CyberWire Daily

On the prowl for mobile malware. [Research Saturday]

This week, we are joined by Asheer Malhotra and Vitor Ventura from Cisco Talos, and they are discussing "Operation Celestial Force employs mobile and desktop malware to target Indian entities." Cisco Talos revealed Operation Celestial Force, an espionage campaign by the Pakistani threat group "Cosmic Leopard," targeting Indian defense, government, and technology sectors. Active for at least six years, the operation has recently increased its use of mobile malware and commercial spyware for surveillance. The research can be found here: Operation Celestial Force employs mobile and desktop malware to target Indian entities

Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration:
25m
Broadcast on:
13 Jul 2024
Audio Format:
mp3

You're listening to the Cyberwire Network, powered by N2K.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. In Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's V-A-N-T-A.com/cyber for $1,000 off Vanta.

Hello everyone and welcome to the Cyberwire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Basically this is part of a long term of research that we have done on this actor nexus that has been targeting India, and in this specific case it's also the fruit of our reach-out to the community. It was actually another researcher that came to us that he had some information about these kind of operations, and we partnered with him in order to make this research.

Our guests today are Asheer Malhotra and Vitor Ventura, both security researchers with Cisco Talos. The research we're discussing today is titled "Operation Celestial Force employs mobile and desktop malware to target Indian entities."

It's kind of with our own research, but we also engage a lot in the community, and this is kind of the outcome of that collaboration with the community also.

We've been tracking this campaign since about 2018, which is when we first published about a specific malware strain that was used in this campaign as well.

That's Asheer Malhotra.

We see sporadic instances of different vendors publishing stuff about this campaign, but recently we found some information that tied everything together, and which is what warranted the publication.

Yeah. Well, I mean, let's go through it together here. Can you give us a bit of the backstory? When did this threat actor originally come to folks' attention, and what were they up to?

Sure, so we've seen this threat actor use a variety of malware families. One of them is called GravityRAT, and we believe that GravityRAT is almost exclusively used by this threat actor called Cosmic Leopard, and we've been tracking GravityRAT and its evolution since 2018. Most recently what happened was we've been tracking GravityRAT and we've been tracking another malware family, which is basically a malware loader called HeavyLift. Most recently we found another component in the campaign which is called GravityAdmin, and it's basically an administrative panel. It's an EXE that you double click and it opens up an administrative panel that allows you to administer all the different infections and all the different campaigns that are being conducted in this operation, and that is what really caught our eye, and we were like, "Okay, so this brings everything together, and you know, this is the panel binary that is distributed to malicious operators belonging to Cosmic Leopard, and they use this panel binary to actually administer infections and push out new malware and run commands on infected systems and steal documents from there and information from there and so on and so forth."

I think it's important to add that...

That's Vitor Ventura.

When we talk about Cosmic Leopard, and this may seem like, "Okay, this is a new actor that we are trying to push," it's important to add that we actually did this because there are multiple overlaps between this group and other groups, and we didn't want to just assign this cluster of activity to a single group like SideWinder. So we decided, "Okay, we should develop this, put this in a specific class," so that in the future, while we do more research, we are able to either tear it apart into its sub-components and spread it into the known groups, or we may just reach the conclusion that this is actually just an umbrella group that has several operators beneath it. And hence that's why we decided to go with this new name for it, because for us it's important to be accurate in the attribution when it's done, and we didn't want to use attribution that is known in the field but still with a lot of gaps to fill. So it was more important to get this new name and in the future be able to split the activity, or not, in the cluster through the other actors that are known right now.

Yeah, that's an interesting insight. I mean, is it fair to say that this represents kind of a check-in of a journey that is continuing along the way, that this isn't a conclusion of something, this is where you think we are at this moment?

Oh, definitely, this is just the beginning. So this campaign is coming from 2018, but the cluster of activity, it's probably older than that, with other campaigns. So between this and Transparent Tribe we need to be able to distinguish the several actors, because just like we as defenders don't stay the same over time, the attackers don't stay the same over time. There are always, especially when they are related with, when they are state sponsored, they will evolve accordingly with the needs and the political situation of those countries. So it should be common for us to update this kind of descriptions over time. And this has been going on since 2018; there are older campaigns. So we cannot stay with the same definition of that group over this amount of time, because things change on their side also. And because we are not absolutely sure, we want to be able to have a cluster of activity that we tie to those two groups with different overlaps that are not a 100% overlap on either of them. But maybe in the future we'll be able to get information that allows us to say, look, this is the evolution of that group, or this group has merged with another group and now we have something new, or there has always been some kind of umbrella over these subgroups, because there will be different teams with different objectives. And we have seen this on groups related with other countries, like Lazarus Group with North Korea. There's a huge amount of subgroups under that umbrella. So we should be able to, we should allow ourselves to have the same flexibility on other groups which we associate with other geographies.

