On the prowl for mobile malware.
Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]
Vitor Ventura: Basically this is part of a long-term research effort that we have done on this actor nexus that has been targeting India. And in this specific case it's also the fruit of our reach out to the community, and there's actually another researcher who came to us with some information about these kinds of operations, and we partnered with him in order to make this research.
Dave Bittner: Our guests today are Asheer Malhotra and Vitor Ventura, both security researchers with Cisco Talos. The research we're discussing today is titled "Operation Celestial Force employs mobile and desktop malware to target Indian entities." [ Music ]
Vitor Ventura: It's kind of with our own research but also in the community, and this is kind of the outcome of that collaboration with the community also.
Asheer Malhotra: We've been tracking this campaign since about 2018 which is when we first published about a specific malware strain that was used in this campaign as well.
Dave Bittner: That's Asheer Malhotra.
Asheer Malhotra: And we've seen sporadic instances of different vendors publishing stuff about this campaign, but recently we found some information that tied everything together which [inaudible 00:01:54] about the case.
Dave Bittner: Well, let's go through it together here. Can you give us a bit of the back story? When did this threat actor originally come to folks' attention, and what were they up to?
Asheer Malhotra: Sure. So, we've seen this threat actor use a variety of malware families. One of them is called GravityRAT, and we believe that GravityRAT is almost exclusively used by this threat actor called Cosmic Leopard. And we've been tracking GravityRAT and its evolution since 2018. And most recently what happened was we've been tracking GravityRAT and we've been tracking another malware family, which is basically a malware loader called HeavyLift. And most recently we found another component in the campaign, which is called GravityAdmin, and it's basically an administrative panel. It's an exe that you double click, and it opens up an administrative panel that allows you to administer the different infections and all the different campaigns that have been conducted in this operation. And that is what really caught our eye, and we were like, okay, so this brings everything together. This is the panel binary that is distributed to malicious operators belonging to Cosmic Leopard. And they use this panel binary to actually administer infections and push out new malware and run commands on infected systems and steal documents and information from there, and so on and so forth.
Vitor Ventura: I think it's important to add that --
Dave Bittner: That's Vitor Ventura.
Vitor Ventura: When we talk about Cosmic Leopard and this may seem like, okay, this is a new actor that we're trying to push, it's important to add that we actually did this because there are multiple overlaps between this group and other groups. And we didn't want to just assign this [inaudible 00:03:46] activity to a single group like Sideliner. So, we decided we should develop -- put this in a specific cluster that in the future while we do more research we are able to either tear it apart into its subcomponents and spread it into the known groups, or we may just reach the conclusion that this is actually an umbrella group that has several operators beneath it. And hence that's why we decided to go with this new name for it because first it's important to be accurate in the attribution when it's done, and we didn't want to use attribution that is not in the field but still with a lot of gaps to fill. So, it was more important to get [inaudible 00:04:35] and in the future be able to split the activity or not in the cluster through the other activities that are known now.
Dave Bittner: Yes, that's an interesting insight. I mean is it fair to say that this represents a check in of a journey that is continuing along the way? That this isn't a conclusion of something. This is where you think we are at this moment?
Vitor Ventura: Oh, definitely this is just the beginning. So, this campaign is coming from 2018, but the question of activity is probably older than that with other campaigns. So, between this and Transparent Tribe, we need to be able to distinguish the several actors because just like we as defenders don't stay the same over time, the attackers don't stay the same over time. They are always, especially when they are state sponsored, they will evolve accordingly with the needs and the political situation of those countries. So, it should be common for us to update these kinds of descriptions over time. And this has been going since 2018. There are older campaigns. So, we cannot stay with the same definition of that group over this amount of time because things change on their side also. And because we are not absolutely sure, we want to be able to have a cluster of activity that we tie to those two groups with different overlaps that are not 100% overlap or middle of them, but maybe in the future we'll be able to get information that allows us to say, "Look, this is the evolution of that group," or, "This group has merged with another group and now we have something new," or, "There has always been some kind of umbrella over these subgroups." Because they will be different teams with different objectives. And we have seen this on groups related with other countries like Lazarus Group with North Korea. There is a huge amount of subgroups under that umbrella. So, we should allow ourselves to have the same flexibility on other groups which we associate with other geographies.
Dave Bittner: Yes. Well, let's talk about Operation Celestial Force then. What is the spectrum of things that you all are putting under this particular umbrella?
