Protect Against Cozyduke's Anti-AV Detection with Multi-Scanning

An Advanced Persistent Threat (APT) group dubbed CozyDuke was behind last year's attacks on the U.S. State Department and the White House. The attackers gained access to the White House's unclassified network and to some of President Obama's email correspondence. The White House intrusion is believed to have started with a phishing email sent from a compromised State Department email account.

CozyDuke is another member of the 'Duke' malware family, alongside OnionDuke, MiniDuke, and CosmicDuke. Kaspersky Lab was the first to warn about the MiniDuke attacks in 2013, and the oldest known samples for this APT date back to 2008. The Duke APTs are believed to originate from Russia and go after high-profile targets with spear phishing: emails crafted to trick the victim into clicking a malicious link or opening a malicious attachment. Targets have included embassies, energy, oil and gas companies, telecoms, militaries, and research institutions in a number of countries.

Another alarming trait of the Duke family is built-in anti-detection logic that keeps the malware under the radar of specific antivirus engines. CozyDuke, for instance, checks the host for several security products and adjusts its behavior to evade them; the list includes Kaspersky Lab, Sophos, DrWeb, Avira, Crystal, Comodo Dragon, AVG and K7. MiniDuke, which was used in targeted attacks against NATO and European government agencies, likewise hid itself from various anti-malware, antivirus, and other security programs to avoid detection.

How Multi-Scanning Can Protect Against Anti-AV Detection Malware
What Is Multi-Scanning?

As attackers become sophisticated enough to build anti-AV detection into their malware, this evasion technique is likely to become commonplace. Multi-scanning counters it by running every file through several anti-malware engines at once: malware that checks for, evades or disables one vendor's product is unlikely to handle every engine, and the more engines in use, the higher the chance that at least one is unaffected and flags the threat. Beyond countering attacks aimed at specific engines, using multiple engines also raises the overall detection rate, including for new threats and outbreaks. Each vendor adds coverage for a given threat with a different lag, so scanning with several engines at once shortens the effective lag across existing threats and narrows the window of exposure. One practical caveat: an engine that the malware manages to disable or crash returns no verdict at all, not a 'clean' one, so the logic that combines engine results should treat a missing result as reduced coverage rather than as a pass.
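The following is an added example, not OPSWAT or Metascan code, showing how the verdicts of several engines are combined under a block-on-any-detection policy and why a missing verdict must not count as clean. The engines, their signature sets and the sample attachment are all constructed stand-ins for the illustration: each engine holds a set of known-bad SHA-256 hashes and a set of byte patterns, one engine has been "disabled", and only one engine knows the sample.

```python
"""Multi-engine scan aggregation (added illustration, not OPSWAT/Metascan code).

Each Engine is a deliberately tiny stand-in: a set of known-bad SHA-256 hashes
plus a set of byte patterns. The point is the aggregation policy, not the
engines: a file is blocked if ANY engine flags it, and an engine that fails to
answer (crashed, timed out, or disabled by the sample) is counted as 'no
result' rather than 'clean', so lost coverage is visible instead of silently
letting the file through.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Engine:
    name: str
    bad_hashes: set = field(default_factory=set)  # hypothetical hash signatures
    patterns: set = field(default_factory=set)    # hypothetical byte patterns
    working: bool = True                          # False simulates a disabled engine

    def scan(self, data: bytes) -> dict:
        if not self.working:
            raise RuntimeError(f"{self.name}: engine unavailable")
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.bad_hashes:
            return {"engine": self.name, "verdict": "infected", "reason": "hash match"}
        for pat in self.patterns:
            if pat in data:
                return {"engine": self.name, "verdict": "infected",
                        "reason": f"pattern {pat!r}"}
        return {"engine": self.name, "verdict": "clean", "reason": None}


def multiscan(data: bytes, engines, min_results: int = 1) -> dict:
    """Run every engine; block on any detection; refuse to call the file clean
    unless at least min_results engines actually returned a verdict."""
    results, errors = [], []
    for eng in engines:
        try:
            results.append(eng.scan(data))
        except Exception as exc:  # a dead engine must not look like a 'clean' verdict
            errors.append(str(exc))
    flagged = [r["engine"] for r in results if r["verdict"] == "infected"]
    if flagged:
        final = "blocked"
    elif len(results) < min_results:
        final = "no_result"
    else:
        final = "allowed"
    return {"final": final, "flagged_by": flagged,
            "engines_answered": len(results), "errors": errors}


# Constructed sample attachment. Only EngineC knows its hash; EngineA and
# EngineB carry no matching signature, and EngineA has been knocked out.
SAMPLE = b"MZ constructed attachment EVIL_MARKER_9f3a"
SAMPLE_HASH = hashlib.sha256(SAMPLE).hexdigest()

ENGINES = [
    Engine("EngineA", patterns={b"OTHER_FAMILY"}, working=False),
    Engine("EngineB", patterns={b"OTHER_FAMILY"}),
    Engine("EngineC", bad_hashes={SAMPLE_HASH}),
]


def demo() -> dict:
    return multiscan(SAMPLE, ENGINES, min_results=2)


if __name__ == "__main__":
    print(demo())
```

With EngineA disabled and EngineB lacking a signature, the sample is still blocked because EngineC answers; the result also records one engine error, which is the signal an operator would alert on. Raising `min_results` above the number of engines that answered turns a would-be "allowed" into "no_result" instead of a pass.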

In addition to multi anti-malware scanning, another way to thwart spear phishing attacks that rely on malicious attachments is data sanitization. Data sanitization converts an email attachment to a different file format, rebuilding the document so that any embedded threat is removed along the way. The most commonly used malicious attachments in spear phishing are Word documents and PDFs, and if one of them carries malware that is not yet known, antivirus engines may miss it. Converting the file to a different format strips possible embedded threats (macros, embedded objects, scripts) without first having to recognize them. The trade-off is that legitimate active content, such as business macros, is removed as well, which is why the originals should be kept: with OPSWAT's new mail agent and its multiple anti-malware engines, attachments found to contain threats are quarantined for further inspection.
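As an added example, not OPSWAT's sanitization engine, the script below shows the core idea of document sanitization on a Word file: a .docx/.docm is a ZIP of XML parts, so instead of trying to recognize a malicious part, the package is rebuilt from a fixed allow-list of known-good parts, the content-type and relationship tables are repaired so the result stays consistent, and `<w:object>` elements are stripped from the body. The allow-list, the minimal sample document and its macro and OLE blobs are constructed for the illustration; a production sanitizer would also validate the XML itself and re-render the content rather than copy it.

```python
"""Allow-list rebuild of a .docx (added illustration, not OPSWAT's sanitization code).

Macros live in word/vbaProject.bin and embedded OLE objects under
word/embeddings/. Both fall outside ALLOWED and are dropped; the content-type
and .rels tables are then fixed up so no dangling references remain.
"""
import io
import posixpath
import re
import zipfile

ALLOWED = re.compile(  # assumption for the example: the parts a plain document needs
    r"^(\[Content_Types\]\.xml|_rels/\.rels|docProps/(core|app)\.xml"
    r"|word/(document|styles|settings|fontTable|numbering)\.xml"
    r"|word/_rels/document\.xml\.rels)$")
MACRO_MAIN = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def _fix_content_types(xml: bytes, kept: set) -> bytes:
    def keep_override(m):
        return m.group(0) if m.group(1).decode().lstrip("/") in kept else b""
    xml = re.sub(rb'<Override\b[^>]*PartName="([^"]+)"[^>]*/>', keep_override, xml)
    xml = re.sub(rb'<Default\b[^>]*Extension="bin"[^>]*/>', b"", xml)  # VBA blob type
    return xml.replace(MACRO_MAIN, PLAIN_MAIN)  # no macros remain: demote to plain .docx


def _fix_rels(rels_name: str, xml: bytes, kept: set) -> bytes:
    base = posixpath.dirname(posixpath.dirname(rels_name))  # word/_rels/x.rels -> word
    def keep_rel(m):
        if b'TargetMode="External"' in m.group(0):
            return m.group(0)  # hyperlinks point outside the package; nothing to drop
        target = posixpath.normpath(posixpath.join(base, m.group(1).decode())).lstrip("/")
        return m.group(0) if target in kept else b""
    return re.sub(rb'<Relationship\b[^>]*Target="([^"]+)"[^>]*/>', keep_rel, xml)


def sanitize_docx(data: bytes) -> tuple:
    """Return (sanitized_bytes, names_of_dropped_parts)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    names = [i.filename for i in src.infolist()]
    kept = {n for n in names if ALLOWED.match(n)}
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in names:
            if name not in kept:
                continue
            content = src.read(name)
            if name == "[Content_Types].xml":
                content = _fix_content_types(content, kept)
            elif name.endswith(".rels"):
                content = _fix_rels(name, content, kept)
            elif name == "word/document.xml":  # embedded-object anchors in the body
                content = re.sub(rb"<w:object\b.*?</w:object>", b"", content, flags=re.S)
            dst.writestr(name, content)
    return out.getvalue(), [n for n in names if n not in kept]


def list_parts(data: bytes) -> list:
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def read_part(data: bytes, name: str) -> bytes:
    return zipfile.ZipFile(io.BytesIO(data)).read(name)


def build_sample_docm() -> bytes:
    """Constructed macro-enabled document: minimal parts, not a real Word file."""
    ct = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
          '<Default Extension="xml" ContentType="application/xml"/>'
          '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
          '<Override PartName="/word/document.xml" ContentType="' + MACRO_MAIN.decode() + '"/>'
          '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
          '</Types>')
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            '</Relationships>')
    doc_rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
                '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>'
                '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>'
                '</Relationships>')
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           '<w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p>'
           '<w:p><w:r><w:object><v:shape/></w:object></w:r></w:p></w:body></w:document>')
    parts = {"[Content_Types].xml": ct, "_rels/.rels": rels, "word/document.xml": doc,
             "word/_rels/document.xml.rels": doc_rels,
             "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed macro blob",
             "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0 constructed OLE blob"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    clean, dropped = sanitize_docx(build_sample_docm())
    print("dropped:", dropped)
    print("kept:", list_parts(clean))
```

The allow-list approach is what makes this robust against unknown threats: a part that is not on the list is gone whether or not any engine has a signature for it. The cost is visible in the output as well, since the macro project is dropped even if it was legitimate, which is why the original attachment is quarantined rather than discarded.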

By using a multi-scanning solution such as Metascan®, organizations are better positioned to counter anti-AV detection in malware and can significantly raise their detection rate while reducing the overall lag behind new threats. Combined with an email security solution such as Policy Patrol Mail Security for Exchange, Metascan's multi-scanning and document sanitization capabilities can protect your organization against targeted and advanced spear phishing attacks.
