Threat actors with ties to Pakistan have been linked to a long-running malware campaign dubbed Operation Celestial Force since at least 2018.
The activity, still ongoing, involves the use of an Android malware called GravityRAT and a Windows-based malware loader codenamed HeavyLift, according to Cisco Talos, both of which are administered using another standalone tool known as GravityAdmin.
The cybersecurity company attributed the intrusion to an adversary it tracks under the moniker Cosmic Leopard (aka SpaceCobra), which it said exhibits some level of tactical overlap with Transparent Tribe.
“Operation Celestial Force has been active since at least 2018 and continues to operate today — increasingly utilizing an expanding and evolving malware suite — indicating that the operation has likely seen a high degree of success targeting users in the Indian subcontinent,” security researchers Asheer Malhotra and Vitor Ventura said in a technical report shared with The Hacker News.
GravityRAT first came to light in 2018 as a Windows malware targeting Indian entities via spear-phishing emails, boasting an ever-evolving set of features to harvest sensitive information from compromised hosts. Since then, the malware has been ported to work on Android and macOS operating systems, turning it into a multi-platform tool.
Subsequent findings from Meta and ESET last year uncovered continued use of the Android version of GravityRAT to target military personnel in India and in the Pakistan Air Force by masquerading it as cloud storage, entertainment, and chat apps.
Cisco Talos’ findings bring all these disparate-but-related activities under a common umbrella, driven by evidence that points to the threat actor’s use of GravityAdmin to orchestrate these attacks.
Cosmic Leopard has been predominantly observed employing spear-phishing and social engineering to establish trust with potential targets, before sending them a link to a malicious website that instructs them to download a seemingly innocuous program that drops GravityRAT or HeavyLift depending on the operating system used.
GravityRAT is said to have been put to use as early as 2016. GravityAdmin, on the other hand, is a binary used to commandeer infected systems since at least August 2021 by establishing connections with GravityRAT and HeavyLift’s command-and-control (C2) servers.
“GravityAdmin consists of multiple inbuilt User Interfaces (UIs) that correspond to specific, codenamed, campaigns being operated by malicious operators,” the researchers noted. “For example, ‘FOXTROT,’ ‘CLOUDINFINITY,’ and ‘CHATICO’ are names given to all Android-based GravityRAT infections whereas ‘CRAFTWITHME,’ ‘SEXYBER,’ and ‘CVSCOUT’ are names for attacks deploying HeavyLift.”
The newly discovered component of the threat actor’s arsenal is HeavyLift, an Electron-based malware loader family distributed via malicious installers targeting the Windows operating system. It also shares similarities with GravityRAT’s Electron versions documented previously by Kaspersky in 2020.
The malware, once launched, is capable of collecting and exporting system metadata to a hard-coded C2 server, after which it periodically polls the server for any new payloads to be executed on the system. What’s more, it is designed to perform similar functions on macOS as well.
“This multi-year operation continuously targeted Indian entities and individuals likely belonging to defense, government, and related technology spaces,” the researchers said.