Threat actors with ties to Pakistan have been linked to a long-running malware campaign dubbed Operation Celestial Force since at least 2018.
The activity, still ongoing, entails the use of an Android malware called GravityRAT and a Windows-based malware loader codenamed HeavyLift, according to Cisco Talos, which are administered using another standalone tool referred to as GravityAdmin.
The cybersecurity attributed the intrusion to an adversary it tracks under the moniker Cosmic Leopard (aka SpaceCobra), which it said exhibits some level of tactical overlap with Transparent Tribe.
“Operation Celestial Force has been active since at least 2018 and continues to operate today — increasingly utilizing an expanding and evolving malware suite — indicating that the operation has likely seen a high degree of success targeting users in the Indian subcontinent,” security researchers Asheer Malhotra and Vitor Ventura said in a technical report shared with The Hacker News.
GravityRAT first came to light in 2018 as a Windows malware targeting Indian entities via spear-phishing emails, boasting of an ever-evolving set of features to harvest sensitive information from compromised hosts. Since then, the malware has been ported to work on Android and macOS operating systems, turning it into a multi-platform tool.
Subsequent findings from Meta and ESET last year uncovered continued use of the Android version of GravityRAT to target military personnel in India and among the Pakistan Air Force by masquerading it as cloud storage, entertainment, and chat apps.
Cisco Talos’ findings bring all these disparate-but-related activities under a common umbrella, driven by evidence that points to the threat actor’s use of GravityAdmin to orchestrate these attacks.
Cosmic Leopard has been predominantly observed employing spear-phishing and social engineering to establish trust with prospective targets, before sending them a link to a malicious site that instructs them to download a seemingly innocuous program that drops GravityRAT or HeavyLift depending on the operating system used.
GravityRAT is said to have been put to use as early as 2016. GravityAdmin, on the other hand, is a binary used to commandeer infected systems since at least August 2021 by establishing connections with GravityRAT and HeavyLift’s command-and-control (C2) servers.
“GravityAdmin consists of multiple inbuilt User Interfaces (UIs) that correspond to specific, codenamed, campaigns being operated by malicious operators,” the researchers noted. “For example, ‘FOXTROT,’ ‘CLOUDINFINITY,’ and ‘CHATICO’ are names given to all Android-based GravityRAT infections whereas ‘CRAFTWITHME,’ ‘SEXYBER,’ and ‘CVSCOUT’ are names for attacks deploying HeavyLift.”
The newly discovered component of the threat actor’s arsenal is HeavyLift, an Electron-based malware loader family distributed via malicious installers targeting the Windows operating system. It also has similarities with GravityRAT’s Electron versions documented previously by Kaspersky in 2020.
The malware, once launched, is capable of gathering and exporting system metadata to a hard-coded C2 server, following it periodically polls the server for any new payloads to be executed on the system. What’s more, it’s designed to perform similar functions on macOS as well.
“This multi-year operation continuously targeted Indian entities and individuals likely belonging to defense, government, and related technology spaces,” the researchers said.