Cyber-espionage operations by Cozy Bear, a threat actor believed to work for the Russian government, went undetected for years because the group used malware families previously unknown to security researchers.

Relying on stealthy communication techniques between infected systems and the command and control (C2) servers, the group managed to keep their activity under the radar for a long time.

Cyber-espionage campaigns that likely started in 2013, collectively named "Operation Ghost," have been attributed to this group, and continued through 2019.

Names that security professionals use to refer to Cozy Bear include Dukes, APT 29, CozyCar, CozyDuke, Yttrium, Group 100, and Office Monkeys.

Recent APT 29 victims

Researchers at ESET tracking this threat actor found at least three victims of Operation Ghost, all of them European Ministries of Foreign Affairs, including the Washington DC embassy of a European Union country.

The victim count is likely larger but identifying them is difficult because the threat actor uses unique command and control (C2) infrastructure for each target.

The last campaign attributed to Cozy Bear is from January 2017 against the Norwegian government.

In November 2018 FireEye reported suspected Cozy Bear phishing attacks on more than 20 of its customers across multiple industries. Pinning them to this actor with high confidence was not possible, though, because the malware sample used by the attacker had been available for years in a public repository.

The primary purpose of the group is cyber espionage and the targets are typically governments in the West and former USSR countries as well as organizations connected to NATO, think tanks, and political parties.

Cozy Bear is a sophisticated adversary whose operations were first disclosed to the public in early 2013 by researchers at Kaspersky who described the MiniDuke implant.

The group has been active since at least 2008 and attracted wider media attention after it emerged that it was involved in hacking the Democratic National Committee before the 2016 presidential elections in the U.S.

New intrusion tools

The researchers found and analyzed three new malicious tools this group deploys in different stages of an Operation Ghost attack:

PolyglotDuke - first-stage downloader that drops the MiniDuke backdoor

RegDuke - a first-stage backdoor used as a backup when attackers lose control of other implants on a compromised machine

FatDuke - backdoor used in the third stage of an attack, deployed on high-interest machines and dropped by MiniDuke or through the PsExec utility in Windows

The MiniDuke toolset is associated with Cozy Bear activity between 2010 and 2015. Its code was incorporated into the CosmicDuke threat.

Linking the Operation Ghost tools to this threat actor is supported by strong code similarities with documented malware samples the group used in previous campaigns. ESET does not exclude a false-flag operation, though.

"We cannot discount the possibility of a false flag operation; however, this campaign started while only a small portion of the Dukes’ arsenal was known. In 2013, at the first known compilation date of PolyglotDuke, only MiniDuke had been documented and threat analysts were not yet aware of the importance of this threat actor. Thus, we believe Operation Ghost was run simultaneously with the other campaigns and has flown under the radar until now" - ESET

Using social websites and services like Reddit, Twitter, Imgur, Evernote public notes, or ImgBB to host URLs to C2 servers is one characteristic of Operation Ghost campaigns, ESET researchers say.

They found an early trace of this activity from 2014 when a Cozy Bear group member published a message on Reddit with an encoded string that proved to be a C2 server used by PolyglotDuke.

[Figure: Encoded C2 URL in Reddit comment]

This tactic was previously documented by F-Secure with the OnionDuke malware, another tool from the Dukes' arsenal. It was also observed by ESET in a tweet from 2017 attributed to a Cozy Bear member.

Furthermore, ESET's analysis found similar encryption functions in PolyglotDuke and the OnionDuke sample analyzed by F-Secure.

[Figure: Custom string encryption in OnionDuke and PolyglotDuke]

Following PolyglotDuke infection, the group moves to RegDuke, which stays silent on the system for as long as possible. Its purpose is to allow the actor to maintain a foothold on the compromised host if access through other tools is lost.

Its payload is a fileless backdoor that relies on Dropbox for C2 communication. The URL is hidden in seemingly normal images in the file storage account using steganography.

[Figure: Extracting C2 URL from pixels]

The researchers explain that every pixel is stored as 24 bits, following the RGB color model, and that the "least significant bit" technique is used to hide 8 bits of data in each pixel.
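The following is an added example, not ESET's analysis code or anything from RegDuke, showing how least-significant-bit hiding over 24-bit RGB pixels works and why it is visually invisible. The page gives the 8-bits-per-pixel figure but not how those bits are spread across the channels, so the 3/3/2 split over R, G and B is an assumption; the cover image and URL are constructed placeholders.

```python
# Added example (not ESET's or RegDuke's code): least-significant-bit
# steganography over 24-bit RGB pixels. Assumption: the 8 payload bits per
# pixel are split 3/3/2 across R, G, B; the page does not state the split.
import random

BITS_PER_CHANNEL = (3, 3, 2)  # assumed split of 8 payload bits over R, G, B


def embed(pixels, payload):
    """Return a copy of pixels carrying a 2-byte length prefix plus payload
    in the channels' low bits. Used only to construct input for extract()."""
    data = len(payload).to_bytes(2, "big") + payload
    if len(data) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = list(pixels)
    for i, byte in enumerate(data):
        chans, shift = [], 8
        for value, nbits in zip(pixels[i], BITS_PER_CHANNEL):
            shift -= nbits
            mask = (1 << nbits) - 1
            chans.append((value & ~mask) | ((byte >> shift) & mask))  # keep high bits
        out[i] = tuple(chans)
    return out


def extract(pixels):
    """Rebuild the hidden bytes: one byte per pixel from the low bits,
    then honour the length prefix so trailing cover pixels are ignored."""
    def pixel_byte(px):
        byte = 0
        for value, nbits in zip(px, BITS_PER_CHANNEL):
            byte = (byte << nbits) | (value & ((1 << nbits) - 1))
        return byte
    raw = bytes(pixel_byte(px) for px in pixels)
    length = int.from_bytes(raw[:2], "big")
    return raw[2:2 + length]


def max_channel_delta(a, b):
    """Largest per-channel change between two images. Rewriting at most 3 low
    bits moves a channel by at most 7 out of 255, which is why the stego
    image looks identical to the original and survives casual inspection."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


# Constructed cover image (fixed seed) and a placeholder URL; no real C2.
rng = random.Random(1)
COVER = [tuple(rng.randrange(256) for _ in range(3)) for _ in range(64)]
PLACEHOLDER_URL = b"https://example.invalid/c2-placeholder"
STEGO = embed(COVER, PLACEHOLDER_URL)

if __name__ == "__main__":
    print(extract(STEGO), max_channel_delta(COVER, STEGO))
```

A defender looking for this kind of hiding compares the low-bit planes of suspicious images against expected noise rather than the visible picture, since the pixel changes never exceed 7 in any channel.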

FatDuke, named so because of its large size (13MB), "is the current flagship backdoor of the group and is only deployed on the most interesting machines," the researchers say.

The unusual size is due to the binary packer, which adds a lot of code designed to hinder analysis and obfuscate the true functionality. Without the extra weight, FatDuke would be around 1MB in size.

ESET analysts say that this backdoor is typically dropped by MiniDuke or by lateral movement tools like PsExec. The actor packs this malware on a regular basis in order to evade detection, with May 24, 2019, being the most recent compilation date seen by the researchers.

In a report today, ESET provides an in-depth technical analysis of the newly discovered Cozy Bear tools, along with details on LiteDuke, a backdoor seen in 2015 attacks that appears to have been retired since then.

ESET believes Operation Ghost campaigns started in 2013, based on a compilation date for PolyglotDuke (Monday, November 18, 2013, 10:55:03 UTC).

This shows that threat actors do not simply disappear from the game or quit, at least not in the case of state-sponsored adversaries. If their activity is no longer detected, the likelier explanation is that they regrouped, changed their tactics, and built a new toolset to continue their operations unhindered.