CyberWire Daily - On the prowl for mobile malware. [Research Saturday]
Episode Date: December 28, 2024
This week, we are joined by Asheer Malhotra and Vitor Ventura from Cisco Talos, and they are discussing "Operation Celestial Force employs mobile and desktop malware to target Indian entities." Cisco Talos revealed Operation Celestial Force, an espionage campaign by the Pakistani threat group "Cosmic Leopard," targeting Indian defense, government, and technology sectors. Active for at least six years, the operation has recently increased its use of mobile malware and commercial spyware for surveillance. The research can be found here: Operation Celestial Force employs mobile and desktop malware to target Indian entities
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems,
and protecting ourselves in our rapidly evolving cyberspace.
Thanks for joining us.
Basically, this is part of a long term of research that we have done on this actor nexus
that has been targeting India.
And in this specific case,
it's also the fruit of our outreach to the community.
And it was actually another researcher who came to us
with some information about these kinds of operations,
and we partnered with them in order to make this research.
Our guests today are Asheer Malhotra and Vitor Ventura,
both security researchers with Cisco Talos.
The research we're discussing today is titled
Operation Celestial Force Employs Mobile and Desktop Malware
to Target Indian Entities.
It's kind of with our own research, but we also engage a lot in the community. And this is kind of the outcome of that collaboration with the community also.
We've been tracking this campaign since about 2018,
which is when we first published about a specific malware strain that was used in this campaign as well.
That's Asheer Malhotra.
We've seen sporadic instances of different vendors
publishing stuff about this campaign.
But recently we found some information that tied everything together
and which is what warranted the publication.
Yeah. Well, I mean, let's go through it together here.
Can you give us a bit of the backstory?
When did this threat actor originally come to folks' attention and what were they up to?
Sure. So we've seen this threat actor use a variety of malware families.
One of them is called GravityRat.
And we believe that GravityRat is almost exclusively used by this threat actor called Cosmic Leopard. And we've been tracking GravityRat and its evolution since 2018.
And most recently, what happened was we've been tracking GravityRat and we've been tracking
another malware family, which is basically a malware loader called HeavyLift. And most recently,
we found another component in the campaign, which is
called GravityAdmin. And it's basically an administrative panel. It's an EXE that you
double-click and it opens up an administrative panel that allows you to administer all the
different infections and all the different campaigns that are being conducted in this
operation. And that is what really caught our eye. And we were like, okay, so this brings everything together.
And this is the panel binary that is distributed
to malicious operators belonging to Cosmic Leopard.
And they use this panel binary to actually administer infections
and push out new malware and run commands on infected systems
and steal documents from there and information from there
and so on and so forth.
I think it's important to add that...
That's Vitor Ventura.
When we talk about Cosmic Leopard, this may seem like, okay, this is a new actor that
we are trying to push.
It's important to add that we actually did this because there are multiple overlaps between
this group and other groups.
And we didn't want to just assign this cluster of activity
to a single group like Sidewinder. And so we decided to, okay, we should develop this,
put this in a specific class that in the future,
while we do more research, we are able to either
tear it apart into its subcomponents
and split it into the known groups,
or we may just reach the conclusion
that this is actually just an umbrella group
that has several operators beneath it.
And hence, that's why we decided
to go with this new name for it,
because for us, it's important to be accurate
in the attribution when it's done.
And we didn't want to use attribution
that is known in the field,
but still with a lot of gaps to fill.
So it was more important to get this new name
and in the future be able to split the activity
or not in the cluster through the other actors
that are known right now.
Yeah, that's an interesting insight.
I mean, is it fair to say that this represents
kind of a check-in of a journey
that is continuing along the way?
That this isn't a conclusion of something?
This is where you think we are at this moment?
Oh, definitely.
This is just the beginning.
So this campaign is coming from 2018. But the cluster of activity, it's probably older than that, with other campaigns.
So between this and Transparent Tribe, we need to be able to distinguish the several actors,
because just like we as defenders don't stay the same over time,
the attackers don't stay the same over time.
Especially when they are state-sponsored,
they will evolve according to the needs and the political situation of those countries.
So it should be common for us to update these kinds of descriptions over time.
And this has been going since 2018.
There are older campaigns.
So we cannot stay with the same definition
of that group over this amount of time
because things change on their side also.
And because we are not absolutely sure,
we want to be able to have a cluster of activity that we tie to those two groups with different overlaps that are not 100% overlap on neither of them.
But maybe in the future, we'll be able to get information that will allow us to say, look, this is the evolution of that group.
Or this group has merged with another group and now we have something new.
Or there has always been some kind of umbrella over these subgroups.
Because there will be different teams
with different objectives.
And we have seen this on groups related with other countries
like Lazarus Group with North Korea.