Yeah. Well, I mean, let's talk about Operation Celestial Force then. What is the spectrum of things that you all are putting under this particular umbrella?

So it's basically activity that consists of everything: initiating contact with a potential target, talking to them over social media channels, establishing trust, turning a target into a victim by sending them malware and getting them to infect themselves. And once they're infected, then the threat actors start their operations, malicious operations on the box that has been infected, and they try to steal data from that specific box, that system, and they try to establish long-term persistent access to individuals or entities that they feel are of high value to the operators. So it's an entire spectrum of activities from the very start to the very end. And this consists of also deploying new malware, stealing data, whatnot. Everything that falls under the spectrum of an APT or an espionage-focused group is what Cosmic Leopard intends to do.

We'll be right back.

And now a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed Security Coach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. Security Coach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with Security Coach. Learn more at knowbe4.com/securitycoach, that's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show.

Well, can we walk through it together, what a typical process would look like here? I mean, if I were someone that this group was interested in, what would be their initial way of gaining access?

So they would typically establish contact with their targets. They would identify who their targets are and who are potential victims of this, high-value targets. And then they would start talking to these people over social media channels or even over instant messaging apps, right? And they will slowly and slowly build trust with them. We have seen a lot of Chinese, sorry, a lot of Pakistani nexus of threat actors use honey traps. They pretend to be women and they pretend to honey trap their targets as well. And then ultimately they serve them malware. And once the malware is served and they're tricked into executing it on their system, that's it. Boom, that's all they need. And then the threat actors will use that malware to perform reconnaissance, to figure out whether the victim or the system that has been infected is actually worth their time and effort. And if it is, then they will slowly sit down and they will go through the entire system and try to see what is of value to them that they can find on the system, that can be used towards the political and tactful objectives of the nation state, essentially.

I would just add, in this case also, we saw really well done web pages about cloud drives, being that one was called the quality, there was the other one, which was ZCloud, if I'm not mistaken. And the sites were well done; the effort put into making a believable website was good, to the point that we were talking with a technology partner of ours, and they were telling us, well, maybe that's not malicious. And we had to actually, because it didn't look malicious, it was really well done. And on the other side, the features of those kind of applications for Android in this specific case, they were there. You could actually upload files and store files, like on any other cloud-based storage, like, I don't know, any of those, the traditional ones. So in a sense, of course, those were malicious applications, those were malicious sites which have been taken down, but they were really, they went to the effort of making it well done and making them believable, like legitimate applications, which didn't happen in the past. In the past, you would go through all this process of honey trapping and convincing the victim to install something. And when the victim would install something, it would get an error saying, oh, it's not compatible with your system, or something like that. And then it would still be installed and running, of course, it was malware. But it would send the user the message that it was not working. It was something that didn't work. Right. But in this case, no, in this case, it really, everything would work. But on top of that, it would have an extra layer of malware, basically.

So I suppose, I mean, that's a way to buy the threat actors a little more time, because they're not raising those suspicions. So when, you know, if I think I'm using an online cloud service and it works as an online cloud service, I'm less likely to throw up an alarm, right?

Exactly. Think about it this way. Like, if me as a threat actor can get you to upload your files voluntarily to my service, I don't really need to make malware, right? Like, I just need to trick you into saying that, hey, this is a new cloud service. Can you use this? And if you're the one who's uploading all your documents and all your stuff over there, I don't really have to put in any more efforts, right, to steal stuff from your computer.

What do you think folks should know about what's going on behind the scenes in terms of the technical tools that they're making use of here? Is this a lot of custom things, or are these off-the-shelf elements, or a mix of the two?

In this case, as I was saying before, these were well-made custom things. So this is not a, I don't know, a SpyNote malware for Android that was rebuilt or really reshaped to look into that. This is malware that was written from the ground up by them, that is completely integrated with them, with the back end, to look normal. I would say that even on the Windows side, and correct me if I'm mistaken, Asheer, they went through a lot of effort of making something that is portable, that would run both on Windows and on macOS. Even though we didn't see any macOS samples per se, the samples that we had for Windows had the code that would run on macOS also. And we could see that that existed. So this kind of multi-platform does require some custom-made stuff, and especially the Windows part. And on one side, because it's multi-platform, on the other side, because it's really well done to seem like a regular service. So I would say that they went through a big effort to make their own tools and that, again, they are not copying the groups that we would know usually. So there is some level of customization on their part, and that's why we don't have that many overlaps and we went through a new name for the cluster of activity, basically.

