CozyCar

CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. [1]

ID: S0046
Associated Software: CozyDuke, CozyBear, Cozer, EuroAPT
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 28 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

CozyCar's main method of communicating with its C2 servers is using HTTP or HTTPS.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

One persistence mechanism used by CozyCar is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run[2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

A module in CozyCar allows arbitrary commands to be executed by invoking C:\Windows\System32\cmd.exe.[2]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

One persistence mechanism used by CozyCar is to register itself as a Windows service.[2]

Enterprise T1036 .003 Masquerading: Rename System Utilities

The CozyCar dropper has masqueraded a copy of the infected system's rundll32.exe executable that was moved to the malware's install directory and renamed according to a predefined configuration file.[2]

Enterprise T1027 Obfuscated Files or Information

The payload of CozyCar is encrypted with simple XOR with a rotating key. The CozyCar configuration file has been encrypted with RC4 keys.[2]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Password stealer and NTLM stealer modules in CozyCar harvest stored credentials from the victim, including credentials used as part of Windows NTLM user authentication.[2]

.001 OS Credential Dumping: LSASS Memory

CozyCar has executed Mimikatz to harvest stored credentials from the victim and further victim penetration.[2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

One persistence mechanism used by CozyCar is to register itself as a scheduled task.[2]

Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

The CozyCar dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main CozyCar component.[2]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

The main CozyCar dropper checks whether the victim has an anti-virus product installed. If the installed product is on a predetermined list, the dropper will exit.[2]

Enterprise T1082 System Information Discovery

A system info module in CozyCar gathers information on the victim host’s configuration.[2]

Enterprise T1497 Virtualization/Sandbox Evasion

Some versions of CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. If it detects that it is, it will exit.[2]

Enterprise T1102 .002 Web Service: Bidirectional Communication

CozyCar uses Twitter as a backup C2 channel to Twitter accounts specified in its configuration file.[2]

Groups That Use This Software

ID Name References
G0016 APT29

[1]

References