There's a huge amount of subgroups under that umbrella.
So we should allow ourselves the same flexibility
on other groups which we associate with other geographies.
Yeah.
Well, I mean, let's talk about Operation Celestial Force then.
What is the spectrum of things that you all are putting under this particular umbrella?
So it's basically activity that consists of everything: initiating contact with a potential target,
talking to them over social media channels, establishing trust, turning a target into a victim by sending them malware and getting them to infect themselves.
And once they're infected, then the threat actors start their operations, malicious operations on the box that has been infected. And they try to steal data from that specific box or that system. And they try to establish long-term persistent access to individuals or entities that they feel are of high value to the operators.
So it's an entire spectrum of activities from the very start to the very end.
And this consists of also deploying new malware, stealing data, whatnot.
Everything that falls under the spectrum
of an APT or an espionage-focused group
is what Cosmic Leopard intends to do.
Well, can we walk through it together? What a typical process would look like here? I mean,
if I were someone that this group was interested in, what would be their initial way of gaining access?
So they would typically establish contact with their targets.
They would identify who their targets are and who are potential victims of these high-value
targets.
And then they would start talking to these people over social media channels or even
over instant messaging apps, right?
And they will slowly and slowly build trust with them.
We have seen a lot of Chinese,
sorry, a lot of Pakistani nexus of threat actors
use honey traps.
They pretend to be women
and they pretend to honey trap their targets as well.
And then ultimately they serve them malware.
And once the malware is served
and they're tricked into executing it on their system,
that's it, boom, that's all they need.
And then the threat actors will use that malware to perform reconnaissance,
to figure out whether the victim or the system that has been infected
is actually worth their time and effort.
And if it is, then they will slowly sit down and they will go through the entire system
and try to see what is of value to them that they can find on the system
that can be used towards the political and tactful objectives
of the nation state, essentially.
I would just add in this case also,
we saw really well done web pages about cloud drives,
being that one was called Cloudy,
there was the other one which was ZCloud,
if I'm not mistaken.
And the sites were well done.
The effort put into making a believable website was good,
to the point that we were talking with technology partners of ours,
and they were telling us, well, maybe that's not malicious.
And we had to actually, because it didn't look malicious, it was really well done.
And on the other side, the features of those kind of applications for Android in this specific case,
they were there. You could actually upload files and store files, like on any other cloud-based storage,
like, I don't know, any of those, the traditional ones.
So in a sense, of course, those were malicious applications.
Those were malicious sites which have been taken down.
But they went to the effort of making it well done
and making them believable like legitimate applications,
which didn't happen in the past.
In the past, you would go through all this process of honey trapping
and convincing the victim to install something.
And when the victim would install something,
it would get an error saying,
oh, it's not compatible with your system or something like that.
And then it would still be installed and running.
Of course, it was malware,
but it would send the user the message that it was not working. It was something that didn't work.
But in this case, no. In this case, really everything would work, but on top of that, it would have an extra layer of malware, basically.
So I suppose, I mean, that's a way to buy the threat actors a little more time because
they're not raising those suspicions. If I think I'm using an online cloud service
and it works as an online cloud service,
I'm less likely to throw up an alarm, right?
Exactly.
Think about it this way.
If me as a threat actor can get you to upload your files
voluntarily to my service,
I don't really need to make malware, right?
I just need to trick you into saying that,
hey, this is a new cloud service.
Can you use this?
And if you're the one who's uploading all your documents
and all your stuff over there,
I don't really have to put in any more efforts, right,
to steal stuff from your computer.
What do you think folks should know about what's going on behind the scenes
in terms of the technical tools that they're making use of here?
Is this a lot of custom things? Are these off-the-shelf elements or a mix of the two?
In this case, as I was saying before,
these were well-made custom things.
So this is not a SpyNote malware for Android
that was rebuilt or reshaped to look like that.
This is malware that was written from the ground up, by them, that is completely integrated with the
backend to look normal. I would say that even on the Windows side, and correct me if I'm mistaken,
Asheer, they went through a lot of effort to make something that is portable, that would run both on Windows and on macOS.
Even though we didn't see any macOS samples per se, the samples that we had for Windows
had code that would run on macOS also.
And we could see that that existed.
So this kind of multi-platform does require some custom-made stuff,
and especially the Windows part.
And on one side, because it's multi-platform,
on the other side, because it's really well done to seem like a regular service.
So I would say that they went through a big effort
to make their own tools.
And again, they are not copying the groups that we would know usually.
So there is some level of customization on their part.
And that's why we don't have that many overlaps
and we went through a new name for the cluster of activity, basically.
And also our assessment that these are customized tools
is supported by the panel binary, also known as GravityAdmin.
Usually when there is commodity malware
or when there is off-the-shelf malware involved,
it comes with an administrative panel that's pre-built.
