Pakistan-linked Malware Campaign Evolves to Target Windows, Android, and macOS

Threat actors with ties to Pakistan have been linked to a long-running malware campaign dubbed Operation Celestial Force since at least 2018.

The activity, still ongoing, entails the use of an Android malware called GravityRAT and a Windows-based malware loader codenamed HeavyLift, according to Cisco Talos, which are administered using another standalone tool called GravityAdmin.

The cybersecurity company attributed the intrusion to an adversary it tracks under the moniker Cosmic Leopard (aka SpaceCobra), which it said exhibits some level of tactical overlap with Transparent Tribe.

“Operation Celestial Force has been active since at least 2018 and continues to operate today — increasingly utilizing an expanding and evolving malware suite — indicating that the operation has likely seen a high degree of success targeting users in the Indian subcontinent,” security researchers Asheer Malhotra and Vitor Ventura said in a technical report shared with The Hacker News.

GravityRAT first came to light in 2018 as a Windows malware targeting Indian entities via spear-phishing emails, boasting an ever-evolving set of features to harvest sensitive information from compromised hosts. Since then, the malware has been ported to work on the Android and macOS operating systems, turning it into a multi-platform tool.

Subsequent findings from Meta and ESET last year uncovered continued use of the Android version of GravityRAT to target military personnel in India and within the Pakistan Air Force by masquerading it as cloud storage, entertainment, and chat apps.

Cisco Talos’ findings bring all these disparate-but-related activities under a common umbrella, driven by evidence that points to the threat actor’s use of GravityAdmin to orchestrate these attacks.

Cosmic Leopard has been predominantly observed using spear-phishing and social engineering to establish trust with potential targets, before sending them a link to a malicious site that instructs them to download a seemingly innocuous program that drops GravityRAT or HeavyLift, depending on the operating system in use.

GravityRAT is said to have been put to use as early as 2016. GravityAdmin, on the other hand, is a binary used to commandeer infected systems since at least August 2021 by establishing connections with GravityRAT’s and HeavyLift’s command-and-control (C2) servers.

“GravityAdmin consists of multiple inbuilt User Interfaces (UIs) that correspond to specific, codenamed, campaigns being operated by malicious operators,” the researchers noted. “For example, ‘FOXTROT,’ ‘CLOUDINFINITY,’ and ‘CHATICO’ are names given to all Android-based GravityRAT infections whereas ‘CRAFTWITHME,’ ‘SEXYBER,’ and ‘CVSCOUT’ are names for attacks deploying HeavyLift.”

The newly discovered component of the threat actor’s arsenal is HeavyLift, an Electron-based malware loader family distributed via malicious installers targeting the Windows operating system. It also shares similarities with GravityRAT’s Electron versions documented previously by Kaspersky in 2020.

The malware, once launched, is capable of collecting and exporting system metadata to a hard-coded C2 server, after which it periodically polls the server for any new payloads to be executed on the system. What’s more, it is designed to perform similar functions on macOS as well.

“This multi-year operation continuously targeted Indian entities and individuals likely belonging to defense, government, and related technology spaces,” the researchers said.
