Voice calls aren’t usually thought of as a vehicle for malware attacks, but researchers at security vendor Palo Alto Networks have discovered an email campaign that started last week against governments and think tanks that includes a .wav file purporting to be a call from a reporter.
The file is a diversion: When a user clicks on it to play the recording — a woman claiming to be a reporter looking for commentary — a malware file is being dropped in the background.
Palo Alto believes the so-called CozyDuke/CozyCar threat actors are behind this campaign, which uses compromised, legitimate websites for spear phishing and command and control activity. The malware .zip files are delivered to the target from the compromised Web sites or phishing.
This particular campaign, which researchers think the authors call miniDionis after strings left in their code, is a variant of the SeaDuke Trojan described earlier this week by Symantec. The malware hides behind numerous layers of encryption and obfuscation and is capable of quietly stealing and exfiltrating sensitive information such as email from the victim’s computer, Symantec said.
According to Symantec news of the Duke group first emerged in the spring when reports detailing attacks involving a sophisticated threat actor variously called Office Monkeys, EuroAPT, Cozy Bear, and Cozyduke were published. Symantec believes that this group has a history of compromising governmental and diplomatic organizations since at least 2010.
The group began its current campaign as early as March 2014, when Trojan.Cozer (aka Cozyduke) was identified on the network of a private research institute in Washington, D.C. Symantec says the Duke group began to target victims with emails of so-called “Office Monkeys” videos- and “eFax”-themed emails, booby-trapped with a Cozyduke payload.
“The actors behind the CozyDuke framework are highly sophisticated, motivated, and have become increasingly bold in their campaigns,” says Palo Alto.
It recommends security practitioners review the Indicators of Compromise (IoCs) it has found to ensure they have not been targets in this campaign, and add the appropriate security controls to prevent future attacks.
“This group is reliant on social engineering,” it adds, “and thus, user education remains of paramount importance.