Security researchers from Palo Alto Networks are reporting on increased activity from the Chinese-linked cyber-espionage group that previously hacked Forbes.com and later Samsung Pay.
The group, known as C0d0s0, or more simply as Codoso, does not seem to have a clear direction or purpose for this most recent campaign and appears to be harvesting information on random Internet users, probably building a database of possible pawns for future attacks.
Just as before, the group is using some of the most sophisticated attack methods seen around, deploying malware through compromised but legitimate websites, via watering hole techniques.
There were also cases where spear-phishing emails were used against targets in the telecommunications, high tech, education, manufacturing, and legal services industries.
In all cases, the malware chosen for Codoso's attacks is a new variant of the Derusbi family, also utilized by other Chinese cyber-espionage groups.
This malware works by using DLL side-loading techniques to inject malicious content into legitimate applications. This allows it to evade some security tools and alter registry keys to gain boot persistence.
Group seems to be interested in collecting data on random Internet users
Once in action, the malware will collect data about targets and send it to a remote C&C server. Palo Alto detected three servers used in the most recent wave of Codoso attacks, all linked to one another and registered in Hong Kong.
The group is collecting data about users such as their IP address, MAC address, username, hostname, CPU details, and Internet Explorer user agent string.
Palo Alto researchers suspect this may be the incipient stage of a more dangerous attack to come.
"The tactics, techniques, and procedures (TTPs) used by C0d0so0 appear to be more sophisticated than many other adversary groups with multiple layers of obfuscation in use, as well as specific victim targeting in what appears to be an attempt at creating a staging area for additional attack," Palo Alto researchers Josh Grunzweig and Bryan Lee said about the group. We'll now have to wait and see what the group is really after this time around.
Sunday, January 24, 2016