CozyDuke

Description

(F-Secure) CozyDuke is not simply a malware toolset; rather, it is a modular malware platform formed around a core backdoor component. This component can be instructed by the C&C server to download and execute arbitrary modules, and it is these modules that provide CozyDuke with its vast array of functionality. Known CozyDuke modules include: • Command execution module for executing arbitrary Windows Command Prompt commands • Password stealer module • NT LAN Manager (NTLM) hash stealer module • System information gathering module • Screenshot module

In addition to modules, CozyDuke can also be instructed to download and execute other, independent executables. In some observed cases, these executables were self-extracting archive files containing common hacking tools, such as PsExec and Mimikatz, combined with script files that execute these tools. In other cases, CozyDuke has been observed downloading and executing tools from other toolsets used by the Dukes such as OnionDuke, SeaDuke, and HammerDuke.

Names

Name
CozyDuke
CozyCar
CozyBear
Cozer
EuroAPT

Type

Backdoor
Credential stealer
Keylogger
Remote command

Information

https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf

Mitre Attack

https://attack.mitre.org/software/S0046/

Malpedia

https://malpedia.caad.fkie.fraunhofer.de/details/win.cozyduke

Alienvault Otx

https://otx.alienvault.com/browse/pulses?q=tag:cozyduke

Other Information

Uuid

d6e64a22-315a-4384-8d4f-9803fb281b45

Last Card Change

2023-06-22

Threat Intelligence Garden

Explorer

CozyDuke

CozyDuke

Description

Names

Category

Type

Information

Mitre Attack

Malpedia

Alienvault Otx

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks