Pakistan-linked Malware Campaign Evolves to Target Windows, Android, and macOS

Jun 13, 2024 | Newsroom | Threat Intelligence / Cyber Attack

Threat actors with ties to Pakistan have been linked to a long-running malware campaign dubbed Operation Celestial Force that has been active since at least 2018.

The activity, which is still ongoing, involves the use of an Android malware called GravityRAT and a Windows-based malware loader codenamed HeavyLift, according to Cisco Talos. Both are administered using another standalone tool known as GravityAdmin.

The cybersecurity firm attributed the intrusions to an adversary it tracks under the moniker Cosmic Leopard (aka SpaceCobra), which it said exhibits some degree of tactical overlap with Transparent Tribe.

“Operation Celestial Force has been active since at least 2018 and continues to operate today — increasingly utilizing an expanding and evolving malware suite — indicating that the operation has likely seen a high degree of success targeting users in the Indian subcontinent,” security researchers Asheer Malhotra and Vitor Ventura said in a technical report shared with The Hacker News.


GravityRAT first came to light in 2018 as a Windows malware targeting Indian entities via spear-phishing emails, boasting an ever-evolving set of features to harvest sensitive information from compromised hosts. Since then, the malware has been ported to Android and macOS, turning it into a multi-platform tool.

Subsequent findings from Meta and ESET last year uncovered continued use of the Android version of GravityRAT to target military personnel in India and in the Pakistan Air Force by masquerading it as cloud storage, entertainment, and chat apps.


Cisco Talos' findings bring all of these disparate-but-related activities under a common umbrella, driven by evidence that points to the threat actor's use of GravityAdmin to orchestrate the attacks.

Cosmic Leopard has predominantly been observed using spear-phishing and social engineering to establish trust with potential targets, before sending them a link to a malicious site that instructs them to download a seemingly innocuous program. That program drops GravityRAT or HeavyLift depending on the operating system in use.

GravityRAT is said to have been put to use as early as 2016. GravityAdmin, on the other hand, is a binary used to commandeer infected systems since at least August 2021 by establishing connections with GravityRAT's and HeavyLift's command-and-control (C2) servers.


“GravityAdmin consists of multiple inbuilt User Interfaces (UIs) that correspond to specific, codenamed, campaigns being operated by malicious operators,” the researchers noted. “For example, ‘FOXTROT,’ ‘CLOUDINFINITY,’ and ‘CHATICO,’ are names given to all Android-based GravityRAT infections whereas ‘CRAFTWITHME,’ ‘SEXYBER,’ and ‘CVSCOUT’ are names for attacks deploying HeavyLift.”

The newly discovered component of the threat actor's arsenal is HeavyLift, an Electron-based malware loader family distributed via malicious installers targeting the Windows operating system. It also overlaps with the Electron-based versions of GravityRAT previously documented by Kaspersky in 2020.

Once launched, the malware collects system metadata and exports it to a hard-coded C2 server, after which it periodically polls that server for any new payloads to execute on the host. It is also designed to perform the same functions on macOS.
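A loader that reports to a hard-coded C2 and then polls it on a fixed schedule leaves a regular timing signature in outbound proxy or DNS logs. The detector below, added here as an illustration and not code from Cisco Talos or from any HeavyLift sample, flags source/destination pairs whose request gaps are nearly constant. The log format, hostnames, timestamps and thresholds are all constructed for the example.

```python
"""Flag periodic C2 polling ("beaconing") in web-proxy logs.

Added example for this article; not Cisco Talos code and not derived from a
HeavyLift sample. The log format, hosts and timestamps below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: ISO timestamp, source host, destination host, bytes sent.
# The "updates" host is contacted every ~5 minutes with a tiny, near-constant
# request size, the pattern a payload-polling loader produces; the other hosts
# are ordinary, irregular user traffic.
SAMPLE_LOG = """\
2024-06-10T09:00:00 ws-17 updates.example-cdn.test 412
2024-06-10T09:00:07 ws-17 mail.example.test 1980
2024-06-10T09:02:13 ws-17 news.example.test 33012
2024-06-10T09:05:00 ws-17 updates.example-cdn.test 410
2024-06-10T09:10:01 ws-17 updates.example-cdn.test 411
2024-06-10T09:11:45 ws-17 docs.example.test 5020
2024-06-10T09:15:00 ws-17 updates.example-cdn.test 409
2024-06-10T09:20:00 ws-17 updates.example-cdn.test 412
2024-06-10T09:25:01 ws-17 updates.example-cdn.test 410
2024-06-10T09:31:50 ws-17 news.example.test 28870
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_sent) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(size)


def find_beacons(text, min_hits=5, max_jitter=0.1):
    """Return {(src, dst): interval_seconds} for pairs with regular request timing.

    A pair is flagged when it has at least `min_hits` requests and the
    coefficient of variation (population stdev / mean) of the gaps between
    consecutive requests is below `max_jitter`. Legitimate browsing rarely
    produces gaps this regular; scheduled polling of a C2 does.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        times[(src, dst)].append(ts)

    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            flagged[pair] = round(avg)
    return flagged


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: ~{interval}s polling interval")
```

On the constructed log only the `ws-17 -> updates.example-cdn.test` pair is reported, with a 300-second interval. The `max_jitter` threshold is the tuning knob: some implants add random sleep to their polling, so in practice the threshold is set per environment and combined with other signals (first-seen destination, constant request size, unsigned parent process) rather than used alone.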

“This multi-year operation continuously targeted Indian entities and individuals likely belonging to defense, government, and related technology spaces,” the researchers said.
