Operation Ghost: The Dukes aren’t back – they never left

ESET researchers describe recent activity of the infamous espionage group, the Dukes, including three new malware families

(Editor’s note: contributed blogs like this are part of ChannelBuzz.ca’s annual sponsorship program. Find out more here. This article was originally posted to the ESET site We Live Security by ESET Research.)

The Dukes (aka APT29 and Cozy Bear) have been in the spotlight after their suspected involvement in the breach of the Democratic National Committee in the run-up to the 2016 US elections. Since then, except for a one-off, suspected comeback in November 2018, with a phishing campaign targeting several US-based organizations, no activity has been confidently attributed to the Dukes. This left us thinking that the group had stopped its activities.

This held true until recent months, when we uncovered three new malware families that we attribute to the Dukes – PolyglotDuke, RegDuke and FatDuke. These new implants were used until very recently, with the latest observed sample being deployed in June 2019. This means the Dukes have been quite active since 2016, developing new implants and compromising high-value targets. We call these newly uncovered Dukes activities, collectively, Operation Ghost.

Timeline and victimology

We believe Operation Ghost started in 2013 and it is still ongoing as of this writing. Our research shows that the Ministries of Foreign Affairs in at least three different countries in Europe are affected by this campaign. We have also discovered an infiltration by the Dukes at the Washington, DC embassy of a European Union country.

One of the first public traces of this campaign is to be found on Reddit in July 2014. Figure 1 shows a message posted by the attackers. The strange string using an unusual character set is the encoded URL of a C&C server used by PolyglotDuke.

Figure 1. Reddit post containing an encoded Command & Control URL

Figure 2 presents the timeline of Operation Ghost. As it is based on ESET telemetry, it might be only a partial view of a broader campaign.

Figure 2. Timeline of Operation Ghost

Attribution to the Dukes

On one hand, we noticed numerous similarities in the tactics of this campaign to those from previously documented ones, such as the use of:

  • Twitter (and other social websites such as Reddit) to host C&C URLs
  • steganography in images to hide payloads or C&C communications
  • Windows Management Instrumentation (WMI) for persistence

We also noticed important similarities in the targeting:

  • all the known targets are Ministries of Foreign Affairs.
  • known targeted organizations were previously compromised by other Dukes malware such as CozyDuke, OnionDuke or MiniDuke.
  • on some machines compromised with PolyglotDuke and MiniDuke, we noticed that CozyDuke was installed only a few months before.

However, an attribution based only on the presence of known Dukes tools on the same machines should be taken with a grain of salt. We also found two other APT threat actors – Turla and Sednit – on some of the same computers.

On the other hand, we found strong code similarities between already documented samples and samples from Operation Ghost. We cannot discount the possibility of a false flag operation, however, this campaign started while only a small portion of the Dukes’ arsenal was known. In 2013, at the first known compilation date of PolyglotDuke, only MiniDuke had been documented and threat analysts were not yet aware of the importance of this threat actor. Thus, we believe Operation Ghost was run simultaneously with the other campaigns and has flown under the radar until now.

PolyglotDuke (SHA-1: D09C4E7B641F8CB7CC86190FD9A778C6955FEA28) uses a custom encryption algorithm to decrypt the strings used by the malware. We found functionally equivalent code in an OnionDuke sample (SHA-1: A75995F94854DEA8799650A2F4A97980B71199D2) that was documented by F-Secure in 2014. It is interesting to note that the value used to seed the srand function is the compilation timestamp of the executable. For instance, 0x5289f207 corresponds to Mon 18 Nov 2013 10:55:03 UTC.

The IDA screenshots in Figure 3 show the two similar functions.

Figure 3. Comparison of a custom string encryption function found in PolyglotDuke (on the left) and in OnionDuke (on the right) samples from 2013

Further, recent samples of the MiniDuke backdoor bear similarities with samples documented more than five years ago. Figure 4 is the comparison of a function in a MiniDuke backdoor listed by Kaspersky in 2014 (SHA-1: 86EC70C27E5346700714DBAE2F10E168A08210E4) and a MiniDuke backdoor (SHA-1: B05CABA461000C6EBD8B237F318577E9BCCD6047) compiled in August 2018.

Figure 4. Comparison of the same function in MiniDuke from 2014 (on the top) and in MiniDuke from 2018 (on the bottom)

Given the numerous similarities between other known Dukes campaigns and Operation Ghost, especially the strong code similarities, and the overlap in time with previous campaigns, we assess with high confidence that this operation is run by the Dukes.

Updated tools and techniques

In Operation Ghost, the Dukes have used a limited number of tools, but they have relied on numerous interesting tactics to avoid detection.

First, they are very persistent. They steal credentials and use them systematically to move laterally on the network. We have seen them using administrative credentials to compromise or re-compromise machines on the same local network. Thus, when responding to a Dukes compromise, it is important to make sure to remove every implant in a short period of time. Otherwise, the attackers will use any remaining implant to compromise the cleaned systems again.

