Operation Celestial Force: Pakistani Long-running Malware

Wajahat Raja

June 26, 2024 - TuxCare expert team

Recent reports state that cybersecurity experts have uncovered a long-standing malware initiative known as Operation Celestial Force, linked to threat actors associated with Pakistan. This electron-based malware loader campaign, dating back to at least 2018, involves sophisticated tools like GravityRAT for Android and HeavyLift for Windows, alongside a coordinating tool called GravityAdmin.

The Malware Arsenal: GravityRAT and HeavyLift

GravityRAT, initially identified in 2018 targeting Indian organizations through spear-phishing emails, has since evolved into a versatile threat spanning Windows, Android, and macOS platforms.

This malware is designed to extract sensitive data from compromised systems. Recent reports from Meta and ESET have highlighted its usage in targeting military personnel, including those from the Indian military and Pakistan Air Force, often disguised as benign applications like cloud storage or entertainment apps.

On the other hand, HeavyLift is a newer addition to the attackers’ toolkit. This Windows-based malware loader, akin to GravityRAT in its sophistication, uses malicious installers to infiltrate systems.

Once activated, HeavyLift can collect system metadata and communicate with its command-and-control (C2) servers to receive and execute additional payloads. This malware also shows capability in macOS environments, indicating a broadened scope of attacks.

Cosmic Leopard and Tactics Used

Security researchers, including Cisco Talos, attribute these activities to a group identified as Cosmic Leopard or SpaceCobra, drawing parallels with another known threat actor, Transparent Tribe.

The group primarily relies on spear-phishing and social engineering tactics to lure victims into downloading malicious payloads. These payloads, delivered via links to seemingly harmless software, install GravityRAT or HeavyLift based on the victim’s operating system.

Operation Celestial Force – Evolution and Expansion

Since its inception, Operation Celestial Force has expanded significantly in both scale and sophistication. GravityAdmin, a critical component in managing infected systems, has been observed orchestrating various campaigns across different platforms. Each campaign, denoted by names like ‘FOXTROT,’ ‘CLOUDINFINITY,’ and ‘CHATICO’ for Android targets and ‘CRAFTWITHME,’ ‘SEXYBER,’ and ‘CVSCOUT’ for HeavyLift deployments, demonstrates the attackers’ organized approach to cyber espionage.

Strategic Targets and Implications

The targets of Operation Celestial Force predominantly include entities within defense, government, and technology sectors in India and potentially other regions of the Indian subcontinent. The persistent nature of these attacks underscores the threat actors’ determination and the evolving nature of their tactics, adapting to security measures and leveraging new vulnerabilities as they emerge.

Conclusion

In conclusion, Operation Celestial Force represents a significant cybersecurity challenge, marked by the continuous evolution and adaptation of malware tools by threat actors with sophisticated operational capabilities.

The use of GravityRAT and HeavyLift across multiple platforms, orchestrated through GravityAdmin, illustrates a methodical and persistent effort to compromise sensitive systems and extract valuable information.

As cybersecurity measures continue to evolve, awareness of such campaigns and proactive defense strategies remain crucial in mitigating the impact of such threats on organizational and national security.

This overview highlights the critical importance of cyberthreat protection and staying vigilant against evolving spear phishing email security threats. It also underscores the necessity for robust cybersecurity practices to safeguard against sophisticated malware campaigns like Operation Celestial Force.

The sources for this piece include articles in The Hacker News and SC Media.

Summary