However, GravityAdmin in this case,
which is the panel binary,
looks like it's been custom built in .NET
and, you know, it reaches out to specific
command and control URLs for specific campaigns,
you know, that are codenamed inside of the binary as well.
So that, you know, gives strength to our assessment that all of this is custom built and has been evolved
over a period of multiple years since 2018.
You mentioned earlier that they're focused on victims in India.
And so that means we're highly confident, I suppose, that this is coming from Pakistan.
Well, yes, we've seen indications that this is operated by a Pakistani nexus of APT threat actors. We have also seen that a lot of their TTPs, a lot of their tools, techniques, procedures and tactics, match with existing Pakistani APT groups,
such as Transparent Tribe and SideCopy.
And some of the techniques are very, very typical of that.
It's almost as if these guys have learned
from existing Transparent Tribe operations
or from existing SideCopy operations.
And then they've built their own operations slowly and slowly
and matured their own malware families
and their suite of tools.
I see. And what specifically do they seem to be after here?
I mean, are they targeting specific groups, specific areas, or is it broad general espionage?
I would say that we need to think of this as an espionage operation.
And by saying this, what I mean is espionage groups are usually tasked with something.
And they might just start by getting the capability and they have the access and they will just wait for something that is requested from them.
So in this case, if they have a broad victimology,
and if something is tasked from them,
if something is asked from them,
they will already have the access.
And this is the typical way that espionage groups work.
Sometimes they may have some kind of vertical
or something specific that they're after,
which we have seen with other groups in other regions.
But in this specific case,
I would say that they work much more like
a traditional espionage operation where they were tasked to get access
and they might just be waiting for orders or just collecting data.
And when someone asks something, they already have it.
One of the two. It's not highly specific or generic. It's really more like a traditional espionage operation.
By the way, at the beginning, I got the name wrong for the group. I said SideWinder, it was SideCopy.
Okay. Fair enough. So all those people who are furiously getting ready to write you a nasty email,
just hold off, right?
Even worse, they can just start a storm on Twitter.
There you go.
Yes, yes.
Oh, my goodness.
So what are your recommendations then for folks to best protect themselves
against this particular threat actor? How should they go about that?
Well, I would go with a lot of this is about the traditional
thing. So this group, the groups on this Pakistani
nexus have used zero days before, and there are some indications that they
have used exploits before. But in this specific case, we didn't
find any exploitation being used.
So this brings us back to,
on the mobile side,
don't install anything outside
the normal application stores.
Being Google in this specific case.
So use the traditional application store.
It's not to say that they are 100% bulletproof.
There have been cases in the past where they were not,
but it's the best thing we have
and that's what we need to rely on.
And quite frankly, it hasn't happened for a long time.
So I would say that it's getting way, way, way better
than at the beginning.
The other thing is when we talk about Windows and laptops,
which it's a little different,
I would say that we need to have good endpoint control.
For organizations where their endpoints need to be controlled,
you need to have endpoint protection.
But not only that, we have seen more and more and more
attacks being done with credential stealing.
And with that, you must have multi-factor authentication
to prevent the usage of those credentials.
Just like you need to have stuff where you can understand where your telemetry is going,
understand which kind of sites are being accessed, which kind of DNS is being resolved.
All of that helps in a multi-layer approach for the security.
One thing I always say is that we cannot say that the users will click on stuff.
It's a human thing.
They will always click on stuff.
And I always say, if you get into a room
where you have a table and you have a box open,
but you cannot see the content,
what will you do as soon as you enter that room?
You will look into the box.
Everyone does that.
It's human nature.
So we cannot ask people not to click on links.
We can ask them, but we cannot rely on them not doing it, because it's human nature.
What we need to do as security professionals is to make
the consequences of that happening way, way lower. And for that
you need to control the endpoint, you need to have multi-factor authentication, you need to have DNS
control. That's what we can do.
As an individual, we should be careful
with all of these, as I said. But in the end,
corporations and organizations, that's what they can do.
All right. Any final thoughts, Asheer?
Just one thought. If you give somebody a USB drive, they will plug it into your computer.
I think of often, you know, every now and then, we've probably all been in that situation where you're in a building or something,
and maybe an industrial facility, and there's a big red button on the wall that says,
do not press, right?
And it is so hard to not press the button.
What's the worst that could happen, right?
Right.
Well, you can shut down a whole data center.
I've seen it happen.
It's not good.
It's not pretty.
And that's Research Saturday, brought to you by N2K CyberWire.
Our thanks to Asheer Malhotra and Vitor Ventura
from Cisco Talos for joining us.
The research is titled
Operation Celestial Force
employs mobile and desktop malware
to target Indian entities.
We'll have a link in the show notes.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter.
Learn how at N2K.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.