Second, they have a sophisticated malware platform divided into four stages:

  • PolyglotDuke, which uses Twitter or other websites such as Reddit and Imgur to get its C&C URL. It also relies on steganography in images for its C&C communication.
  • RegDuke, a recovery first stage, which uses Dropbox as its C&C server. The main payload is encrypted on disk and the encryption key is stored in the Windows registry. It also relies on steganography as above.
  • MiniDuke backdoor, the second stage. This simple backdoor is written in assembly. It is very similar to older MiniDuke backdoors.
  • FatDuke, the third stage. This sophisticated backdoor implements a lot of functionalities and has a very flexible configuration. Its code is also well obfuscated using many opaque predicates. They re-compile it and modify the obfuscation frequently to bypass security product detections.

Figure 5 is a summary of the malware platform of Operation Ghost.

Figure 5. Summary of Operation Ghost malware platform

Third, we also noticed that the operators avoid using the same C&C network infrastructure between different victim organizations. This kind of compartmentalization is generally only seen by the most meticulous attackers. It prevents the entire operation from being burned when a single victim discovers the infestation and shares the related network IoCs with the security community.

Conclusion

Our new research shows that even if an espionage group disappears from public reports for many years, it may not have stopped spying. The Dukes were able to fly under the radar for many years while compromising high‑value targets, as before.

A comprehensive list of Indicators of Compromise (IoCs) and samples can be found in the full white paper and on GitHub.

For a detailed analysis of the backdoor, refer to our white paper. For any inquiries, or to make sample submissions related to the subject, contact us at [email protected].

MITRE ATT&CK techniques

Tactic ID Name Description
Initial Access T1193 Spearphishing Attachment The Dukes likely used spearphishing emails to compromise the target.
T1078 Valid Accounts Operators use account credentials previously stolen to come back on the victim’s network.
Execution T1106 Execution through API They use CreateProcess or LoadLibrary Windows APIs to execute binaries.
T1129 Execution through Module Load Some of their malware load DLL using LoadLibrary Windows API.
T1086 PowerShell FatDuke can execute PowerShell scripts.
T1085 Rundll32 The FatDuke loader uses rundll32 to execute the main DLL.
T1064 Scripting FatDuke can execute PowerShell scripts.
T1035 Service Execution The Dukes use PsExec to execute binaries on remote hosts.
Persistence T1060 Registry Run Keys / Startup Folder The Dukes use the CurrentVersion\Run registry key to establish persistence on compromised computers.
T1053 Scheduled Task The Dukes use Scheduled Task to launch malware at startup.
T1078 Valid Accounts The Dukes use account credentials previously stolen to come back on the victim’s network.
T1084 Windows Management Instrumentation Event Subscription The Dukes used WMI to establish persistence for RegDuke.
Defense Evasion T1140 Deobfuscate/Decode Files or Information The droppers for PolyglotDuke and LiteDuke embed encrypted payloads.
T1107 File Deletion The Dukes malware can delete files and directories.
T1112 Modify Registry The keys used to decrypt RegDuke payloads are stored in the Windows registry.
T1027 Obfuscated Files or Information The Dukes encrypts PolyglotDuke and LiteDuke payloads with custom algorithms. They also rely on known obfuscation techniques such as opaque predicates and control flow flattening to obfuscate RegDuke, MiniDuke and FatDuke.
T1085 Rundll32 The FatDuke loader uses rundll32 to execute the main DLL.
T1064 Scripting FatDuke can execute PowerShell scripts.
T1045 Software Packing The Dukes use a custom packer to obfuscate MiniDuke and FatDuke binaries. They also use the commercial packer .NET Reactor to obfuscate RegDuke.
T1078 Valid Accounts The Dukes use account credentials previously stolen to come back on the victim’s network.
T1102 Web Service PolyglotDuke fetches public webpages (Twitter, Reddit, Imgur, etc.) to get encrypted strings leading to new C&C. server. For RegDuke, they also use Dropbox as a C&C server.
Discovery T1083 File and Directory Discovery The Dukes can interact with files and directories on the victim’s computer.
T1135 Network Share Discovery The Dukes can list network shares.
T1057 Process Discovery The Dukes can list running processes.
T1049 System Network Connections Discovery The Dukes can execute commands like net use to gather information on network connections.
Lateral Movement T1077 Windows Admin Shares The Dukes use PsExec to execute binaries on a remote host.
Collection T1005 Data from Local System The Dukes can collect files on the compromised machines
T1039 Data from Network Shared Drive The Dukes can collect files on shared drives.
T1025 Data from Removable Media The Dukes can collect files on removable drives.
Command and Control T1090 Connection Proxy The Dukes can communicate to the C&C server via proxy. They also use named pipes as proxies when a machine is isolated within a network and does not have direct access to the internet.
T1001 Data Obfuscation The Dukes use steganography to hide payloads and commands inside valid images.
T1008 Fallback Channels The Dukes have multiple C&C servers in case one of them is down.
T1071 Standard Application Layer Protocol The Dukes are using HTTP and HTTPS protocols to communicate with the C&C server.
T1102 Web Service PolyglotDuke fetches public webpages (Twitter, Reddit, Imgur, etc.) to get encrypted strings leading to new C&C server. For RegDuke, they also use Dropbox as a C&C server.
Exfiltration T1041 Exfiltration Over Command and Control Channel The Dukes use the C&C channel to exfiltrate stolen data.