CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. [1]

ID: S0046
Associated Software: CozyDuke, CozyBear, Cozer, EuroAPT

Platforms: Windows

Version: 1.1

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | A module in CozyCar allows arbitrary commands to be executed by invoking C:\Windows\System32\cmd.exe. [2]
Enterprise | T1003 | Credential Dumping | Password stealer and NTLM stealer modules in CozyCar harvest stored credentials from the victim, including credentials used as part of Windows NTLM user authentication. CozyCar has also executed Mimikatz for further victim penetration. [2]
Enterprise | T1036 | Masquerading | The CozyCar dropper has masqueraded a copy of the infected system's rundll32.exe executable that was moved to the malware's install directory and renamed according to a predefined configuration file. [2]
Enterprise | T1050 | New Service | One persistence mechanism used by CozyCar is to register itself as a Windows service. [2]
Enterprise | T1027 | Obfuscated Files or Information | The payload of CozyCar is encrypted with simple XOR with a rotating key. The CozyCar configuration file has been encrypted with RC4 keys. [2]
Enterprise | T1060 | Registry Run Keys / Startup Folder | One persistence mechanism used by CozyCar is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys:
Enterprise | T1085 | Rundll32 | The CozyCar dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main CozyCar component. [2]
Enterprise | T1053 | Scheduled Task | One persistence mechanism used by CozyCar is to register itself as a scheduled task. [2]
Enterprise | T1063 | Security Software Discovery | The main CozyCar dropper checks whether the victim has an anti-virus product installed. If the installed product is on a predetermined list, the dropper will exit. [2]
Enterprise | T1071 | Standard Application Layer Protocol | CozyCar's main method of communicating with its C2 servers is using HTTP or HTTPS. [2]
Enterprise | T1082 | System Information Discovery | A system info module in CozyCar gathers information on the victim host's configuration. [2]
Enterprise | T1497 | Virtualization/Sandbox Evasion | Some versions of CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. If it detects that it is, it will exit. [2]
Enterprise | T1102 | Web Service | CozyCar uses Twitter as a backup C2 channel to Twitter accounts specified in its configuration file. [2]
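An added detection example, not part of the ATT&CK entry or of any APT29 tooling: the T1036 and T1085 rows describe the dropper copying rundll32.exe into its install directory under a name taken from its configuration, so a rule keyed on the filename misses it. The script below, which assumes hypothetical paths and builds a constructed directory layout in a temp folder, flags any file outside the system directory whose bytes are identical to the legitimate rundll32.exe, whatever it has been renamed to.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed: on a real host system_rundll32 would be C:\Windows\System32\rundll32.exe
# and scan_roots would be user-writable locations such as %APPDATA% or %TEMP%.

def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_rundll32_copies(system_rundll32: Path, scan_roots) -> list:
    """Return files outside the system directory whose bytes equal rundll32.exe.

    Matches on size first (cheap prefilter) and then on the full hash, so a
    renamed copy is caught; the directory holding the real binary is skipped.
    """
    system_rundll32 = Path(system_rundll32).resolve()
    ref_size = system_rundll32.stat().st_size
    ref_hash = sha256_of(system_rundll32)
    hits = []
    for root in scan_roots:
        for p in Path(root).rglob("*"):
            try:
                if not p.is_file() or p.resolve().parent == system_rundll32.parent:
                    continue
                if p.stat().st_size != ref_size:
                    continue            # different size: cannot be a byte-identical copy
                if sha256_of(p) == ref_hash:
                    hits.append(p)
            except OSError:
                continue                # unreadable or vanished file: skip, keep scanning
    return sorted(hits)

def demo() -> list:
    """Constructed layout (not a real host): a fake system dir, a renamed copy in an
    'install' dir, and a decoy of the same size but different content."""
    base = Path(tempfile.mkdtemp())
    sysdir = base / "System32"; sysdir.mkdir()
    real = sysdir / "rundll32.exe"
    real.write_bytes(b"MZ" + b"\x90" * 62 + b"fake-rundll32-body")        # 82 bytes
    install = base / "AppData" / "Roaming" / "install"; install.mkdir(parents=True)
    (install / "svchost_helper.exe").write_bytes(real.read_bytes())         # renamed copy
    (install / "decoy.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"some-other-binary!")  # 82 bytes
    hits = find_rundll32_copies(real, [base / "AppData"])
    return [h.relative_to(base).as_posix() for h in hits]

if __name__ == "__main__":
    print(demo())  # ['AppData/Roaming/install/svchost_helper.exe']
```

On a live system the size prefilter keeps the scan cheap, and a hit in a user-writable directory is a strong signal worth correlating with the scheduled task, service and Run key persistence rows above.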


Groups that use this software: