Operation Ghost: The Dukes aren’t back – they never left | WeLiveSecurity

Operation Ghost: The Dukes aren’t back – they never left

ESET researchers describe recent activity of the infamous espionage group, the Dukes, including three new malware families

ESET researchers describe recent activity of the infamous espionage group, the Dukes, including three new malware families

The Dukes (aka APT29 and Cozy Bear) have been in the spotlight after their suspected involvement in the breach of the Democratic National Committee in the run-up to the 2016 US elections. Since then, except for a one-off, suspected comeback in November 2018, with a phishing campaign targeting several US-based organizations, no activity has been confidently attributed to the Dukes. This left us thinking that the group had stopped its activities.

This held true until recent months, when we uncovered three new malware families that we attribute to the Dukes – PolyglotDuke, RegDuke and FatDuke. These new implants were used until very recently, with the latest observed sample being deployed in June 2019. This means the Dukes have been quite active since 2016, developing new implants and compromising high-value targets. We call these newly uncovered Dukes activities, collectively, Operation Ghost.

Timeline and victimology

We believe Operation Ghost started in 2013 and it is still ongoing as of this writing. Our research shows that the Ministries of Foreign Affairs in at least three different countries in Europe are affected by this campaign. We have also discovered an infiltration by the Dukes at the Washington, DC embassy of a European Union country.

One of the first public traces of this campaign is to be found on Reddit in July 2014. Figure 1 shows a message posted by the attackers. The strange string using an unusual character set is the encoded URL of a C&C server used by PolyglotDuke.

Figure 1. Reddit post containing an encoded Command & Control URL

Figure 2 presents the timeline of Operation Ghost. As it is based on ESET telemetry, it might be only a partial view of a broader campaign.

Figure 2. Timeline of Operation Ghost

Attribution to the Dukes

On one hand, we noticed numerous similarities in the tactics of this campaign to those from previously documented ones, such as the use of:

  • Twitter (and other social websites such as Reddit) to host C&C URLs
  • steganography in images to hide payloads or C&C communications
  • Windows Management Instrumentation (WMI) for persistence

We also noticed important similarities in the targeting:

  • all the known targets are Ministries of Foreign Affairs.
  • known targeted organizations were previously compromised by other Dukes malware such as CozyDuke, OnionDuke or MiniDuke.
  • on some machines compromised with PolyglotDuke and MiniDuke, we noticed that CozyDuke was installed only a few months before.

However, an attribution based only on the presence of known Dukes tools on the same machines should be taken with a grain of salt. We also found two other APT threat actors – Turla and Sednit – on some of the same computers.

On the other hand, we found strong code similarities between already documented samples and samples from Operation Ghost. We cannot discount the possibility of a false flag operation, however, this campaign started while only a small portion of the Dukes’ arsenal was known. In 2013, at the first known compilation date of PolyglotDuke, only MiniDuke had been documented and threat analysts were not yet aware of the importance of this threat actor. Thus, we believe Operation Ghost was run simultaneously with the other campaigns and has flown under the radar until now.

PolyglotDuke (SHA-1: D09C4E7B641F8CB7CC86190FD9A778C6955FEA28) uses a custom encryption algorithm to decrypt the strings used by the malware. We found functionally equivalent code in an OnionDuke sample (SHA-1: A75995F94854DEA8799650A2F4A97980B71199D2) that was documented by F-Secure in 2014. It is interesting to note that the value used to seed the srand function is the compilation timestamp of the executable. For instance, 0x5289f207 corresponds to Mon 18 Nov 2013 10:55:03 UTC.

The IDA screenshots in Figure 3 show the two similar functions.

Figure 3. Comparison of a custom string encryption function found in PolyglotDuke (on the left) and in OnionDuke (on the right) samples from 2013

Further, recent samples of the MiniDuke backdoor bear similarities with samples documented more than five years ago. Figure 4 is the comparison of a function in a MiniDuke backdoor listed by Kaspersky in 2014 (SHA-1: 86EC70C27E5346700714DBAE2F10E168A08210E4) and a MiniDuke backdoor (SHA-1: B05CABA461000C6EBD8B237F318577E9BCCD6047) compiled in August 2018.

Figure 4. Comparison of the same function in MiniDuke from 2014 (on the top) and in MiniDuke from 2018 (on the bottom)

Given the numerous similarities between other known Dukes campaigns and Operation Ghost, especially the strong code similarities, and the overlap in time with previous campaigns, we assess with high confidence that this operation is run by the Dukes.

Updated tools and techniques

In Operation Ghost, the Dukes have used a limited number of tools, but they have relied on numerous interesting tactics to avoid detection.

First, they are very persistent. They steal credentials and use them systematically to move laterally on the network. We have seen them using administrative credentials to compromise or re-compromise machines on the same local network. Thus, when responding to a Dukes compromise, it is important to make sure to remove every implant in a short period of time. Otherwise, the attackers will use any remaining implant to compromise the cleaned systems again.

Second, they have a sophisticated malware platform divided into four stages:

  • PolyglotDuke, which uses Twitter or other websites such as Reddit and Imgur to get its C&C URL. It also relies on steganography in images for its C&C communication.
  • RegDuke, a recovery first stage, which uses Dropbox as its C&C server. The main payload is encrypted on disk and the encryption key is stored in the Windows registry. It also relies on steganography as above.
  • MiniDuke backdoor, the second stage. This simple backdoor is written in assembly. It is very similar to older MiniDuke backdoors.
  • FatDuke, the third stage. This sophisticated backdoor implements a lot of functionalities and has a very flexible configuration. Its code is also well obfuscated using many opaque predicates. They re-compile it and modify the obfuscation frequently to bypass security product detections.

Figure 5 is a summary of the malware platform of Operation Ghost.

Figure 5. Summary of Operation Ghost malware platform

Third, we also noticed that the operators avoid using the same C&C network infrastructure between different victim organizations. This kind of compartmentalization is generally only seen by the most meticulous attackers. It prevents the entire operation from being burned when a single victim discovers the infestation and shares the related network IoCs with the security community.

Conclusion

Our new research shows that even if an espionage group disappears from public reports for many years, it may not have stopped spying. The Dukes were able to fly under the radar for many years while compromising high‑value targets, as before.

A comprehensive list of Indicators of Compromise (IoCs) and samples can be found in the full white paper and on GitHub.

For a detailed analysis of the backdoor, refer to our white paper. For any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.

MITRE ATT&CK techniques

TacticIDNameDescription
Initial AccessT1193Spearphishing AttachmentThe Dukes likely used spearphishing emails to compromise the target.
T1078Valid AccountsOperators use account credentials previously stolen to come back on the victim's network.
ExecutionT1106Execution through APIThey use CreateProcess or LoadLibrary Windows APIs to execute binaries.
T1129Execution through Module LoadSome of their malware load DLL using LoadLibrary Windows API.
T1086PowerShellFatDuke can execute PowerShell scripts.
T1085Rundll32The FatDuke loader uses rundll32 to execute the main DLL.
T1064ScriptingFatDuke can execute PowerShell scripts.
T1035Service ExecutionThe Dukes use PsExec to execute binaries on remote hosts.
PersistenceT1060Registry Run Keys / Startup FolderThe Dukes use the CurrentVersion\Run registry key to establish persistence on compromised computers.
T1053Scheduled TaskThe Dukes use Scheduled Task to launch malware at startup.
T1078Valid AccountsThe Dukes use account credentials previously stolen to come back on the victim's network.
T1084Windows Management Instrumentation Event SubscriptionThe Dukes used WMI to establish persistence for RegDuke.
Defense EvasionT1140Deobfuscate/Decode Files or InformationThe droppers for PolyglotDuke and LiteDuke embed encrypted payloads.
T1107File DeletionThe Dukes malware can delete files and directories.
T1112Modify RegistryThe keys used to decrypt RegDuke payloads are stored in the Windows registry.
T1027Obfuscated Files or InformationThe Dukes encrypts PolyglotDuke and LiteDuke payloads with custom algorithms. They also rely on known obfuscation techniques such as opaque predicates and control flow flattening to obfuscate RegDuke, MiniDuke and FatDuke.
T1085Rundll32The FatDuke loader uses rundll32 to execute the main DLL.
T1064ScriptingFatDuke can execute PowerShell scripts.
T1045Software PackingThe Dukes use a custom packer to obfuscate MiniDuke and FatDuke binaries. They also use the commercial packer .NET Reactor to obfuscate RegDuke.
T1078Valid AccountsThe Dukes use account credentials previously stolen to come back on the victim's network.
T1102Web ServicePolyglotDuke fetches public webpages (Twitter, Reddit, Imgur, etc.) to get encrypted strings leading to new C&C. server. For RegDuke, they also use Dropbox as a C&C server.
DiscoveryT1083File and Directory DiscoveryThe Dukes can interact with files and directories on the victim's computer.
T1135Network Share DiscoveryThe Dukes can list network shares.
T1057Process DiscoveryThe Dukes can list running processes.
T1049System Network Connections DiscoveryThe Dukes can execute commands like net use to gather information on network connections.
Lateral MovementT1077Windows Admin SharesThe Dukes use PsExec to execute binaries on a remote host.
CollectionT1005Data from Local SystemThe Dukes can collect files on the compromised machines
T1039Data from Network Shared DriveThe Dukes can collect files on shared drives.
T1025Data from Removable MediaThe Dukes can collect files on removable drives.
Command and ControlT1090Connection ProxyThe Dukes can communicate to the C&C server via proxy. They also use named pipes as proxies when a machine is isolated within a network and does not have direct access to the internet.
T1001Data ObfuscationThe Dukes use steganography to hide payloads and commands inside valid images.
T1008Fallback ChannelsThe Dukes have multiple C&C servers in case one of them is down.
T1071Standard Application Layer ProtocolThe Dukes are using HTTP and HTTPS protocols to communicate with the C&C server.
T1102Web ServicePolyglotDuke fetches public webpages (Twitter, Reddit, Imgur, etc.) to get encrypted strings leading to new C&C server. For RegDuke, they also use Dropbox as a C&C server.
ExfiltrationT1041Exfiltration Over Command and Control ChannelThe Dukes use the C&C channel to exfiltrate stolen data.

Discussion