Dave Bittner
You're listening to the Cyberwire Network powered by N2K.
Dave Bittner
Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Ashir Malhotra
Basically this is part of a long term of research that we have done on this actor nexus that has been targeting India, and in this specific case it's also the fruit of our outreach to the community. It was actually another researcher that came to us saying he had some information about these kinds of operations, and we partnered with them in order to make this research.
Dave Bittner
Our guests today are Ashir Malhotra and Vitor Ventura, both security researchers with Cisco Talos. The research we're discussing today is titled Operation Celestial Force employs mobile and Desktop Malware to target Indian entities.
Ashir Malhotra
It's kind of with our own research, but we also engage a lot in the community and this is kind of the outcome of that collaboration with the community.
Vitor Ventura
Also we've been tracking this campaign since about 2018, which is when we first published about a specific malware strain that was used in this campaign as well.
Dave Bittner
That's Ashir Malhotra.
Vitor Ventura
We've seen sporadic instances of different vendors publishing stuff about this campaign, but recently we found some information that tied everything together and which is what warranted the publication.
Interviewer
Yeah, well, I mean, let's go through it together here. Can you give us a bit of the backstory? When did this threat actor originally come to folks' attention and what were they up to?
Vitor Ventura
Sure. So we've seen this threat actor use a variety of malware families. One of them is called GravityRAT, and we believe that GravityRAT is almost exclusively used by this threat actor called Cosmic Leopard. And we've been tracking GravityRAT and its evolution since 2018. Right. And most recently what happened was we've been tracking GravityRAT and we've been tracking another malware family which is basically a malware loader called HeavyLift. And most recently, we found another component in the campaign which is called GravityAdmin. It's basically an administrative panel. It's an exe that you double click and it opens up an administrative panel that allows you to administer all the different infections and all the different campaigns that are being conducted in this operation. That is what really caught our eye. And we were like, okay, so this brings everything together. This is the panel binary that is distributed to malicious operators belonging to Cosmic Leopard. And they use this panel binary to actually administer infections and push out new malware and run commands on infected systems and steal documents and information from there and so on and so forth.
Ashir Malhotra
I think it's important to add that.
Dave Bittner
That's Vitor Ventura. When we talk about Cosmic Leopard.
Ashir Malhotra
And this may seem like, okay, this is a new actor that we are trying to push. It's important to add that we actually did this because there are multiple overlaps between this group and other groups. And we didn't want to just assign this cluster of activity to a single group like SideWinder. So we decided, okay, we should develop this, put this in a specific class so that in the future, while we do more research, we are able to either tear it apart into its subcomponents and split it into the known groups, or we may just reach the conclusion that this is actually just an umbrella group that has several operators beneath it. And hence that's why we decided to go with this new name for it. Because for us, it's important to be accurate in the attribution when it's done. And we didn't want to use attribution that is known in the field, but still with a lot of gaps to fill. So it was more important to get this new name and in the future be able to split the activity in the cluster, or not, across the other actors that are known right now.
Interviewer
Yeah, that's an interesting insight. I mean, is it fair to say that this represents kind of a check in of a journey that is continuing along the way? This isn't a conclusion of something. This is where you think we are at this moment.
Ashir Malhotra
Oh, definitely. This is just the beginning. So this campaign is coming from 2018, but the cluster of activity is probably older than that, with other campaigns. So between this and Transparent Tribe, we need to be able to distinguish the several actors, because just like we as defenders don't stay the same over time, the attackers don't stay the same over time. Especially when they are state sponsored, they will evolve accordingly with the needs and the political situation of those countries. So it should be common for us to update these kinds of descriptions over time. And this has been going on since 2018. There are older campaigns. So we cannot stay with the same definition of that group over this amount of time, because things change on their side also, and because we are not absolutely sure, we want to be able to have a cluster of activity that we tie to those two groups with different overlaps that are not 100% overlap on either of them. But maybe in the future we'll be able to get information that will allow us to say, look, this is the evolution of that group, or this group has merged with another group and now we have something new. Or there has always been some kind of umbrella over these subgroups, because there will be different teams with different objectives. And we have seen this on groups related with other countries, like Lazarus Group with North Korea. There's a huge amount of subgroups under that umbrella. So we should allow ourselves to have the same flexibility on other groups, which we associate with other geographies.
Interviewer
Yeah, well, I mean, let's talk about Operation Celestial Force then. What is the spectrum of things that you all are putting under this particular umbrella?
