Threat actors with ties to Pakistan have been associated with a long-running malware campaign called Operation Celestial Force since at least 2018.
According to Cisco Talos, the ongoing activity involves the use of an Android malware named GravityRAT and a Windows-based malware loader called HeavyLift. These are managed using another tool known as GravityAdmin.
The cybersecurity firm attributed the intrusion to an adversary it tracks as Cosmic Leopard (also known as SpaceCobra), which it noted shares some tactical similarities with Transparent Tribe.
“Operation Celestial Force has been active since at least 2018 and continues to operate today, increasingly utilizing an expanding and evolving malware suite. This indicates that the operation has likely achieved significant success targeting users in the Indian subcontinent,” said security researchers Asheer Malhotra and Vitor Ventura in a technical report shared with The Hacker News.
GravityRAT first emerged in 2018 as a Windows malware targeting Indian entities through spear-phishing emails. It featured a constantly evolving set of capabilities to extract sensitive information from compromised systems. Since then, the malware has been adapted to work on Android and macOS, making it a multi-platform tool.
Recent findings from Meta and ESET last year revealed the ongoing use of the Android version of GravityRAT to target military personnel in India and members of the Pakistan Air Force. The malware was disguised as cloud storage, entertainment, and chat apps.
Cisco Talos’ findings consolidate these disparate yet related activities under a common umbrella, driven by evidence indicating the threat actor’s use of GravityAdmin to orchestrate these attacks.
Cosmic Leopard has predominantly used spear-phishing and social engineering to build trust with prospective targets. Once trust is established, they send a link to a malicious site that instructs the target to download a seemingly innocuous program, which then deploys GravityRAT or HeavyLift, depending on the operating system.
GravityRAT is reported to have been in use since 2016. GravityAdmin, a binary used to control infected systems, has been active since at least August 2021, facilitating connections with the command-and-control (C2) servers of GravityRAT and HeavyLift.
“GravityAdmin consists of multiple built-in user interfaces (UIs) that correspond to specific, codenamed campaigns operated by malicious actors,” the researchers noted. “For example, ‘FOXTROT,’ ‘CLOUDINFINITY,’ and ‘CHATICO’ are names assigned to all Android-based GravityRAT infections, while ‘CRAFTWITHME,’ ‘SEXYBER,’ and ‘CVSCOUT’ refer to attacks deploying HeavyLift.”
The newly discovered component of the threat actor’s arsenal is HeavyLift, an Electron-based malware loader family distributed via malicious installers targeting the Windows operating system. It shares similarities with GravityRAT’s Electron versions previously documented by Kaspersky in 2020.
Once launched, the malware can gather and export system metadata to a hard-coded C2 server and periodically polls the server for any new payloads to execute on the system. Additionally, it is designed to perform similar functions on macOS.
“This multi-year operation has continuously targeted Indian entities and individuals likely belonging to defense, government, and related technology sectors,” the researchers said.
Source: TheHackerNews
