Warning: Voicemail part of malware attack

Voice calls aren’t usually thought of as a vehicle for malware attacks, but researchers at security vendor Palo Alto Networks have discovered an email campaign that started last week against governments and think tanks that includes a .wav file purporting to be a call from a reporter.

The file is a diversion: when a user clicks on it to play the recording (a woman claiming to be a reporter looking for commentary), a malware file is dropped in the background.

Palo Alto believes the so-called CozyDuke/CozyCar threat actors are behind this campaign, which uses compromised, legitimate websites for spear phishing and command and control activity. The malicious .zip files are delivered to the target from the compromised websites or by phishing.

This particular campaign, which researchers think the authors call miniDionis after strings left in their code, is a variant of the SeaDuke Trojan described earlier this week by Symantec. The malware hides behind numerous layers of encryption and obfuscation and is capable of quietly stealing and exfiltrating sensitive information such as email from the victim’s computer, Symantec said.

According to Symantec, news of the Duke group first emerged in the spring, when reports detailing attacks involving a sophisticated threat actor variously called Office Monkeys, EuroAPT, Cozy Bear, and Cozyduke were published. Symantec believes that this group has a history of compromising governmental and diplomatic organizations since at least 2010.

The group began its current campaign as early as March 2014, when Trojan.Cozer (aka Cozyduke) was identified on the network of a private research institute in Washington, D.C. Symantec says the Duke group began to target victims with so-called “Office Monkeys” video-themed and “eFax”-themed emails, booby-trapped with a Cozyduke payload.

“The actors behind the CozyDuke framework are highly sophisticated, motivated, and have become increasingly bold in their campaigns,” says Palo Alto.

It recommends security practitioners review the Indicators of Compromise (IoCs) it has found to ensure they have not been targets in this campaign, and add the appropriate security controls to prevent future attacks.

“This group is reliant on social engineering,” it adds, “and thus, user education remains of paramount importance.”

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
