Recent reports reveal that cybersecurity experts have uncovered a long-standing malware operation named “Operation Celestial Force,” linked to threat actors associated with Pakistan. This campaign, active since at least 2018, employs sophisticated tools such as GravityRAT for Android and HeavyLift for Windows, coordinated by a tool called GravityAdmin.
The Malware Arsenal: GravityRAT and HeavyLift
GravityRAT, first identified in 2018 targeting Indian organizations via spear-phishing emails, has evolved into a versatile threat affecting Windows, Android, and macOS platforms. Designed to extract sensitive data, it has recently been used to target military personnel, including members of the Indian military and Pakistan Air Force, disguised as legitimate applications like cloud storage or entertainment apps.
HeavyLift is a newer addition to the attackers’ toolkit, comparable in sophistication to GravityRAT. This Windows-based malware loader uses malicious installers to infiltrate systems, collect system metadata, and communicate with command-and-control (C2) servers to fetch and execute additional payloads. It has also been observed operating in macOS environments, indicating a broadened scope of attacks.
Cosmic Leopard and Tactics Used
Security researchers, including Cisco Talos, attribute these activities to a group known as Cosmic Leopard or SpaceCobra, linked to another known threat actor, Transparent Tribe. The group primarily uses spear-phishing and social engineering tactics to lure victims into downloading malicious payloads, which install GravityRAT or HeavyLift based on the victim’s operating system.
Operation Celestial Force – Evolution and Expansion
Since its inception, Operation Celestial Force has significantly expanded in both scale and sophistication. GravityAdmin, a critical component in managing infected systems, orchestrates various campaigns across different platforms. Campaigns such as ‘FOXTROT,’ ‘CLOUDINFINITY,’ and ‘CHATICO’ for Android targets, and ‘CRAFTWITHME,’ ‘SEXYBER,’ and ‘CVSCOUT’ for HeavyLift deployments, highlight the attackers’ organized approach to cyber espionage.
Strategic Targets and Implications
Operation Celestial Force primarily targets entities within the defense, government, and technology sectors in India and potentially other regions of the Indian subcontinent. The persistent nature of these attacks underscores the threat actors’ determination and adaptability, continuously evolving their tactics to overcome security measures and exploit new vulnerabilities.
Conclusion
Operation Celestial Force represents a significant cybersecurity challenge, characterized by the continuous evolution and adaptation of sophisticated malware tools by threat actors. The use of GravityRAT and HeavyLift across multiple platforms, orchestrated through GravityAdmin, illustrates an organized effort to compromise sensitive systems and extract valuable information.
Awareness of such campaigns and proactive defence strategies are crucial in mitigating the impact of these threats on organizational and national security. This highlights the importance of robust cybersecurity practices to safeguard against sophisticated malware campaigns like Operation Celestial Force.
June 27, 2024
Source: Tuxcare