Vitor Ventura
So it's basically activity that consists of everything, you know, initiating contact with a potential target, you know, talking to them over social media channels, establishing trust, turning a target into a victim by sending them malware and getting them to infect themselves. And once they're infected, you know, then the threat actors start their operations, malicious operations on the box that has been infected. And they try to steal data from that specific box or that system. And they try to establish long term persistent access to individuals or entities that they feel are of high value to the operators. So it's an entire spectrum of activities from the very start to the very end. And this consists of also deploying new malware, stealing data, whatnot. Everything that falls under the spectrum of an APT or an espionage focused group is what Cosmic Leopard intends to do.
Dave Bittner
We'll be right back.
Interviewer
Well, can we walk through it together? What a typical process would look like here? I mean if I were someone that this group was interested in, what would be their initial way of gaining access?
Vitor Ventura
So they would typically establish contact with their targets. They would identify who their targets are and who are potential victims among these high value targets. And then they would start talking to these people over social media channels or even over instant messaging apps, and they will slowly and slowly build trust with them. We have seen a lot of Chinese, sorry, a lot of Pakistani nexus threat actors use honey traps. They pretend to be women and they pretend to honey trap their targets as well. And then ultimately they serve them malware. And once the malware is served and they're tricked into executing it on their system, that's it. Boom. That's all they need. Then the threat actors will use that malware to perform reconnaissance to figure out whether the victim or the system that has been infected is actually worth their time and effort. And if it is, then they will slowly sit down and they will go through the entire system and try to see what is of value to them that they can find on the system that can be used towards the political and tactful objectives of the nation state, essentially.
Ashir Malhotra
I would just add in this case also that we saw really well done web pages about cloud drives, one of them was called Cloudy, there was the other one which was zcloud if I'm not mistaken, and the sites were well done. The effort put into making a believable website was good to the point that we were talking with technology partners of ours and they were telling us, well, maybe that's not malicious. Because it didn't look malicious, it was really well done. And on the other side, the features of those kinds of applications for Android, in this specific case, they were there. You could actually upload files and store files like on any other cloud based storage, like any of the traditional ones. So in a sense, of course those were malicious applications, those were malicious sites which have been taken down, but they went to the effort of making it well done and making them believable like legitimate applications, which didn't happen in the past. In the past you would go through all this process of honey trapping and convincing the victim to install something, and when the victim would install something, it would get an error saying, oh, it's not compatible with your system or something like that. And then it would still be installed and running. Of course it was malware, but it would send the user the message that it was not working. It was something that didn't work. Right, but in this case, no, in this case everything would really work, but on top of that it would have an extra layer of malware, basically.
Interviewer
So I suppose, I mean, that's a way to buy the threat actors a little more time because they're not raising those suspicions.
Interviewer
When, you know, if I think I'm using an online cloud service and it works as an online cloud service, I'm less likely to throw up an alarm.
Vitor Ventura
Right, exactly. Think about it this way. If me as a threat actor can get you to upload your files voluntarily to my service, I don't really need to make malware, right? I just need to trick you by saying, hey, this is a new cloud service, can you use this? And if you're the one who's uploading all your documents and all your stuff over there, I don't really have to put in any more effort, right, to steal stuff from your computer.
Interviewer
What do you think folks should know about what's going on behind the scenes in terms of the technical tools that they're making use of here? Is this a lot of custom things, or off the shelf elements, or a mix of the two in this case?
Ashir Malhotra
As I was saying before, these were well made custom things. So this is not, I don't know, a SpyNote malware for Android that was rebuilt or reshaped to look like that. This is malware that was built from the ground up by them, that is completely integrated with the backend to look normal. I would say that even on the Windows side, and correct me if I'm mistaken, Ashir, they went through a lot of effort of making something that is portable, that would run both on Windows and on macOS. Even though we didn't see any macOS samples per se, the samples that we had for Windows had code that could run on macOS also, and we could see that that existed. So this kind of multi platform does require some custom made stuff, especially the Windows part. On one side because it's multi platform, on the other side because it's really well done to seem like a regular service. So I would say that they went through a big effort to make their own tools, and again they are not copying the groups that we would know usually. So there is some level of customization on their part, and that's why we don't have that many overlaps. And we went with a new name for the actor, for the cluster of activity basically.
