CozyCar
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
CozyCar's main method of communicating with its C2 servers is using HTTP or HTTPS.[2] |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
One persistence mechanism used by CozyCar is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys: |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
A module in CozyCar allows arbitrary commands to be executed by invoking |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
One persistence mechanism used by CozyCar is to register itself as a Windows service.[2] |
| Enterprise | T1036 | .003 | Masquerading: Rename Legitimate Utilities |
The CozyCar dropper has masqueraded a copy of the infected system's rundll32.exe executable that was moved to the malware's install directory and renamed according to a predefined configuration file.[2] |
| Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File |
The payload of CozyCar is encrypted with simple XOR with a rotating key. The CozyCar configuration file has been encrypted with RC4 keys.[2] |
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
CozyCar has executed Mimikatz to harvest stored credentials from the victim and further victim penetration.[2] |
| .002 | OS Credential Dumping: Security Account Manager |
Password stealer and NTLM stealer modules in CozyCar harvest stored credentials from the victim, including credentials used as part of Windows NTLM user authentication.[2] |
||
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
One persistence mechanism used by CozyCar is to register itself as a scheduled task.[2] |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
The main CozyCar dropper checks whether the victim has an anti-virus product installed. If the installed product is on a predetermined list, the dropper will exit.[2] |
| Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
The CozyCar dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main CozyCar component.[2] |
| Enterprise | T1082 | System Information Discovery |
A system info module in CozyCar gathers information on the victim host’s configuration.[2] |
|
| Enterprise | T1497 | Virtualization/Sandbox Evasion |
Some versions of CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. If it detects that it is, it will exit.[2] |
|
| Enterprise | T1102 | .002 | Web Service: Bidirectional Communication |
CozyCar uses Twitter as a backup C2 channel to Twitter accounts specified in its configuration file.[2] |