Asheer Malhotra: So, it's basically activity that consists of everything. Initiating contact with a potential target. Talking to them over social media channels, establishing trust, or turning a target into a victim by sending them malware and getting them to infect themselves. And once they're infected then the threat actors start their operations, malicious operations on the box that has been infected, and they try to steal data from that specific box. So, that system. And they try to establish long-term persistent access to individuals or entities that they feel are of high value to the operators. So, it's an entire spectrum of activities from the very start to the very end. And this consists of also deploying new malware, stealing data, what not, everything that falls under the spectrum of [inaudible 00:07:41] or espionage focused group is what Cosmic Leopard intends to do. [ Music ]
Dave Bittner: We'll be right back. [ Music ] Well, can we walk through it together? What a typical process would look like here? If I was someone that this group was interested in, what would be their initial way of gaining access?
Asheer Malhotra: So, they would typically establish contact with their targets. They would identify who their targets are and what potential victims of this high value target. And then they would start talking to these people over social media channels or even over instant messaging apps. And they will slowly and slowly build trust with them. We have seen a lot of Pakistani nexus of threat actors use honeytraps. You know they pretend to be women and they pretend to honeytrap their targets as well, and then ultimately they send them malware. And once the malware is sent then they're tricked into executing it on their system. That's it. Boom. That's all they need. And then the threat actors will use that malware to perform the [inaudible 00:08:58], to figure out whether the victim or the system that has been infected is actually worth their time and effort. And if it is, then they will slowly sit down and they will go through the entire system and try to see what is of value to them that they can find on the system that can be used towards the political and [inaudible 00:09:16] objectives of the nation state essentially.
Vitor Ventura: I would just add in this case also, we saw really well done white pages about cloud drives. One was clouded. There was the other one that was called Z cloud if I'm not mistaken. And the sites were well done. The effort put into making a believable website was good to the point that we were talking with technology partners of ours, and they were telling us, "Well, maybe that's not malicious." And we had to actually -- because it didn't look malicious. It was really well done. And on the other side, the features of those kinds of applications for Android in this specific case, they were there. You could actually upload files and store files like on any other cloud based storage. Like any of the traditional ones. So, in a sense -- of course, those are malicious applications. Those were malicious sites which have been taken down, but they were -- they went to the effort of making it well done and making them believable like legitimate applications, which didn't happen in the past. In the past you would have -- you would go through all this process of honey trapping and convincing the victim to install something, and when the victim would install something he would get an error saying it's not compatible with your system or something like that. And then it would still be installed and running of course. It was malware, but it would send the user the message that it was not working. It was something that didn't work. But in this case, in this case, everything would work, but on top of that it would have an extra layer of malware basically.
Dave Bittner: So, I suppose. I mean that's a way to buy the threat actors a little more time because they're not raising those suspicions. If I think I'm using an online cloud service and it works as an online cloud service, I'm less likely to throw up an alarm, right?
Asheer Malhotra: Exactly. Think about it this way. Like if me as a threat actor can get you to upload your files voluntarily to my service, I don't really need to make malware. I just need to trick you into saying that hey, this is a new cloud service. Can you use this? And if you're the one who's uploading all your documents and all your stuff over there, I don't really have to put in any more efforts to steal stuff from your computer.
Dave Bittner: What do you think folks should know about what's going on behind the scenes in terms of the technical tools that they're making use of here? Is this a lot of custom things, or are these off the shelf elements, or a mix of the two?
Vitor Ventura: In this case, as I was saying before, these were well made custom things. So, this is not a SpyNote malware framework that was rebuilt or reshaped to looking into that. This was malware that was written from the ground up by them that is completely integrated with the backend to look normal. I would say that even on the Windows side, and correct me if I'm mistaken, Asheer, they went through a lot of effort of making something that is portable. That would run both on Windows and macOS. Even though we didn't see any macOS samples per se, the samples that we had for Windows had code that would run on macOS also, and we could see that that existed. So, this kind of multi-platform does require some custom-made stuff, and especially the Windows part. On one side because it's multi-platform. On the other side because it's really well done to seem like a regular service. So, I would say that they went through a big effort to make their own tools and that again they are not copying the groups that we would know usually. So, there is some level of customization on their part, and that's why we don't have that many overlaps, and we went through a new name for the actor, for the cluster of activity basically.
Asheer Malhotra: And also our assessment that these are customized tools is supported by the panel binary, also known as GravityAdmin. Usually when there is commodity malware or when there is off the shelf malware and more, it comes with an administrative panel that's pre-built. However, GravityAdmin in this case, which is the panel binary, looks like it's been custom built in .NET, and there are specific command and control URLs for specific campaigns that are code named inside of the binary as well. So, that gives strength to our assessment that all of this is custom built and has evolved over a period of multiple years since 2018.