Vitor Ventura
And also our assessment that these are customized tools is supported by the panel binary, also known as GravityAdmin. Usually when there is commodity malware or when there is off the shelf malware involved, it comes with an administrative panel that's pre built. However, GravityAdmin in this case, which is the panel binary, looks like it's been custom built in .NET, and it reaches out to specific command and control URLs for specific campaigns that are code named inside of the binary as well. That gives strength to our assessment that all of this is custom built and has evolved over a period of multiple years since 2018.
Interviewer
You mentioned earlier that they're focused on victims in India, and so that means we're highly confident, I suppose, that this is coming from Pakistan.
Vitor Ventura
Well yes, we've seen indications that this is operated by a Pakistani nexus of APT threat actors. We have also seen that a lot of their TTPs, a lot of their tools, techniques and procedures and tactics, match with existing Pakistani APT groups such as Transparent Tribe and SideCopy. And some of the techniques are very, very typical of that. It's almost as if these guys have learned from existing Transparent Tribe operations or from existing SideCopy operations, and then they've built their own operations slowly and slowly and matured their own malware families and their suite of tools.
Interviewer
I see. And what specifically do they seem to be after here? Are they targeting specific groups, specific areas, or is it broad, general espionage?
Ashir Malhotra
I would say that we need to think of this as an espionage operation. And by saying this, what I mean is, an espionage group is usually tasked with something, and they might just start by getting the capability. They have the access and they will just wait for something that is requested from them. So in this case, if they have a broadened victimology and if something is tasked from them, so if something is asked from them, they will already have the access. And this is the typical way that espionage groups work. Sometimes they may have some kind of vertical or something specific that they're after, which we have seen with other groups in other regions. But in this specific case, I would say that they work much more like a traditional espionage operation, where they were tasked to get access and they might just be waiting for orders, or they're just collecting data, and when someone asks for something, they already have it. One of the two. It's not highly specific or generic. It's really more like a traditional espionage operation. By the way, at the beginning I got the name wrong for the group. I said SideWinder, when it was SideCopy. Okay, just. Fair enough, fair enough.
Interviewer
So all those people who are furiously getting ready to write you a nasty email just hold off, right?
Ashir Malhotra
Even worse, they can just start a storm on Twitter.
Strata
There you go.
Interviewer
Yes. Yes. Oh, my goodness. So what are your recommendations then for folks to best protect themselves against this particular threat actor? How should they go about that?
Ashir Malhotra
Well, I would go with a lot of this is about the traditional thing. So the groups on this Pakistani nexus have used zero days before. And there are some indications that they have used exploits before. But in this specific case, we didn't find any exploitation being used. So this brings us back to, on the mobile side, don't install anything outside the normal application stores, being Google in this specific case. So use the traditional application store. It's not to say that they are 100% bulletproof. There have been cases in the past where they were not. But it's the best thing we have and that's what we need to rely on. And quite frankly it hasn't happened for a long time. So I would say that it's getting way, way, way better than at the beginning. The other thing is when we talk about Windows and laptops, which is a little different, I would say that we need to have good endpoint control for organizations where their endpoints need to be controlled. You need to have endpoint protection. But not only that, we have seen more and more and more attacks being done with credential stealing. And with that you must have multi factor authentication to prevent the usage of those credentials. Just like you need to have stuff where you can understand where your telemetry is going, understand which kind of sites are being accessed, which kind of DNS is being resolved. All of that helps in a multi layer approach to security. One thing I always say is that we cannot say that the users will click on stuff. It's a human thing. They will always click on stuff. And I always say, if you get into a room where you have a table and you have a box open, but you cannot see the content, what will you do? As soon as you enter that room you will look into the box. Everyone does that. It's human nature. So we cannot ask people not to click on links. We can ask them, but we cannot rely on them not doing it, because it's human nature.
What we need to do as security professionals is to make the consequences of that happening way, way lower. And for that you need to control the endpoint. You need to have multifactor authentication, you need to have DNS control. That's what we can do as individuals. Well, we should be careful with all of these, as I said. But in the end, corporations and organizations, that's what they can do.
Interviewer
All right, any final thoughts?
Vitor Ventura
Ashir, just one thought. If you give somebody a USB drive, they will plug it into your computer.
Interviewer
I think often we've probably all been in that situation where you're in a building or something, maybe an industrial facility, and there's a big red button on the wall that says do not press. Right. And it is so hard to not press the button.
Vitor Ventura
What's the worst that could happen? Right?
Dave Bittner
Right.
Ashir Malhotra
Well, you can shoot down the whole data center. I've seen it happen. It's not good, it's not pretty.
