Monday, July 22, 2024

Operation Celestial Force Employing Android And Windows Malware To Attack Indian Users

A Pakistani threat actor group, Cosmic Leopard, has been conducting a multi-year cyber espionage campaign named Operation Celestial Force, targeting Indian entities.

Since 2018, they have used GravityRAT malware, initially for Windows and later for Android, which has been deployed through malicious documents and social engineering

In 2019, they expanded their toolkit with HeavyLift, a malware loader distributed via fake installers, where each campaign within the operation is managed by custom “GravityAdmin” panels, highlighting the need for user education on cyber hygiene and implementing defense-in-depth security models. 

 Malicious drop site delivering HeavyLift. 

Operation Celestial Force, a cyberespionage campaign targeting Indian entities, uses two main infection vectors: spearphishing emails with malicious documents and social engineering on social media to trick targets into downloading malware.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

The malware suite includes GravityRAT, a remote-access Trojan for Windows and Android, and HeavyLift, a Windows malware loader.

The operators manage these tools with a multi-paneled administrative interface called GravityAdmin. 

Operation Celestial Force’s infection chains

GravityAdmin is a malware framework used to manage various malicious campaigns. The panel binary authenticates users with a server and retrieves a token to communicate with campaign-specific C2 servers. 

Different campaigns target different platforms (Windows and Android) and deploy different malware families (GravityRAT and HeavyLift).

There are infrastructure overlaps between campaigns, such as sharing malicious domains to host payloads or maintaining infected machine lists. 

 Login screen for GravityAdmin titled “Bits Before Bullets.” 

GravityRAT, a multi-platform remote access trojan, first targeted Windows machines but has since expanded to Android devices, which are likely used by Pakistani actors against Indian targets and spread through fake app websites and social media. 

New variants steal user data (SMS, call logs, files), device information (IMEI, location), and even associated email addresses.

The malware communicates with hidden command-and-control servers and can wipe data on infected devices. 

 The group uses Cloudflare service to hide the true location of their C2 servers. 

HeavyLift, an Electron-based malware loader, is disguised as an installer and deployed through social engineering, which communicates with C2 servers to steal system information (including username, MAC address, and OS version) and download malicious payloads. 

These payloads are executed persistently on the compromised system using crontab for macOS and scheduled tasks for Windows. The malware also implements anti-analysis techniques to evade detection in virtual environments.  

The provided Indicators of Compromise (IOCs) by Cisco Talos are hashes of malicious files, domains, and URLs that are associated with Android malware, including HeavyLift, GravityRAT Android, and GravityAdmin. 

The URLs contain suspicious parameters and may be used to exploit vulnerabilities on Android devices, and by checking these IOCs against files, network traffic, and URLs, security researchers can identify potential infections.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free


Latest articles

Hackers Registered 500k+ Domains Using Algorithms For Extensive Cyber Attack

Hackers often register new domains for phishing attacks, spreading malware, and other deceitful activities. Such...

Hackers Claim Breach of Daikin: 40 GB of Confidential Data Exposed

Daikin, the world's largest air conditioner manufacturer, has become the latest target of the...

Emojis Are To Express Emotions, But CyberCriminals For Attacks

There are 3,664 emojis that can be used to express emotions, ideas, or objects...

Beware Of Fake Browser Updates That Installs Malicious BOINC Infrastructre

SocGholish malware, also known as FakeUpdates, has exhibited new behavior since July 4th, 2024,...

Data Breach Increases by Over 1,000% Annually

The Identity Theft Resource Center® (ITRC), a nationally recognized nonprofit organization established to support...

UK Police Arrested 17-year-old Boy Responsible for MGM Resorts Hack

UK police have arrested a 17-year-old boy from Walsall in connection with a notorious...

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles