Since at least 2018, threat actors connected to Pakistan have been behind a prolonged malware campaign named Operation Celestial Force.
According to Cisco Talos, the activity, still ongoing, involves the use of an Android malware called GravityRAT and a Windows-based malware loader codenamed HeavyLift, which are administered using another standalone tool referred to as GravityAdmin.
The cybersecurity company attributed the activity to an adversary it tracks under the moniker Cosmic Leopard (aka SpaceCobra), which it said exhibits some level of tactical overlap with Transparent Tribe.
“Operation Celestial Force has been dynamic since no less than 2018 and keeps on working today — progressively using a growing and developing malware suite — showing that the activity has likely seen a serious level of achievement focusing on clients in the Indian subcontinent,” security specialists Asheer Malhotra and Vitor Ventura said in a technical report.
GravityRAT first came to light in 2018 as Windows malware targeting Indian entities through spear-phishing emails, carrying a steadily growing set of features for collecting sensitive data from compromised hosts. Since then, the malware has been ported to Android and macOS, turning it into a multi-platform tool.
“Subsequent findings last year uncovered continued use of the Android version of GravityRAT to target military personnel in India and among the Pakistan Air Force by masquerading it as cloud storage, entertainment, and chat apps, as revealed by Meta and ESET.”
Cisco Talos’ findings bring all of these disparate yet related activities under a common umbrella, driven by evidence pointing to the threat actor’s use of GravityAdmin to orchestrate these attacks.
Cosmic Leopard is observed to rely predominantly on spear-phishing and social engineering to establish trust with prospective targets, who are then sent a link to a malicious site that instructs them to download a seemingly innocuous program; that program drops GravityRAT or HeavyLift depending on the operating system in use.
GravityRAT is said to have been in use as early as 2016. GravityAdmin, for its part, is a binary that has been used to commandeer infected systems since at least August 2021 by establishing connections with GravityRAT’s and HeavyLift’s command-and-control (C2) servers.
“GravityAdmin comprises numerous inbuilt User Interfaces (UIs) that compare to explicit, codenamed crusades being operated by malicious operators,” the specialists noted. “For instance, ‘FOXTROT,’ ‘CLOUDINFINITY,’ and ‘CHATICO’ are names given to all Android-based GravityRAT contaminations, though ‘CRAFTWITHME,’ ‘SEXYBER,’ and ‘CVSCOUT’ are names for attacks sending HeavyLift.”
HeavyLift, an Electron-based malware loader family, is the newly discovered component of the threat actor’s arsenal and is distributed via malicious installers targeting the Windows operating system. It also shares similarities with the Electron versions of GravityRAT previously documented by Kaspersky in 2020.
Once launched, the malware is capable of gathering system metadata and sending it to a hard-coded C2 server, after which it periodically polls the server for any new payloads to execute on the system. It is also designed to perform comparable functions on macOS.
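The loader behaviour described above (a fixed C2 address contacted on a regular polling interval) is exactly the pattern that a defender can hunt for in proxy or firewall logs, since legitimate browsing rarely produces near-constant inter-arrival times between one host and one destination. The script below is an added example written for this article, not code from Cisco Talos or from the campaign's tooling. It parses a handful of constructed proxy log lines (the hosts, the `updates.example.invalid` domain and the 300-second period are all made up for illustration) and flags source/destination pairs whose connection intervals show very low jitter.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample proxy log lines (not real traffic). Host 10.0.0.5 polls a
# hypothetical destination every ~300 s; host 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
2024-06-12T10:00:00Z src=10.0.0.5 dst=updates.example.invalid bytes=412
2024-06-12T10:00:07Z src=10.0.0.9 dst=news.example.invalid bytes=30211
2024-06-12T10:05:00Z src=10.0.0.5 dst=updates.example.invalid bytes=409
2024-06-12T10:06:41Z src=10.0.0.9 dst=mail.example.invalid bytes=8820
2024-06-12T10:10:01Z src=10.0.0.5 dst=updates.example.invalid bytes=415
2024-06-12T10:15:00Z src=10.0.0.5 dst=updates.example.invalid bytes=410
2024-06-12T10:17:22Z src=10.0.0.9 dst=news.example.invalid bytes=27730
2024-06-12T10:19:59Z src=10.0.0.5 dst=updates.example.invalid bytes=411
2024-06-12T10:25:00Z src=10.0.0.5 dst=updates.example.invalid bytes=408
2024-06-12T10:31:05Z src=10.0.0.9 dst=mail.example.invalid bytes=9102
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into (ts, src, dst, bytes)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, kv["src"], kv["dst"], int(kv["bytes"])


def find_beacons(log_text, min_hits=5, max_jitter_cv=0.15):
    """Return (src, dst) pairs whose inter-connection gaps are nearly constant.

    Jitter is measured as the coefficient of variation (stddev / mean) of the
    gaps between consecutive connections; a value near 0 means a fixed timer.
    """
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = parse_line(line)
        by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_hits:  # too few samples to judge periodicity
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg_gap = mean(gaps)
        cv = pstdev(gaps) / avg_gap if avg_gap else 0.0
        if cv <= max_jitter_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "hits": len(events),
                "period_s": round(avg_gap),
                "jitter_cv": round(cv, 3),
                # Small, uniform response sizes are a second hint of polling
                # for "any new payload" rather than fetching real content.
                "avg_bytes": round(mean(n for _, n in events)),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} hits, "
              f"period {f['period_s']}s, jitter {f['jitter_cv']}, avg {f['avg_bytes']} B")
```

On the constructed input only the `10.0.0.5 -> updates.example.invalid` pair is reported (six hits, 300-second period, jitter near zero); the other host's traffic never reaches the minimum hit count. In practice the thresholds need tuning per environment, and known-good pollers (update services, monitoring agents) should be allow-listed before the output is reviewed.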
The researchers said, “Indian elements and people probably belonging to defence, government, and related technology spaces were persistently targeted by this long-term activity.”