Dave Bittner
And that's Research Saturday, brought to you by N2K CyberWire. Our thanks to Ashir Malhotra and Vitor Ventura from Cisco Talos for joining us. The research is titled Operation Celestial Force employs Mobile and Desktop Malware to Target Indian Entities. We'll have a link in the Show Notes. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment: your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Release Date: December 28, 2024
Host: Dave Bittner
Guests: Ashir Malhotra and Vitor Ventura, Security Researchers with Cisco Talos
Research Focus: Operation Celestial Force – Employing Mobile and Desktop Malware to Target Indian Entities
In this episode of CyberWire Daily, host Dave Bittner engages in a comprehensive discussion with Ashir Malhotra and Vitor Ventura from Cisco Talos. The focus is on their latest research titled Operation Celestial Force, which delves into sophisticated malware campaigns targeting Indian entities through both mobile and desktop platforms.
Vitor Ventura provides insight into the longstanding observation of the threat actor, Cosmic Leopard, tracing back to 2018:
“[We] first published about a specific malware strain that was used in this campaign as well... most recently, we found another component in the campaign which is called Gravity Admin... [it] brings everything together” (03:08).
This malware strain, GravityRAT, has been almost exclusively associated with Cosmic Leopard, a nexus of Pakistani state-sponsored threat actors. The researchers have tracked the evolution of these tools over the years, noting continuous improvements and increased sophistication.
Vitor Ventura elaborates on the comprehensive range of activities encompassed by Operation Celestial Force:
"It's an entire spectrum of activities from the very start to the very end. This consists of also deploying new malware, stealing data, whatnot... what Cosmic Leopard intends to do" (08:06).
Key TTPs include:
Ashir Malhotra emphasizes the complexity in attributing these activities to a single group, noting overlaps with other known factions:
"We have multiple overlaps between this group and other groups... we decided to develop this, put this in a specific class... to either tear it apart into its subcomponents or conclude that this is actually just an umbrella group with several operators beneath it" (05:54).
This strategic classification allows for flexibility as further research might reveal more nuanced affiliations or structural changes within the threat landscape.
The malware employed in Operation Celestial Force showcases significant customization:
Ashir Malhotra states:
"These were well-made custom things... malware that was bred from the ground up, completely integrated with the backend to look normal" (15:38).
Key points include:
Vitor Ventura corroborates:
"GravityAdmin... looks like it's been custom-built in .NET and it reaches out to specific Command and Control URLs... supporting our assessment that all of this is custom-built" (17:03).
The primary targets are Indian entities, ranging from government institutions to high-value private sector organizations. The objectives are rooted in espionage, aiming to:
Ashir Malhotra articulates the espionage focus:
"This is an espionage operation... they were tasked to get access and they might just be waiting for orders or collecting data" (18:47).
To defend against such advanced threats, the researchers advocate for a multi-layered security approach:
Mobile Security:
“Don’t install anything outside the normal application stores being Google... it's getting way, way, way better at the beginning” (20:35)
Endpoint Protection:
“You need to have good endpoint control for organizations where their endpoints need to be controlled” (20:35)
Authentication Measures:
“With credential stealing, you must have multi-factor authentication to prevent the usage of those credentials” (20:35)
Network Monitoring:
“Understand which kind of sites are being accessed, which kind of DNS is being resolved” (20:35)
User Education and Behavioral Controls:
“Make the consequences of that happening way, way, lower... control the endpoint. You need to have multifactor authentication, you need to have DNS control” (20:35)
The conversation concludes with a stark reminder of the ever-present risks posed by human curiosity and the importance of robust security measures:
Vitor Ventura humorously warns:
“If you give somebody a USB drive, they will plug it into your computer” (23:00).
Ashir Malhotra underscores the potential devastation:
“You can shoot down the whole data center” (23:27).
Dave Bittner wraps up the episode by acknowledging the valuable contributions of Ashir and Vitor, highlighting the critical nature of ongoing research in staying ahead of evolving cyber threats.
Operation Celestial Force exemplifies the intricate and persistent nature of state-sponsored cyber espionage targeting Indian entities. The collaboration between Cisco Talos researchers and the broader security community sheds light on the sophisticated methods employed by groups like Cosmic Leopard. As cyber threats continue to evolve, adopting comprehensive, multi-layered security strategies remains paramount in safeguarding sensitive information and maintaining operational integrity.
For further details on this research, please refer to the Show Notes or visit Cisco Talos.