Dave Bittner: You mentioned earlier that they are focused on victims in India. So, that means we're highly confident, I suppose, that this is coming from Pakistan?
Vitor Ventura: Well, yes. We've seen indications that this is operated by a Pakistani nexus of APT threat actors. We have also seen that a lot of the [inaudible 00:14:25] -- a lot of their tools, techniques and procedures and tactics match with existing Pakistani APT groups, such as Transparent Tribe and SideCopy. And some of the techniques are very, very typical of that. It's almost as if these guys have learned from existing Transparent Tribe operations or from existing SideCopy operations, and then they've built their own operation slowly and slowly and made sure of their own malware families and their sort of codes.
Dave Bittner: I see. And what specifically do they seem to be after here? I mean are they targeting specific groups, specific areas, or is it broad general espionage?
Vitor Ventura: I would say that we need to think of this as an espionage operation. And by saying this what I mean is an espionage group is usually tasked with something. And they might just start by getting the capability, and they have the access, and they will just wait for something that is requested from them. So, in this case, if they have a broadened victimology and if something is tasked from them, so if something is asked from them, they will already have the access. And this is the typical way that espionage groups work. Sometimes they may have some kind of vertical or something specific that they're after, which we have seen with other groups in other regions, but in this specific case I would say that they work much more like a traditional espionage operation where they were tasked to get access, and they might just be waiting for orders, or they're just collecting data and when someone asks something they already have it. One of the two. It's not highly specific or generic. They have really -- it's really more like a traditional espionage operation. By the way, at the beginning, I got the name wrong for the group. I said Side One. It was SideCopy. But just to know.
Dave Bittner: Fair enough. Fair enough. So, all those people who are furiously getting ready to write you a nasty email, just hold off, right?
Vitor Ventura: Even worse, they can just start a storm on Twitter.
Dave Bittner: There you go. Yes. Yes. Oh, my goodness. So, what are your recommendations then for folks to best protect themselves against this particular threat actor? How should they go about that?
Vitor Ventura: Well, I would go with a lot of this is about the traditional thing. So, this group, the groups on this Pakistani nexus have used this before, and there are some indications that they have used exploits before, but in this specific case we didn't find any exploitation being used. So, this brings us back to, on the mobile side, don't install anything outside the normal application stores, being Google in this specific case. So, use the traditional application store. It's not to say that they are 100% bulletproof. There have been cases in the past where they were not, but it's the best thing we have, and that's what we need to rely on. And quite frankly, it hasn't happened for a long time. So, I would say that it's getting way, way, way better at the beginning. The other thing is when we talk about Windows and laptops, which is a little different. I would say that we need to have good endpoint control. For organizations, when their endpoints need to be controlled you need to have endpoint protection. But not only that, we have seen more and more and more attacks being done with credential stealing. And with that you must have multi-factor authentication to prevent the usage of those credentials, just like you need stuff where you can understand where your telemetry is going. Understand which kind of sites are being accessed, understand which kind of DNS is being resolved. All of that helps in a multi-layer approach for the security. One thing I always say is that we cannot say that the users will click on stuff. It's a human thing. They will always click on stuff. And I always say if you get into a room where you have a table and you have a box open but you cannot see the content, what will you do as soon as you enter that room? You will look into the box. Everyone does that. It's human nature, so we cannot ask people not to click on links. We can ask them but we cannot rely that they won't do it because it's human nature.
What we need to do as security professionals is to make the consequences of that happening way, way lower, and for that you can control the endpoint. You need to have multi-factor authentication. You need to have DNS control. That's what we can do. As individuals we should be careful with all of these as I said, but in the end corporations and organizations, that's what they can do.
Dave Bittner: All right. Any final thoughts to share?
Asheer Malhotra: Just one thought. If you give somebody a USB drive they will plug it into your computer.
Dave Bittner: I think often we've probably all been in the situation where you're in a building or something, maybe an industrial facility, and there's a big red button on the wall that says do not press. And it is so hard to not press the button.
Vitor Ventura: What's the worst that could happen, right?
Dave Bittner: Right.
Vitor Ventura: Well, you could shut down a whole data center. I've seen it happen. It's not pretty. [ Music ]
Dave Bittner: And that's Research Saturday brought to you by N2K CyberWire. Our thanks to Asheer Malhotra and Vitor Ventura from Cisco Talos for joining us. The research is titled, "Operation Celestial Force employs mobile and desktop malware to target Indian entities." We'll have a link in the show notes. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential and public operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. It was mixed by Elliot Peltzman and Tre Hester. Our executive producer is Jennifer Eiben. Our executive is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]