Cybercrooks target Indian Android, Windows, Mac devices with trojan


Pakistan-based threat actor Cosmic Leopard has been targeting Indian government entities, including defence and technology, since 2018 in a campaign dubbed ‘Operation Celestial Force.’ The operation involves deploying two main malware components: GravityRAT, an Android-based malware, and HeavyLift, a Windows and macOS-based malware loader.

Researchers discovered GravityRAT in 2018. It is a remote access trojan (RAT) targeting Indian entities. Over time, it has expanded its capabilities to include Android-based versions, allowing for a broader range of infections targeting mobile devices.

On the other hand, HeavyLift is a malware loader primarily designed for Windows systems. It is distributed through malicious installers and controlled via command and control (C2) servers. It complements GravityRAT and serves as a gateway for Cosmic Leopard to deploy a variety of malicious tools and capabilities, expanding its control over infected devices.

Malicious website dropping HeavyLift. | Source: Cisco Talos

“The tactics, techniques, tooling and victimology of Cosmic Leopard contain some overlaps with those of Transparent Tribe, another suspected Pakistani APT group, which has a history of targeting high-value individuals from the Indian subcontinent,” researchers noted. “Adversaries like Cosmic Leopard may use low-sophistication techniques such as social engineering and spear phishing, but will aggressively target potential victims with various TTPs.”

Central to Operation Celestial Force is a tool known as GravityAdmin, which serves as the command centre for administering and managing infected systems. This tool, utilised by threat actors since at least 2021, enables operators to connect to GravityRAT’s and HeavyLift’s C2 servers, execute malicious actions, and oversee multiple campaigns simultaneously. Each campaign within GravityAdmin is codenamed and tailored for specific infection mechanisms, platforms, and targets.

“Each of the codenamed campaigns from the Panel binaries consists of their own infection mechanisms. For example, ‘FOXTROT,’ ‘CLOUDINFINITY’ and ‘CHATICO’ are names given to all Android-based GravityRAT infections whereas ‘CRAFTWITHME,’ ‘SEXYBER’ and ‘CVSCOUT’ are names for attacks deploying HeavyLift,” explained researchers.

The campaign employs various infection vectors, including spear phishing and social engineering. Spear phishing involves sending targeted messages with malicious attachments, such as maldocs containing GravityRAT.

Operation Leopard attack chain explained. | Source: Cisco Talos

Meanwhile, researchers observed that Cosmic Leopard threat actors also rely heavily on social engineering tactics. This involves establishing trust with targets via social media and then directing them to links that deliver the malware.

Operation Celestial Force demonstrates high persistence, with Cosmic Leopard continuously evolving its tactics, techniques, and malware capabilities. Using multi-platform malware like GravityRAT, which targets both Windows and Android systems, allows for a broader reach and increased effectiveness in compromising diverse devices.

The attack campaign’s longevity, spanning multiple years, indicates Cosmic Leopard’s sustained efforts to maintain access, gather intelligence, and potentially conduct espionage activities against high-value targets in India.

To mitigate the risk posed by Operation Celestial Force and similar cyber threats, researchers have advised organisations to leverage advanced endpoint protection solutions, email security gateways, web filtering technologies, and intrusion detection systems to detect, block and respond to malicious activities.

In May, it was reported that Pakistani cybercriminals from Transparent Tribe targeted Indian defence and aerospace. In April, reports came out that a sophisticated espionage campaign, dubbed eXotic Visit, targeted Android users in Pakistan and India.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me