| Operation Celestial Force | |
| --- | --- |
| Type of Malware Used | Remote access trojan (GravityRAT), loader (HeavyLift) |
| Country of Origin | Pakistan |
| Targeted Countries | India |
| Date of Initial Activity | 2018 |
| Associated Groups | Cosmic Leopard (tactical overlap with Transparent Tribe) |
| Motivation | Cyber espionage |
| Attack Vectors | Phishing |
| Type of Information Stolen | Login credentials |
| Targeted Systems | Windows, Android |
Overview
Operation Celestial Force is a long-running cyber espionage campaign, active since at least 2018 and documented in detail by Cisco Talos, that uses a suite of malware against Indian targets, particularly in the defense, government and technology sectors. Two malware families sit at its core: GravityRAT, a remote access trojan (RAT) that began as a Windows implant and later gained Android variants for compromising mobile devices, and HeavyLift, a Windows-based loader that stages and runs follow-on payloads. The operators run the campaign through a custom panel called GravityAdmin, which lets them manage several concurrent sub-operations, each with its own codename and administrative panel.
Talos attributes the campaign with high confidence to a Pakistani threat actor it tracks as "Cosmic Leopard". Cosmic Leopard's tactics and techniques overlap with those of other Pakistani APT groups such as Transparent Tribe, but differ enough to justify tracking it separately. Over the years the operation has evolved considerably, expanding from the initial use of GravityRAT on Windows to Android variants and the HeavyLift loader, an adaptive strategy aimed at widening the operation's reach and effectiveness.
Targets
Public Administration
Individuals
How they operate
The campaign typically begins with Initial Access, primarily through highly targeted spear-phishing attacks. These phishing emails often contain malicious attachments or links designed to exploit user trust. Once a recipient interacts with the malicious content, the attackers gain a foothold within the target environment. This method of infiltration underscores the campaign’s reliance on social engineering to bypass initial defenses and initiate the attack chain.
Once a foothold exists, Operation Celestial Force relies on user interaction for Execution: the victim opens the attachment or follows the link, and the payload runs in that user's context. The malware then establishes Persistence so that it survives reboots, typically by adding Registry Run keys or dropping an entry in the Startup folder, which relaunches it at every logon and gives the operators continuous access. The payloads are also obfuscated to slow down static detection and make the implant harder for defenders to identify and remove.
In the Privilege Escalation phase the malware attempts to obtain higher permissions, for example by exploiting a known software vulnerability or a misconfiguration on the host, which opens access to more sensitive parts of the system and network. With elevated privileges the operators may move on to Credential Dumping, harvesting user credentials and other secrets that make lateral movement easier.
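The Run-key and Startup-folder persistence described above leaves a footprint in endpoint telemetry. The following script is an added example, not code from the page or from the Talos report: it scans Sysmon-style registry (EventID 13) and file-create (EventID 11) events for autostart entries and rates those pointing into user-writable directories as higher risk. The event records are constructed for illustration, and the directory and key patterns are assumptions to extend per environment.

```python
"""Detection example: flag autostart persistence (ATT&CK T1547.001) in
Sysmon-style registry and file-create events.

Added example; the sample events below are constructed for illustration
and are not indicators from the Talos report.
"""
import json
import re
from typing import Iterable

# Registry autostart locations commonly abused for persistence (assumed list).
AUTOSTART_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices|RunOnceEx)(\\|$)",
    re.IGNORECASE,
)
# Per-user Startup folder path.
STARTUP_FOLDER_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE
)
# Directories a standard user can write to; an autostart entry pointing
# here deserves a closer look than one under Program Files (assumed list).
USER_WRITABLE_RE = re.compile(
    r"(\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Downloads\\)",
    re.IGNORECASE,
)


def _image_path(details: str) -> str:
    """Extract the executable path from a Run-key value such as
    '"C:\\x\\a.exe" --hide' or 'C:\\x\\a.exe --hide'."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    return details.split(" ")[0]


def find_autostart_persistence(events: Iterable[dict]) -> list[dict]:
    """Return one finding per event that creates an autostart entry.

    Event shapes follow Sysmon: EventID 13 (RegistryEvent: value set) carries
    TargetObject and Details; EventID 11 (FileCreate) carries TargetFilename.
    """
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and AUTOSTART_KEY_RE.search(ev.get("TargetObject", "")):
            path = _image_path(ev.get("Details", ""))
            findings.append({
                "technique": "T1547.001",
                "kind": "registry_run_key",
                "image": ev.get("Image"),
                "target": ev["TargetObject"],
                "path": path,
                "severity": "high" if USER_WRITABLE_RE.search(path) else "medium",
            })
        elif eid == 11 and STARTUP_FOLDER_RE.search(ev.get("TargetFilename", "")):
            findings.append({
                "technique": "T1547.001",
                "kind": "startup_folder",
                "image": ev.get("Image"),
                "target": ev["TargetFilename"],
                "path": ev["TargetFilename"],
                "severity": "high",
            })
    return findings


# Constructed sample telemetry as JSON lines; not real captured data.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor Agent", "Details": "\"C:\\Program Files\\Vendor\\agent.exe\" /tray"}
{"EventID": 13, "Image": "C:\\Users\\analyst\\AppData\\Local\\Temp\\update.exe", "TargetObject": "HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WinUpdate", "Details": "C:\\Users\\analyst\\AppData\\Roaming\\svc\\update.exe"}
{"EventID": 11, "Image": "C:\\Users\\analyst\\AppData\\Local\\Temp\\update.exe", "TargetFilename": "C:\\Users\\analyst\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"}
"""


def load_events(jsonl: str) -> list[dict]:
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


if __name__ == "__main__":
    for f in find_autostart_persistence(load_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']}] {f['kind']}: {f['path']} (written by {f['image']})")
```

The writing process (`Image`) is kept in each finding because a Run key set by an installer running from `System32` and one set by a binary living in `%TEMP%` look identical at the registry level; the process context is what separates the two.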
In the Discovery phase, the malware gathers detailed information about the target environment. This includes system configurations, network topology, and other critical data that informs the attackers’ next steps. Techniques such as System Information Discovery are used to map out the network and identify key systems and data sources.
Lateral Movement relies on copying files to additional hosts (Ingress Tool Transfer, formerly Remote File Copy) so the malware can spread across the network. Collected material is first aggregated in a staging location (Data Staged) and then exfiltrated over the existing command and control channel, so that stolen data leaves the network inside traffic that is already encrypted and already tolerated.
Throughout the campaign, Command and Control traffic uses standard application layer protocols, HTTP and HTTPS, which blend in with ordinary web traffic and help hide the operators' activity. This gives the malware a reliable, low-profile link to its operators and keeps the campaign effective and hard to spot.
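C2 over HTTP/HTTPS hides in the volume of normal web traffic, but an implant that polls its server on a schedule and pushes staged data out through the same channel still shows two things a proxy log can surface: regular inter-arrival times and an upload-heavy byte ratio. The script below is an added example, not from the page or the Talos report; it groups proxy records by client and destination, flags low-jitter periodic connections and outbound-dominant sessions, and runs over constructed log lines with placeholder host names. The thresholds are assumptions to tune per environment, and a real implant may add jitter, so this is a starting point rather than a signature.

```python
"""Detection example: periodic HTTP/HTTPS beacons (ATT&CK T1071.001) and
outbound-heavy sessions suggestive of exfiltration over C2 (T1041),
scored from web-proxy log lines.

Added example; the log lines are constructed for illustration, the host
names are placeholders, and the thresholds are assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: timestamp, client, destination host, method,
# bytes sent by the client, bytes received by the client.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.15 cdn.example-update.net POST 512 210
2024-05-01T09:00:02 10.0.0.15 www.example.com GET 300 41000
2024-05-01T09:05:01 10.0.0.15 cdn.example-update.net POST 498 205
2024-05-01T09:06:17 10.0.0.15 www.example.com GET 310 22000
2024-05-01T09:10:00 10.0.0.15 cdn.example-update.net POST 520 215
2024-05-01T09:15:02 10.0.0.15 cdn.example-update.net POST 505 211
2024-05-01T09:20:01 10.0.0.15 cdn.example-update.net POST 2097152 200
2024-05-01T09:22:40 10.0.0.15 www.example.com GET 295 9000
2024-05-01T09:25:00 10.0.0.15 cdn.example-update.net POST 515 208
2024-05-01T09:31:12 10.0.0.15 www.example.com GET 305 15000
"""

MIN_CONNECTIONS = 5    # fewer than this and periodicity is not meaningful
MAX_JITTER_CV = 0.10   # std-dev / mean of inter-arrival times (assumed)
UPLOAD_RATIO = 5.0     # bytes sent / bytes received flagged as exfil-like (assumed)


def parse_log(text: str) -> list[dict]:
    """Parse whitespace-separated proxy records into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, method, sent, recv = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "host": host,
                     "method": method, "sent": int(sent), "recv": int(recv)})
    return rows


def analyze(rows: list[dict]) -> list[dict]:
    """Return one finding per (client, host) pair that beacons or uploads heavily."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["src"], r["host"])].append(r)

    findings = []
    for (src, host), conns in by_pair.items():
        conns.sort(key=lambda r: r["ts"])
        sent = sum(r["sent"] for r in conns)
        recv = sum(r["recv"] for r in conns)

        # Beacon check: near-constant gaps between consecutive connections.
        beacon, period = False, None
        if len(conns) >= MIN_CONNECTIONS:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(conns, conns[1:])]
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
            if cv <= MAX_JITTER_CV:
                beacon, period = True, round(mean)

        # Exfil check: the client pushes far more than it pulls.
        exfil_like = recv > 0 and sent / recv >= UPLOAD_RATIO

        if beacon or exfil_like:
            findings.append({
                "src": src, "host": host, "connections": len(conns),
                "beacon": beacon, "period_s": period,
                "bytes_sent": sent, "bytes_recv": recv, "exfil_like": exfil_like,
                "largest_upload": max(r["sent"] for r in conns),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(parse_log(SAMPLE_LOG)):
        tags = [t for t, on in (("beacon", f["beacon"]), ("exfil", f["exfil_like"])) if on]
        print(f"{f['src']} -> {f['host']}: {', '.join(tags)}; period={f['period_s']}s "
              f"sent={f['bytes_sent']} recv={f['bytes_recv']} max_upload={f['largest_upload']}")
```

The browsing to `www.example.com` in the sample is irregular and download-heavy, so it is ignored; the five-minute POSTs to the placeholder update host are flagged on timing alone, and the single 2 MiB upload in the same session tips the byte ratio into exfil-like territory. In practice the periodicity test is the one that survives longest, because an operator can shrink payloads but must keep polling.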
MITRE Tactics and Techniques
Initial Access:
Phishing (T1566): The campaign employs spear-phishing emails with malicious attachments or links to gain initial access to target systems.
Execution:
User Execution (T1204): Malicious files or links in phishing emails require user interaction to execute, such as opening a malicious attachment or clicking on a harmful link.
Persistence:
Registry Run Keys / Startup Folder (T1547.001): The malware may create or modify Run keys, or drop a file in the Startup folder, to ensure it is relaunched at each logon.
Privilege Escalation:
Exploitation for Privilege Escalation (T1068): Exploits vulnerabilities to gain higher privileges on a compromised system.
Defense Evasion:
Obfuscated Files or Information (T1027): The use of obfuscation techniques to hide the malware’s presence and activities.
Rootkit (T1014): Some variants may employ rootkit techniques to maintain stealth and avoid detection.
Credential Access:
OS Credential Dumping (T1003): Techniques to extract user credentials and other sensitive information from compromised systems.
Discovery:
System Information Discovery (T1082): The malware gathers information about the system environment and configuration to tailor its operations.
Lateral Movement:
Ingress Tool Transfer (T1105, formerly Remote File Copy): Transferring files onto additional systems to extend the intrusion; current ATT&CK lists this technique under Command and Control.
Collection:
Data Staged (T1074): Staging collected data in a central location before exfiltration.
Exfiltration:
Exfiltration Over Command and Control Channel (T1041): Data is exfiltrated through the same channel used for command and control to avoid detection.
Command and Control:
Application Layer Protocol: Web Protocols (T1071.001): Using common protocols such as HTTP or HTTPS to communicate with command and control servers.