CyberWire Daily: On the Prowl for Mobile Malware [Research Saturday]
Release Date: December 28, 2024
Host: Dave Bittner
Guests: Ashir Malhotra and Vitor Ventura, Security Researchers with Cisco Talos
Research Focus: Operation Celestial Force – Employing Mobile and Desktop Malware to Target Indian Entities
1. Introduction to Operation Celestial Force
In this episode of CyberWire Daily, host Dave Bittner engages in a comprehensive discussion with Ashir Malhotra and Vitor Ventura from Cisco Talos. The focus is on their latest research titled Operation Celestial Force, which delves into sophisticated malware campaigns targeting Indian entities through both mobile and desktop platforms.
2. Background and Evolution of the Threat Actor
Vitor Ventura provides insight into the longstanding observation of the threat actor, Cosmic Leopard, tracing back to 2018:
“[We] first published about a specific malware strain that was used in this campaign as well... most recently, we found another component in the campaign which is called Gravity Admin... [it] brings everything together” (03:08).
This malware strain, Gravity Rat, has been almost exclusively associated with Cosmic Leopard, a nexus of Pakistani state-sponsored threat actors. The researchers have meticulously tracked the evolution of these tools, highlighting continuous improvements and increased sophistication over the years.
3. Tactics, Techniques, and Procedures (TTPs)
Vitor Ventura elaborates on the comprehensive range of activities encompassed by Operation Celestial Force:
"It's an entire spectrum of activities from the very start to the very end. This consists of also deploying new malware, stealing data, whatnot... what Cosmic Leopard intends to do" (08:06).
Key TTPs include:
- Initial Access: Establishing contact with high-value targets primarily in India through social media and instant messaging platforms.
- Social Engineering: Utilizing honey traps, often masquerading as trustworthy individuals, to build rapport and convince targets to download malicious applications.
- Malware Deployment: Employing custom-built malware like Gravity Rat and the administrative panel Gravity Admin to infiltrate systems, perform reconnaissance, and maintain persistent access.
- Data Exfiltration: Stealing sensitive information to further espionage objectives aligned with national interests.
4. Attribution and Group Dynamics
Ashir Malhotra emphasizes the complexity in attributing these activities to a single group, noting overlaps with other known factions:
"We have multiple overlaps between this group and other groups... we decided to develop this, put this in a specific class... to either tear it apart into its subcomponents or conclude that this is actually just an umbrella group with several operators beneath it" (05:54).
This strategic classification allows for flexibility as further research might reveal more nuanced affiliations or structural changes within the threat landscape.
5. Malware Characteristics and Customization
The malware employed in Operation Celestial Force showcases significant customization:
Ashir Malhotra states:
"These were well-made custom things... malware that was bred from the ground up, completely integrated with the backend to look normal" (15:38).
Key points include:
- Cross-Platform Compatibility: Malware designed to operate seamlessly across Windows and Mac OS, indicating a high level of sophistication.
- Custom Administrative Panels: Unlike off-the-shelf solutions, tools like Gravity Admin are bespoke, built using .NET, and tailored to specific Command and Control (C2) infrastructures.
Vitor Ventura corroborates:
"Gravity Admin... looks like it's been custom-built in .NET and it reaches out to specific Command and Control URLs... supporting our assessment that all of this is custom-built" (17:03).
6. Victimology and Objectives
The primary targets are Indian entities, ranging from government institutions to high-value private sector organizations. The objectives are rooted in espionage, aiming to:
- Steal Sensitive Data: Extract information that can influence political and strategic decisions.
- Establish Persistent Access: Maintain long-term control over compromised systems to enable ongoing surveillance and data collection.
Ashir Malhotra articulates the espionage focus:
"This is an espionage operation... they were tasked to get access and they might just be waiting for orders or collecting data" (18:47).
7. Recommendations for Mitigation
To defend against such advanced threats, the researchers advocate for a multi-layered security approach:
- Mobile Security:
  - App Store Vigilance: Only install applications from official sources like Google Play to minimize the risk of downloading malicious software.
    “Don’t install anything outside the normal application stores being Google... it's getting way, way, way better at the beginning” (20:35)
- Endpoint Protection:
  - Comprehensive Endpoint Security: Implement robust endpoint protection solutions to monitor and control device activities.
    “You need to have good endpoint control for organizations where their endpoints need to be controlled” (20:35)
- Authentication Measures:
  - Multi-Factor Authentication (MFA): Protect against credential theft by requiring multiple forms of verification.
    “With credential stealing, you must have multi-factor authentication to prevent the usage of those credentials” (20:35)
- Network Monitoring:
  - DNS and Telemetry Analysis: Continuously monitor DNS requests and network telemetry to detect and respond to suspicious activities.
    “Understand which kind of sites are being accessed, which kind of DNS is being resolved” (20:35)
- User Education and Behavioral Controls:
  - Risk Mitigation: Acknowledge the inevitability of human error and focus on minimizing the impact through technical controls.
    “Make the consequences of that happening way, way, lower... control the endpoint. You need to have multifactor authentication, you need to have DNS control” (20:35)
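The "DNS and telemetry analysis" recommendation above is easier to act on with a concrete baseline. The following is an added example, not code from the podcast, from Cisco Talos or from the Operation Celestial Force research: it parses a constructed DNS query log, reports domains a host starts resolving that never appeared during a baseline period (first-seen detection), and flags host/domain pairs that query at a near-constant interval, the regular check-in pattern a remote-access tool typically produces. The log format, host names and domain names are all constructed for the example.

```python
"""First-seen domain and regular-interval query detection over DNS logs.

Added example for the "DNS and telemetry analysis" recommendation; not from
the podcast or Cisco Talos. Log format, hosts and domains are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed log lines: "<ISO timestamp> <client host> <query name>".
SAMPLE_LOG = """\
2024-12-01T09:00:00 ws-17 mail.example-corp.internal
2024-12-01T09:00:05 ws-17 updates.example-vendor.test
2024-12-01T09:01:00 ws-22 mail.example-corp.internal
2024-12-02T10:00:00 ws-17 mail.example-corp.internal
2024-12-02T10:00:30 ws-17 cdn-sync.example-unknown.test
2024-12-02T10:01:30 ws-17 cdn-sync.example-unknown.test
2024-12-02T10:02:30 ws-17 cdn-sync.example-unknown.test
2024-12-02T10:03:30 ws-17 cdn-sync.example-unknown.test
2024-12-02T10:04:30 ws-17 cdn-sync.example-unknown.test
2024-12-02T10:05:00 ws-22 updates.example-vendor.test
"""


def registered_domain(qname, labels=2):
    """Collapse a query name to its last `labels` labels (a crude eTLD+1)."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def parse_log(text):
    """Return (timestamp, host, registered_domain) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, qname = line.split()
        records.append((datetime.fromisoformat(ts), host, registered_domain(qname)))
    return records


def first_seen_domains(records, baseline_end):
    """Domains queried at or after `baseline_end` that never appeared before it.

    Returns {domain: (first timestamp, first host)}.
    """
    baseline = {d for ts, _, d in records if ts < baseline_end}
    alerts = {}
    for ts, host, d in records:
        if ts >= baseline_end and d not in baseline and d not in alerts:
            alerts[d] = (ts, host)
    return alerts


def regular_interval_queries(records, max_gap=600, min_queries=4, max_jitter=15.0):
    """Flag (host, domain) pairs queried at least `min_queries` times with
    gaps no larger than `max_gap` seconds and deviating at most `max_jitter`
    seconds from their mean.  Returns {(host, domain): mean gap in seconds}.
    """
    by_pair = defaultdict(list)
    for ts, host, d in records:
        by_pair[(host, d)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) > max_gap:
            continue  # sporadic, not a steady check-in cadence
        mean = sum(gaps) / len(gaps)
        if max(abs(g - mean) for g in gaps) <= max_jitter:
            flagged[pair] = round(mean, 1)
    return flagged


def analyze(text, baseline_end_iso):
    """Run both detections; returns (first_seen alerts, regular-interval flags)."""
    records = parse_log(text)
    baseline_end = datetime.fromisoformat(baseline_end_iso)
    return first_seen_domains(records, baseline_end), regular_interval_queries(records)


if __name__ == "__main__":
    new, regular = analyze(SAMPLE_LOG, "2024-12-02T00:00:00")
    for d, (ts, host) in new.items():
        print(f"first-seen domain {d} from {host} at {ts.isoformat()}")
    for (host, d), gap in regular.items():
        print(f"regular queries: {host} -> {d} every ~{gap}s")
```

Both detections are deliberately cheap so they can run over a day's resolver logs on a schedule; the thresholds (`max_gap`, `min_queries`, `max_jitter`) are assumptions to tune against your own traffic, and a first-seen alert is a triage cue, not proof of compromise, since new but legitimate domains appear constantly.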
8. Final Insights and Closing Remarks
The conversation concludes with a stark reminder of the ever-present risks posed by human curiosity and the importance of robust security measures:
Vitor Ventura humorously warns:
“If you give somebody a USB drive, they will plug it into your computer” (23:00).
Ashir Malhotra underscores the potential devastation:
“You can shoot down the whole data center” (23:27).
Dave Bittner wraps up the episode by acknowledging the valuable contributions of Ashir and Vitor, highlighting the critical nature of ongoing research in staying ahead of evolving cyber threats.
Conclusion
Operation Celestial Force exemplifies the intricate and persistent nature of state-sponsored cyber espionage targeting Indian entities. The collaboration between Cisco Talos researchers and the broader security community sheds light on the sophisticated methods employed by groups like Cosmic Leopard. As cyber threats continue to evolve, adopting comprehensive, multi-layered security strategies remains paramount in safeguarding sensitive information and maintaining operational integrity.
For further details on this research, please refer to the Show Notes or visit Cisco Talos.