Skip to content

S0046 CozyCar

CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. 1

Item Value
ID S0046
Associated Names
Type MALWARE
Version 1.2
Created 31 May 2017
Last Modified 28 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols CozyCar‘s main method of communicating with its C2 servers is using HTTP or HTTPS.2
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder One persistence mechanism used by CozyCar is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell A module in CozyCar allows arbitrary commands to be executed by invoking C:\Windows\System32\cmd.exe.2
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service One persistence mechanism used by CozyCar is to register itself as a Windows service.2
enterprise T1036 Masquerading -
enterprise T1036.003 Rename System Utilities The CozyCar dropper has masqueraded a copy of the infected system’s rundll32.exe executable that was moved to the malware’s install directory and renamed according to a predefined configuration file.2
enterprise T1027 Obfuscated Files or Information The payload of CozyCar is encrypted with simple XOR with a rotating key. The CozyCar configuration file has been encrypted with RC4 keys.2
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory CozyCar has executed Mimikatz to harvest stored credentials from the victim and further victim penetration.2
enterprise T1003.002 Security Account Manager Password stealer and NTLM stealer modules in CozyCar harvest stored credentials from the victim, including credentials used as part of Windows NTLM user authentication.2
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task One persistence mechanism used by CozyCar is to register itself as a scheduled task.2
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery The main CozyCar dropper checks whether the victim has an anti-virus product installed. If the installed product is on a predetermined list, the dropper will exit.2
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 The CozyCar dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main CozyCar component.2
enterprise T1082 System Information Discovery A system info module in CozyCar gathers information on the victim host’s configuration.2
enterprise T1497 Virtualization/Sandbox Evasion Some versions of CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. If it detects that it is, it will exit.2
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication CozyCar uses Twitter as a backup C2 channel to Twitter accounts specified in its configuration file.2

Groups That Use This Software

ID Name References
G0016 APT29 13

References

  1. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. 

  2. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015. 

  3. Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.