Russia-linked threat actor APT29 has been successfully avoiding detection for the past three years while compromising multiple government targets, ESET’s security researchers report.
Also known as the Dukes, CozyDuke, and Cozy Bear, the state-sponsored group has been active for over a decade and is believed to have been involved in the 2016 attacks against the Democratic National Committee (DNC), the formal governing body for the U.S. Democratic Party.
The hackers are believed to have attempted another infiltration into DNC computers in November 2018. The attack employed spear-phishing messages that CrowdStrike and FireEye previously attributed to APT29.
APT29 was named in numerous reports on the hacking ahead of the 2016 U.S. presidential election and the group apparently went silent in early 2017.
According to ESET, however, the hackers actually continued an operation they likely started around six years ago, and which affected the Ministry of Foreign Affairs in at least three different countries in Europe.
In a report published today, ESET’s security researchers detail a sophisticated campaign attributed to the hacking group, which they refer to as Operation Ghost. The attacks have been ongoing since at least 2013, but remained undetected due to stealthy communication techniques and retooling.
As part of the campaign, the hackers used new malware families, namely PolyglotDuke, RegDuke, FatDuke, and LiteDuke, as well as a previously documented backdoor, MiniDuke.
The first-stage malware employed online services such as Twitter, Imgur and Reddit as command and control (C&C) channels, while the use of techniques such as steganography allowed the hackers to hide communication with the C&C.
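The use of Twitter, Imgur and Reddit as C&C channels is hard to spot by destination alone, because those domains are legitimately reached from any workstation. A practical defensive check is to look at which process makes the request: a browser talking to Reddit is normal, a script host or rundll32.exe doing so is not. The following is an added example, not code from ESET's report or from any tool it describes; it runs that heuristic over a few constructed endpoint web-telemetry lines (the log format, the host names and the browser allowlist are all assumptions).

```python
import re

# Constructed sample of endpoint web-request telemetry (not real data).
# Format assumed here: timestamp host process url "user-agent".
SAMPLE_LOG = """\
2019-06-12T10:01:02Z ws-12 chrome.exe https://twitter.com/home "Mozilla/5.0 (Windows NT 10.0) Chrome/75.0"
2019-06-12T10:01:09Z ws-12 rundll32.exe https://twitter.com/someaccount "Mozilla/4.0 (compatible; MSIE 7.0)"
2019-06-12T10:01:10Z ws-12 rundll32.exe https://i.imgur.com/a1b2c3.png "Mozilla/4.0 (compatible; MSIE 7.0)"
2019-06-12T10:02:44Z ws-07 firefox.exe https://www.reddit.com/r/sysadmin "Mozilla/5.0 (Windows NT 10.0) Firefox/67.0"
2019-06-12T10:03:15Z ws-07 powershell.exe https://www.reddit.com/r/random.json "Mozilla/5.0 (Windows NT 10.0) Chrome/75.0"
2019-06-12T10:04:00Z ws-03 outlook.exe https://mail.example.org/owa "Microsoft Office/16.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Public services the article says the first-stage malware abused as C&C channels.
WATCHED_DOMAINS = ("twitter.com", "imgur.com", "reddit.com")

# Processes expected to reach those services from a workstation (assumption;
# tune to the environment's approved browsers).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}


def parse_line(line):
    """Split one telemetry line into its fields; returns None on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, url, ua = m.groups()
    domain = re.sub(r"^https?://", "", url).split("/")[0].lower()
    return {"ts": ts, "host": host, "proc": proc, "url": url, "ua": ua, "domain": domain}


def is_watched(domain):
    """True for a watched service or any of its subdomains (e.g. i.imgur.com)."""
    return any(domain == d or domain.endswith("." + d) for d in WATCHED_DOMAINS)


def find_suspicious(log_text):
    """Return records where a non-browser process contacts a watched service."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_watched(rec["domain"]):
            continue
        if rec["proc"].lower() not in BROWSERS:
            # A non-browser claiming a browser user-agent is a second, independent signal.
            rec["ua_mismatch"] = rec["ua"].startswith("Mozilla/")
            findings.append(rec)
    return findings


def affected_hosts(log_text):
    """Distinct hosts that produced at least one finding."""
    return sorted({f["host"] for f in find_suspicious(log_text)})


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} {f['proc']} -> {f['domain']} (ua_mismatch={f['ua_mismatch']})")
```

Run against the constructed sample it flags the three requests from rundll32.exe and powershell.exe on ws-12 and ws-07 and ignores the browser traffic to the same services. In a real deployment the same logic would be fed from EDR or proxy telemetry that records the originating process, and the allowlist would be extended with any approved non-browser clients.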
At least three victims were identified, all European Ministries of Foreign Affairs, including the Washington DC embassy of a European Union country. The most recent activity associated with this campaign was observed in June 2019.
Not only does the targeting fit the APT29 profile, but so do the tactics and tools observed in this campaign: social websites are used to host the C&C, steganography is employed to hide communication, Windows Management Instrumentation (WMI) is leveraged for persistence, and the compromised machines also had other malware associated with the group installed.
While the possibility of a false flag operation exists, the security researchers believe that the campaign was actually run simultaneously with other APT29 attacks, especially since it started at a time when only a small portion of the group’s arsenal was known.
Only a small number of tools were used as part of the campaign, with the sophisticated malware platform divided into four stages: PolyglotDuke (uses online services for C&C), RegDuke (recovery first stage, uses Dropbox as C&C), MiniDuke (second-stage backdoor), and FatDuke (sophisticated third-stage backdoor that has numerous functions and a flexible configuration).
During their investigation, ESET’s researchers also discovered LiteDuke, a previously unknown and apparently retired third-stage backdoor. They also noticed that the hackers avoid using the same C&C network infrastructure between different victims.
The researchers couldn’t identify the initial compromise vector in these attacks, but they did notice that two of the victims had their systems breached by the same threat actor in 2015, suggesting that they might have maintained access over the entire period.
Operation Ghost Malware
The infection process starts with PolyglotDuke, a downloader that fetches the MiniDuke backdoor and which shows similarities with samples from previous APT29 campaigns.
RegDuke is a first-stage implant that the hackers deploy when they lose control of the other implants on the same machine. The malware was designed to remain undetected for as long as possible, so that the attackers never lose access to the compromised system.
It includes a loader and a payload that is a backdoor designed to reside in memory only. RegDuke can fetch different file types, including Windows executables, DLLs, and PowerShell scripts. The researchers observed it dropping MiniDuke backdoors and the legitimate Process Explorer utility.
MiniDuke is a second-stage backdoor that shows multiple similarities with earlier versions (the most recent sample was compiled in June 2019). It is written in pure x86 assembly, although obfuscation greatly increases its size.
The backdoor has 38 different functions and can upload or download files, create processes, get system information (hostname, ID, pipe name, HTTP method), get a list of local drives and their type (unk, nrt, rmv, fix, net, cdr, ram, und), read from and write to the named pipe, and start and stop the proxy feature.
FatDuke, the current APT29 flagship backdoor, is the third-stage malware that gets deployed on the machines believed to be of highest interest. Mainly delivered via MiniDuke, it may also be dropped using lateral movement tools such as PsExec. Persistence is likely achieved using an earlier stage backdoor.
The hackers are regularly re-packing it to evade detection, with the most recent sample being compiled on May 24, 2019. The researchers witnessed the hackers trying to regain control of a machine several times over the course of a few days and noticed that they used a different sample each time.
FatDuke has a hardcoded configuration, can be controlled remotely using a custom C&C protocol over HTTP or via named pipes on the local network, and features highly obfuscated binaries.
The LiteDuke third-stage backdoor was used between 2014 and 2015 and is not directly linked to Operation Ghost, but the security researchers found it on some machines compromised by MiniDuke. The malware uses SQLite to store information, the same dropper as PolyglotDuke, and the same encryption scheme.
“As we haven’t seen any other threat actor using the same code, we are confident that LiteDuke was indeed part of the Dukes’ arsenal,” ESET notes.
Only the loader is written to disk, while the backdoor code only exists in memory. The backdoor DLL exports seven functions: SendBin, LoadFromCC, SaveToCC, GetDBHandle, GetCCFieldSize, GetCCFieldLn, and DllEntryPoint.
CC stands for Crypto Container, which is a SQLite database stored on the disk in the same directory as the loader. The database contains three different tables and encrypted modules that function as plug-ins for the backdoor.
The malware supports 41 different commands that allow it to upload or download files, securely delete a file by first writing random data (from a linear congruential generator) to the file, update the database (config, modules and objects), create a process, get system information (CPUID, BIOS version, account name, etc.), terminate itself, and more.
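Because LiteDuke keeps its configuration, modules and objects in a SQLite "Crypto Container" next to the loader, with only the loader on disk and the module contents encrypted, a responder triaging a suspect directory can look for SQLite files whose tables hold large, high-entropy blobs. The block below is an added example, not code from ESET or from the malware itself: it builds a constructed container-like database in a temporary directory (the table and column names are assumptions, chosen to mirror the config/modules/objects grouping the article mentions) and then scans that directory for SQLite files, listing their tables and flagging blobs whose entropy is consistent with encrypted content.

```python
import math
import os
import sqlite3
import tempfile

# First 16 bytes of every SQLite 3 database file.
SQLITE_MAGIC = b"SQLite format 3\x00"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_sqlite_file(path: str) -> bool:
    """Identify SQLite databases by header, regardless of file extension."""
    try:
        with open(path, "rb") as f:
            return f.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def inspect_db(path: str) -> dict:
    """List tables and measure every BLOB value stored in the database."""
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        report = {"path": path, "tables": tables, "blobs": []}
        for table in tables:
            # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
            for _, col, ctype, *_ in con.execute(f'PRAGMA table_info("{table}")'):
                if (ctype or "").upper() != "BLOB":
                    continue
                for (val,) in con.execute(f'SELECT "{col}" FROM "{table}"'):
                    if isinstance(val, (bytes, memoryview)):
                        blob = bytes(val)
                        report["blobs"].append({
                            "table": table, "column": col, "size": len(blob),
                            "entropy": round(shannon_entropy(blob), 2)})
        return report
    finally:
        con.close()


def scan_directory(dirpath: str, min_entropy: float = 7.0, min_size: int = 1024) -> list:
    """Return a report for every SQLite file in dirpath; mark those holding
    large high-entropy blobs as suspicious (thresholds are assumptions)."""
    hits = []
    for name in sorted(os.listdir(dirpath)):
        p = os.path.join(dirpath, name)
        if not (os.path.isfile(p) and is_sqlite_file(p)):
            continue
        rep = inspect_db(p)
        rep["suspicious"] = any(
            b["entropy"] >= min_entropy and b["size"] >= min_size for b in rep["blobs"])
        hits.append(rep)
    return hits


def build_sample_dir() -> str:
    """Constructed test data: one container-like database plus a non-database file."""
    d = tempfile.mkdtemp(prefix="ghost-triage-")
    db = os.path.join(d, "store.dat")          # assumed name; no extension hint
    con = sqlite3.connect(db)
    con.executescript(
        "CREATE TABLE config(k TEXT, v BLOB);"
        "CREATE TABLE modules(id INTEGER, body BLOB);"
        "CREATE TABLE objects(id INTEGER, body BLOB);")
    con.execute("INSERT INTO config VALUES (?, ?)", ("beacon", b"plain-text-value"))
    con.execute("INSERT INTO modules VALUES (?, ?)", (1, os.urandom(4096)))  # stands in for an encrypted module
    con.commit()
    con.close()
    with open(os.path.join(d, "readme.txt"), "w") as f:
        f.write("not a database\n")
    return d


if __name__ == "__main__":
    for rep in scan_directory(build_sample_dir()):
        print(rep["path"], rep["tables"], "suspicious" if rep["suspicious"] else "benign")
        for b in rep["blobs"]:
            print("  ", b)
```

The header check matters because a container need not carry a `.db` or `.sqlite` extension. The entropy threshold is a heuristic: compressed images and archives also score near 8.0, so a hit is a lead for further analysis (for instance checking which process loads the file) rather than a verdict on its own.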
“Operation Ghost shows that the Dukes never stopped their espionage activities. They were in the spotlight after the breach of the Democratic National Committee during the 2016 US presidential elections. However, they then recovered from that media attention and rebuilt most of their toolset. […] This campaign also shows that APT threat actors going dark for several years does not mean they have stopped spying,” ESET concludes.