Friday, November 8, 2024

Operation Celestial Force Employing Android And Windows Malware To Attack Indian Users


A Pakistani threat actor group, Cosmic Leopard, has been conducting a multi-year cyber espionage campaign named Operation Celestial Force, targeting Indian entities.

Since 2018 the group has used the GravityRAT malware family, initially against Windows and later against Android, delivering it through malicious documents and social engineering.

In 2019 they added HeavyLift, a malware loader distributed through fake installers. Each campaign within the operation is run from its own custom "GravityAdmin" panel. Because both vectors rely on the victim opening a document or running an installer, the campaign underlines the value of user awareness training backed by a defense-in-depth security model rather than any single control.

 Malicious drop site delivering HeavyLift. 

Operation Celestial Force, a cyberespionage campaign targeting Indian entities, uses two main infection vectors: spearphishing emails with malicious documents and social engineering on social media to trick targets into downloading malware.


The malware suite includes GravityRAT, a remote-access Trojan for Windows and Android, and HeavyLift, a Windows malware loader.

The operators manage these tools with a multi-paneled administrative interface called GravityAdmin. 

Operation Celestial Force’s infection chains

GravityAdmin is the operators' administrative panel framework, with one panel per campaign. The panel binary first authenticates the operator against an authentication server and receives a token, which it then presents to the campaign-specific C2 servers on subsequent requests.

Different campaigns target different platforms (Windows and Android) and deploy different malware families (GravityRAT and HeavyLift).

There are infrastructure overlaps between campaigns, such as sharing malicious domains to host payloads or maintaining infected machine lists. 

 Login screen for GravityAdmin titled “Bits Before Bullets.” 

GravityRAT is a multi-platform remote access trojan that first targeted Windows machines and was later ported to Android. The Android builds, which Talos attributes to the same Pakistani-nexus actors targeting Indian users, are spread through fake app websites and links posted on social media.

New variants steal user data (SMS, call logs, files), device information (IMEI, location), and even associated email addresses.

The malware communicates with its command-and-control servers and can wipe data on infected devices.

The group fronts its C2 infrastructure with Cloudflare, so the IP addresses seen by defenders belong to Cloudflare rather than to the operators' own servers. Blocking and hunting should therefore key on the hostnames and URLs in the indicator list rather than on IP addresses.

HeavyLift is an Electron-based malware loader disguised as a legitimate installer and delivered through social engineering. On execution it collects system information (username, MAC address and OS version), reports it to its C2 server, and downloads additional malicious payloads.

The downloaded payloads are kept running across reboots using crontab entries on macOS and scheduled tasks on Windows. The loader also performs anti-analysis checks intended to detect virtual machines and avoid running under analysis.

The Indicators of Compromise (IOCs) published by Cisco Talos consist of hashes of malicious files, domains and URLs associated with HeavyLift, GravityRAT for Android and GravityAdmin.

Several of the URLs carry distinctive query parameters. Matching the published hashes against files on disk, and the domains and URLs against DNS, proxy and web logs, lets defenders identify potential infections and past contact with the campaign's infrastructure.
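As an added example (not code from the original article or from the Talos report), the following Python script shows how a defender would sweep the three IOC kinds described above against local files and a proxy log: file hashes by SHA-256, domains including their subdomains, and exact URLs. The IOC values, the sample files and the log lines are all constructed placeholders; real indicators would be taken from the published Talos list.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed, hypothetical IOC set. None of these values are real indicators;
# they stand in for the hashes/domains/URLs a vendor report would publish.
IOC_DOMAINS = {"update-portal.invalid", "media-share.invalid"}
IOC_URLS = {"http://update-portal.invalid/installer/setup.exe?id=1"}

# Constructed file contents standing in for a scanned directory. The "sample"
# file's hash is used as the file indicator so the example runs offline.
SAMPLE_FILES = {
    "setup_installer.exe": b"constructed HeavyLift-like sample bytes",
    "notes.txt": b"benign content",
}
IOC_SHA256 = {hashlib.sha256(SAMPLE_FILES["setup_installer.exe"]).hexdigest()}

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2024-06-13T10:02:11Z 10.0.0.5 GET http://update-portal.invalid/installer/setup.exe?id=1 200",
    "2024-06-13T10:02:40Z 10.0.0.5 GET https://www.example.com/ 200",
    "2024-06-13T10:03:02Z 10.0.0.9 GET https://cdn.media-share.invalid/app.apk 200",
    "2024-06-13T10:03:15Z 10.0.0.9 GET https://notupdate-portal.invalid/ 200",
    "malformed line that should be skipped",
]

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def normalize_host(host):
    """Lower-case the host and drop a trailing dot so matching is consistent."""
    return (host or "").lower().rstrip(".")


def host_of(url):
    """Extract the normalized host from a URL (empty string if unparseable)."""
    return normalize_host(urlsplit(url).hostname)


def domain_matches(host, ioc_domains):
    """True if host is an IOC domain or a subdomain of one.

    The explicit "." prefix prevents 'notupdate-portal.invalid' from matching
    the indicator 'update-portal.invalid'.
    """
    host = normalize_host(host)
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def scan_files(files, ioc_sha256):
    """Return the names of files whose SHA-256 is in the indicator set."""
    return [
        name for name, data in files.items()
        if hashlib.sha256(data).hexdigest() in ioc_sha256
    ]


def scan_proxy_log(lines, ioc_domains, ioc_urls):
    """Return (kind, indicator, client) tuples for log lines hitting an IOC.

    An exact URL match is reported in preference to the broader domain match
    for the same line, so each line yields at most one hit.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        url, src = m.group("url"), m.group("src")
        if url in ioc_urls:
            hits.append(("url", url, src))
        elif domain_matches(host_of(url), ioc_domains):
            hits.append(("domain", host_of(url), src))
    return hits


def scan_all():
    """Run both sweeps over the constructed inputs and return the results."""
    return {
        "files": scan_files(SAMPLE_FILES, IOC_SHA256),
        "network": scan_proxy_log(SAMPLE_PROXY_LOG, IOC_DOMAINS, IOC_URLS),
    }


if __name__ == "__main__":
    for kind, hits in scan_all().items():
        print(kind, hits)
```

Because the campaign's C2 sits behind Cloudflare, the script deliberately matches on hostnames and URLs rather than on destination IP addresses; an IP-based sweep would only ever report Cloudflare's ranges.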
