Friday, October 11, 2024
HomeAndroidOperation Celestial Force Employing Android And Windows Malware To Attack Indian Users

Operation Celestial Force Employing Android And Windows Malware To Attack Indian Users

Published on

Malware protection

A Pakistani threat actor group, Cosmic Leopard, has been conducting a multi-year cyber espionage campaign named Operation Celestial Force, targeting Indian entities.

Since 2018, they have used GravityRAT malware, initially for Windows and later for Android, which has been deployed through malicious documents and social engineering

In 2019, they expanded their toolkit with HeavyLift, a malware loader distributed via fake installers, where each campaign within the operation is managed by custom “GravityAdmin” panels, highlighting the need for user education on cyber hygiene and implementing defense-in-depth security models. 

- Advertisement - SIEM as a Service
 Malicious drop site delivering HeavyLift. 

Operation Celestial Force, a cyberespionage campaign targeting Indian entities, uses two main infection vectors: spearphishing emails with malicious documents and social engineering on social media to trick targets into downloading malware.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

The malware suite includes GravityRAT, a remote-access Trojan for Windows and Android, and HeavyLift, a Windows malware loader.

The operators manage these tools with a multi-paneled administrative interface called GravityAdmin. 

Operation Celestial Force’s infection chains

GravityAdmin is a malware framework used to manage various malicious campaigns. The panel binary authenticates users with a server and retrieves a token to communicate with campaign-specific C2 servers. 

Different campaigns target different platforms (Windows and Android) and deploy different malware families (GravityRAT and HeavyLift).

There are infrastructure overlaps between campaigns, such as sharing malicious domains to host payloads or maintaining infected machine lists. 

 Login screen for GravityAdmin titled “Bits Before Bullets.” 

GravityRAT, a multi-platform remote access trojan, first targeted Windows machines but has since expanded to Android devices, which are likely used by Pakistani actors against Indian targets and spread through fake app websites and social media. 

New variants steal user data (SMS, call logs, files), device information (IMEI, location), and even associated email addresses.

The malware communicates with hidden command-and-control servers and can wipe data on infected devices. 

 The group uses Cloudflare service to hide the true location of their C2 servers. 

HeavyLift, an Electron-based malware loader, is disguised as an installer and deployed through social engineering, which communicates with C2 servers to steal system information (including username, MAC address, and OS version) and download malicious payloads. 

These payloads are executed persistently on the compromised system using crontab for macOS and scheduled tasks for Windows. The malware also implements anti-analysis techniques to evade detection in virtual environments.  

The provided Indicators of Compromise (IOCs) by Cisco Talos are hashes of malicious files, domains, and URLs that are associated with Android malware, including HeavyLift, GravityRAT Android, and GravityAdmin. 

The URLs contain suspicious parameters and may be used to exploit vulnerabilities on Android devices, and by checking these IOCs against files, network traffic, and URLs, security researchers can identify potential infections.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...