend to be originated from organizations like the Clinton Foundation that were providing further details on the reason for the defeat.

The experts revealed the emails were sent from an email address of a professor at Harvard that was likely compromised by Cozy Bear hackers.

The emails observed the spear phishing messages embedding malicious links to .ZIP files or malicious Windows shortcut files linked to a “clean” Rich Text Format document and a PowerShell script.

“The group’s anti-VM macros and PowerShell scripts appear to have drastically reduced the number of sandboxes and bots that the group has to deal with on their command and control infrastructure.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Cozy Bear, Donald Trump)