Operation Ghost: The Dukes aren’t back – they never left

ESET researchers describe recent activity of the infamous espionage group, the Dukes, including three new malware families

The Dukes (aka APT29 and Cozy Bear) have been in the spotlight after their suspected involvement in the breach of the Democratic National Committee in the run-up to the 2016 US elections. Since then, except for a one-off, suspected comeback in November 2018, with a phishing campaign targeting several US-based organizations, no activity has been confidently attributed to the Dukes. This left us thinking that the group had stopped its activities.

This held true until recent months, when we uncovered three new malware families that we attribute to the Dukes – PolyglotDuke, RegDuke and FatDuke. These new implants were used until very recently, with the latest observed sample being deployed in June 2019. This means the Dukes have been quite active since 2016, developing new implants and compromising high-value targets. We call these newly uncovered Dukes activities, collectively, Operation Ghost.

We believe Operation Ghost started in 2013 and it is still ongoing as of this writing. Our research shows that the Ministries of Foreign Affairs in at least three different countries in Europe are affected by this campaign. We have also discovered an infiltration by the Dukes at the Washington, DC embassy of a European Union country.

One of the first public traces of this campaign is to be found on Reddit in July 2014. Figure 1 shows a message posted by the attackers. The strange string using an unusual character set is the encoded URL of a C&C server used by PolyglotDuke.

Figure 1. Reddit post containing an encoded Command & Control URL

Figure 2 presents the timeline of Operation Ghost. As it is based on ESET telemetry, it might be only a partial view of a broader campaign.

Figure 2. Timeline of Operation Ghost

On one hand, we noticed numerous similarities in the tactics of this campaign to those from previously documented ones, such as the use of:

  • Twitter (and other social websites such as Reddit) to host C&C URLs
  • steganography in images to hide payloads or C&C communications
  • Windows Management Instrumentation (WMI) for persistence

We also noticed important similarities in the targeting:

  • all the known targets are Ministries of Foreign Affairs.
  • known targeted organizations were previously compromised by other Dukes malware such as CozyDuke, OnionDuke or MiniDuke.
  • on some machines compromised with PolyglotDuke and MiniDuke, we noticed that CozyDuke was installed only a few months before.

However, an attribution based only on the presence of known Dukes tools on the same machines should be taken with a grain of salt. We also found two other APT threat actors – Turla and Sednit – on some of the same computers.

On the other hand, we found strong code similarities between already documented samples and samples from Operation Ghost. We cannot discount the possibility of a false flag operation, however, this campaign started while only a small portion of the Dukes’ arsenal was known. In 2013, at the first known compilation date of PolyglotDuke, only MiniDuke had been documented and threat analysts were not yet aware of the importance of this threat actor. Thus, we believe Operation Ghost was run simultaneously with the other campaigns and has flown under the radar until now.

PolyglotDuke (SHA-1: D09C4E7B641F8CB7CC86190FD9A778C6955FEA28) uses a custom encryption algorithm to decrypt the strings used by the malware. We found functionally equivalent code in an OnionDuke sample (SHA-1: A75995F94854DEA8799650A2F4A97980B71199D2) that was documented by F-Secure in 2014. It is interesting to note that the value used to seed the srand function is the compilation timestamp of the executable. For instance, 0x5289f207 corresponds to Mon 18 Nov 2013 10:55:03 UTC.

The IDA screenshots in Figure 3 show the two similar functions.

Figure 3. Comparison of a custom string encryption function found in PolyglotDuke (on the left) and in OnionDuke (on the right) samples from 2013

Further, recent samples of the MiniDuke backdoor bear similarities with samples documented more than five years ago. Figure 4 is the comparison of a function in a MiniDuke backdoor listed by Kaspersky in 2014 (SHA-1: 86EC70C27E5346700714DBAE2F10E168A08210E4) and a MiniDuke backdoor (SHA-1: B05CABA461000C6EBD8B237F318577E9BCCD6047) compiled in August 2018.

Figure 4. Comparison of the same function in MiniDuke from 2014 (on the top) and in MiniDuke from 2018 (on the bottom)

Given the numerous similarities between other known Dukes campaigns and Operation Ghost, especially the strong code similarities, and the overlap in time with previous campaigns, we assess with high confidence that this operation is run by the Dukes.

In Operation Ghost, the Dukes have used a limited number of tools, but they have relied on numerous interesting tactics to avoid detection.

First, they are very persistent. They steal credentials and use them systematically to move laterally on the network. We have seen them using administrative credentials to compromise or re-compromise machines on the same local network. Thus, when responding to a Dukes compromise, it is important to make sure to remove every implant in a short period of time. Otherwise, the attackers will use any remaining implant to compromise the cleaned systems again.

Second, they have a sophisticated malware platform divided into four stages:

  • PolyglotDuke, which uses Twitter or other websites such as Reddit and Imgur to get its C&C URL. It also relies on steganography in images for its C&C communication.
  • RegDuke, a recovery first stage, which uses Dropbox as its C&C server. The main payload is encrypted on disk and the encryption key is stored in the Windows registry. It also relies on steganography as above.
  • MiniDuke backdoor, the second stage. This simple backdoor is written in assembly. It is very similar to older MiniDuke backdoors.
  • FatDuke, the third stage. This sophisticated backdoor implements a lot of functionalities and has a very flexible configuration. Its code is also well obfuscated using many opaque predicates. They re-compile it and modify the obfuscation frequently to bypass security product detections.

Figure 5 is a summary of the malware platform of Operation Ghost.

Figure 5. Summary of Operation Ghost malware platform

Third, we also noticed that the operators avoid using the same C&C network infrastructure between different victim organizations. This kind of compartmentalization is generally only seen by the most meticulous attackers. It prevents the entire operation from being burned when a single victim discovers the infection and shares the related network IoCs with the security community.

Our new research shows that even if an espionage group disappears from public reports for many years, it may not have stopped spying. The Dukes were able to fly under the radar for many years while compromising high-value targets, as before.

A comprehensive list of Indicators of Compromise (IoCs) and samples can be found in the full white paper and on GitHub.

For a detailed analysis of the backdoor, refer to our white paper. For any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.

17 Oct 2019 – 11:30AM

Latest Posts