And also our assessment that these are customized tools is supported by the panel binary, also known as GravityAdmin. Usually, when there is commodity malware or when there is off-the-shelf malware involved, it comes with an administrative panel that's pre-built. However, GravityAdmin in this case, which is the panel binary, looks like it's been custom-built in .NET, and it reaches out to specific command and control URLs for specific campaigns that are codenamed inside of the binary as well. So that gives strength to our assessment that all of this is custom-built and has been evolved over a period of multiple years since 2018.

You mentioned earlier that they're focused on victims in India, and so that means we are highly confident, I suppose, that this is coming from Pakistan.

Well, yes. We've seen indications that this is operated by a Pakistani nexus of APT threat actors. We have also seen that a lot of their TTPs, a lot of their tools, techniques and procedures and tactics, match with existing Pakistani APT groups, such as Transparent Tribe and SideCopy, and some of the techniques are very, very typical of that. It's almost as if these guys have learned from existing Transparent Tribe operations or from existing SideCopy operations, and then they've pitched their own operations slowly and slowly and matured their own malware families and their sort of tools.

I see. And what specifically do they seem to be after here? Are they targeting specific groups, specific areas, or is it broad general espionage?

I would say that we need to think of this as an espionage operation. And by saying this, what I mean is you, an espionage group, are usually tasked with something, and they might just start by getting the capability, and they have the access, and they will just wait for something that is requested from them. So in this case, if they have a broad victimology, and if something is tasked from them, if something is asked from them, they will already have the access. And this is the typical way that espionage groups work. Sometimes they may have some kind of vertical or something specific that they're after, which we have seen with other groups in other regions. But in this specific case, I would say that they work much more like a traditional espionage operation, where they were tasked to get access, and they might just be waiting for orders, or just collecting data, and when someone asks something, they already have it. One of the two; it's not highly specific or generic. It's really more like a traditional espionage operation. By the way, at the beginning, I got the name wrong for the group. I said SideWinder when it was SideCopy. Okay. Just a note.

Fair enough. So all those people who are furiously getting ready to write you a nasty email, just hold off, right?

Well, even worse, they can just start to storm on Twitter.

There you go, yes, oh my goodness. So what are your recommendations then for folks to best protect themselves against this particular threat actor? How should they go about that?

Well, I would go with, a lot of this is about the traditional thing. So this group, the groups on this Pakistani nexus have used zero days before, and there are some indications that they have used exploits before. But in this specific case, we didn't find any exploitation being used. So this brings us back to, on the mobile side, don't install anything outside the normal application stores, being Google in this specific case. So use the traditional application store. It's not to say that they are 100% bulletproof. There have been cases in the past where they were not. But it's the best thing we have, and that's what we need to rely on. And quite frankly, it hasn't happened for a long time. So I would say that it's getting way, way, way better than at the beginning. The other thing is when we talk about Windows and laptops, which is a little different, I would say that we need to have good endpoint control for organizations, where their endpoints need to be controlled. You need to have endpoint protection. But not only that, we have seen more and more and more attacks being done with credential stealing. And with that, you must have multifactor authentication to prevent the usage of those credentials, just like you need to have stuff where you can understand where your telemetry is going, understand which kind of sites are being accessed, which kind of DNS is being resolved. All of that helps in a multilayer approach for security. One thing I always say is that we cannot say that the users won't click on stuff. It's a human thing. They will always click on stuff. And I always say, if you get into a room where you have a table and you have a box open, but you cannot see the content, what will you do as soon as you enter that room? You will look into the box. Everyone does that. It's human nature. So we cannot ask people not to click on links. We can ask them, but we cannot rely that they won't do it, because it's human nature. What we need to do as security professionals is to make the consequences of that happening way, way lower. And for that, you need to control the endpoint. You need to have multifactor authentication, you need to have DNS control. That's what we can do. As an individual, well, we should be careful with all of these, as I said. In the end, corporations and organizations, that's what they can do.

All right. Any final thoughts, Asheer?

Just one thought. If you give somebody a USB drive, they will plug it into your computer.

I think of often, you know, every now and then, we've probably all been in the situation where you're in a building or something, and maybe an industrial facility. And there's a big red button on the wall that says do not press, right? And it is so hard to not press the button. What's the worst that could happen, right?

Right. Well, you can shut down the whole data center. I've seen that happen. It's not pretty.

And that's Research Saturday, brought to you by N2K Cyberwire. Thanks to Asheer Malhotra and Vitor Ventura from Cisco Talos for joining us. The research is titled "Operation Celestial Force employs mobile and desktop malware to target Indian entities." We'll have a link in the show notes. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@N2K.com.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

We're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com.

This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. This is the first time we've ever seen.