The discovery of an advanced persistent threat (APT) campaign targeting government departments with malicious 'funny monkey' videos proves people are failing to follow basic cyber best practice, according to experts within the security community.
Kaspersky GReAT team members Kurt Baumgartner and Costin Raiu reported uncovering the campaign, codenamed CozyDuke, in a threat advisory published on 22 April, warning that the attacks have already hit the White House and US Department of State.
The use of basic phishing tactics caused ripples within the security community. F-Secure security advisor Sean Sullivan told V3 the campaign is a stark reminder that many people are still woefully susceptible to phishing.
"I recall a report on a Chinese APT group that used rather viral bait. Something like cat videos," he said.
"I don't think [the use of funny monkey videos] is odd. If it works, a persistent attacker will try it. Deploy the 'cheap' stuff first and escalate from there if nobody clicks on the initial bait.
"I listened to an interesting interview about phishme.com last year. They do training, allowing IT admins to phish people within their own domain - and the numbers show the training is needed."
Sullivan's comments follow research from Verizon showing a staggering one in four phishing scams currently result in success.
The tactic has been used in several other targeted campaigns, including APT30. APT30 is a hacker group believed to be from China that has been mounting a coordinated campaign capable of infiltrating air gapped systems.
Vicente Diaz, principal security researcher at Kaspersky Lab, agreed with Sullivan, telling V3 that the campaign's phishing strategy is fairly basic.
"The actor often spear phishes targets. In highly successful runs, this actor sends out phony flash videos directly as email attachments. A clever example is Office Monkeys LOL Video.zip," he said.
"These videos are quickly passed around offices while systems are infected in the background silently. Many of this APT's components are signed with phony Intel and AMD digital certificates."
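The lure Diaz describes is a zip attachment whose member is named like a video but is really an executable. The screening routine below is an added example written for this article, not code from Kaspersky or V3: it opens an attachment in memory, flags members with executable extensions, double extensions that read as media, or a PE "MZ" header hiding behind a media name. The extension lists and the sample archive (whose "executable" is only an MZ header plus padding) are constructed for the example.

```python
import io
import zipfile

# Extensions Windows runs directly (illustrative list, an assumption of this example)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".dll", ".lnk", ".msi"}
# Extensions that make a filename read as a video or image to the recipient
MEDIA_EXTS = {".flv", ".swf", ".mp4", ".avi", ".wmv", ".mov", ".mkv", ".gif", ".jpg", ".png"}


def classify_member(name, head):
    """Findings for one archive member: `name` is its path inside the zip,
    `head` the first bytes of its content."""
    findings = []
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext}")
        if inner in MEDIA_EXTS:
            findings.append(f"double extension: reads as {inner}, runs as {ext}")
    if head.startswith(b"MZ") and ext not in EXECUTABLE_EXTS:
        findings.append("PE (MZ) header inside a member not named as an executable")
    return findings


def screen_zip_attachment(data):
    """Return {'suspicious': bool, 'findings': {member: [...]}} for a zip attachment."""
    findings = {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as fh:
                    head = fh.read(2)          # only the magic bytes are needed
                hits = classify_member(info.filename, head)
                if hits:
                    findings[info.filename] = hits
    except zipfile.BadZipFile:
        findings["_archive"] = ["not a valid zip archive"]
    return {"suspicious": bool(findings), "findings": findings}


def build_sample_attachment():
    """Constructed sample shaped like the lure in the article. The 'executable'
    members are an MZ header plus zero padding, not real programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Office Monkeys LOL Video.flv.exe", b"MZ" + b"\0" * 62)
        zf.writestr("clip.mp4", b"MZ" + b"\0" * 62)   # executable behind a media name
        zf.writestr("notes.txt", b"forwarding this, hilarious")
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(screen_zip_attachment(build_sample_attachment()), indent=2))
```

Reading only the first two bytes of each member keeps the check cheap and avoids inflating a large or hostile archive; a mail gateway would run this before the message reaches an inbox and quarantine anything that returns `suspicious`.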
The campaign's sophistication lies in what happens after infection. Once inside, the attackers reportedly move laterally through the network, infecting it with data-stealing malware.
"[The malware] is basically a backdoor and dropper. [A backdoor is a] malicious program that gives attackers access to the infected machines. It allows them to 'open the door' without disturbing the owner of the house," Diaz explained.
"[A dropper] is a program which allows attackers to drop any other additional modules (additional functions) to the infected machine, for example give a command to infiltrate all PDF files or record everything happening on the screen.
"It sends info of the target to the command and control server and retrieves configuration files and additional modules implementing any extra functionality needed by the attackers."
The researchers said that the attacks are particularly dangerous as they can dodge several security providers' products, including those from Crystal, Kaspersky, Sophos, Dr Web, Avira and Comodo.
The campaign also contains similar features to the past MiniDuke, CosmicDuke and OnionDuke APTs.
"One of the second-stage modules of CozyDuke/Cozy Bear, Show.dll, is particularly interesting because it appears to have been built onto the same platform as OnionDuke," read the advisory.
"Both have exactly the same export tables and appear to be called internally 'UserCache.dll'. This seems to indicate that the authors of OnionDuke and CozyDuke/Cozy Bear are the same, or working together.
"Another interesting comparison of two other files matches a recent second-stage tool from the CozyDuke attacks with a second-stage component from other MiniDuke/OnionDuke attacks.
"The two share identical export function names in their export directories, and the naming appears to be randomly assigned at compile time."
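The advisory's link between CozyDuke and OnionDuke rests on comparing export tables. The script below, an added example written for this article rather than Kaspersky's own tooling, parses the export name table straight out of a PE file (DOS header, PE header, data directory, section table, export directory) and reports whether two files share an identical export set. Because real samples cannot be embedded here, it also builds minimal constructed PE32 images whose only content is an export directory; the export names used are invented stand-ins for compile-time random names.

```python
import struct


def parse_export_names(data):
    """Return the list of exported function names from a PE image (PE32 or PE32+)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    dd = opt + (96 if magic == 0x10B else 112)      # data directory offset for PE32 / PE32+
    exp_rva, _exp_size = struct.unpack_from("<II", data, dd)
    if exp_rva == 0:
        return []
    sections = []
    for i in range(nsect):                          # VirtualAddress, SizeOfRawData, PointerToRawData
        sections.append(struct.unpack_from("<III", data, opt + opt_size + i * 40 + 12))

    def rva_to_off(rva):
        for va, raw_size, raw_ptr in sections:
            if va <= rva < va + raw_size:
                return raw_ptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} maps to no section")

    exp = rva_to_off(exp_rva)
    n_names, = struct.unpack_from("<I", data, exp + 24)     # NumberOfNames
    names_rva, = struct.unpack_from("<I", data, exp + 32)   # AddressOfNames
    names_off = rva_to_off(names_rva)
    out = []
    for i in range(n_names):
        rva, = struct.unpack_from("<I", data, names_off + 4 * i)
        off = rva_to_off(rva)
        out.append(data[off:data.index(b"\0", off)].decode("ascii", "replace"))
    return out


def compare_exports(a, b):
    """Overlap between two files' export name sets; identical sets hint at a shared build."""
    ea, eb = set(parse_export_names(a)), set(parse_export_names(b))
    union = ea | eb
    return {"identical": bool(ea) and ea == eb,
            "shared": sorted(ea & eb),
            "jaccard": len(ea & eb) / len(union) if union else 0.0}


def build_pe_with_exports(names):
    """Constructed minimal PE32 DLL whose single section holds only an export
    directory listing `names`. Test data for this example, not a real binary."""
    sect_rva, sect_off, n = 0x1000, 0x200, len(names)
    name_rvas, blob = [], b""
    for nm in names:
        name_rvas.append(sect_rva + 40 + 4 * n + len(blob))
        blob += nm.encode() + b"\0"
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, 0, sect_rva + 40, 0)
    section = export_dir + b"".join(struct.pack("<I", r) for r in name_rvas) + blob
    section += b"\0" * (-len(section) % 0x200)            # pad to file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80) + b"\0" * 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    optional = (struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
                + struct.pack("<II", sect_rva, len(section)) + b"\0" * 120)
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".edata", len(section), sect_rva,
                           len(section), sect_off, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + optional + sect_hdr
    return headers + b"\0" * (sect_off - len(headers)) + section


if __name__ == "__main__":
    sample_a = build_pe_with_exports(["qLmxTrW", "bVnKoPe", "zRtYuIo"])   # constructed names
    sample_b = build_pe_with_exports(["zRtYuIo", "qLmxTrW", "bVnKoPe"])
    print(compare_exports(sample_a, sample_b))
```

Export names that look random but match exactly across two unrelated-looking files are a strong clue, because a random name generator run at compile time would not reproduce them by chance; for real samples, pass the file bytes straight to `compare_exports` and treat a high Jaccard score as a lead for further analysis rather than proof of attribution.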
MiniDuke is a notorious malware originally uncovered in 2013 having infiltrated networks in over 20 countries.
CosmicDuke is a follow-up campaign uncovered in early 2014 that combines MiniDuke and an older Cosmu attack.
OnionDuke is a dangerous campaign uncovered later in 2014 that used the Tor network to target multiple central European government agencies.
The Kaspersky researchers added that the attacks also share some features of the APT 28 attack campaign.
"Their custom backdoor components appear to slightly evolve over time, with modifications to anti-detection, cryptography and trojan functionality changing per operation," read the paper.
"This rapid development and deployment reminds us of the APT 28/Sofacy toolset, especially the coreshell and chopstick components."
APT 28 is an ongoing attack campaign believed to be state-sponsored. FireEye researchers recently reported uncovering evidence that the group was mounting a fresh campaign using Adobe and Windows zero-day vulnerabilities to infect systems.