Related Families: GravityRAT, HeavyLift, GravityAdmin
Verticals Targeted: Defense, Government, Technology
Executive Summary
Cosmic Leopard was observed targeting Windows, MacOS, and Android devices in a series of ongoing campaigns dubbed Operation Celestial Force. The threat actors used GravityRAT and HeavyLift to target entities in India.
Key Takeaways
- Cosmic Leopard was observed targeting Windows, MacOS, and Android devices in a series of ongoing campaigns dubbed Operation Celestial Force.
- The threat actors used GravityRAT and HeavyLift to target entities in India.
- GravityRAT is a multi-platform RAT.
- HeavyLift is an Electron-based malware loader that can target both Windows and MacOS systems.
- The threat actors use GravityAdmin, a panel binary, to administer infected systems.
Operation Celestial Force
Cosmic Leopard was observed targeting Windows, MacOS, and Android devices in a series of campaigns dubbed Operation Celestial Force. The campaign, which appears to still be active, began as early as 2018 and targeted entities in India using two malware families, GravityRAT and HeavyLift. The threat actors use the standalone tool GravityAdmin to carry out malicious activity on devices infected with either GravityRAT or HeavyLift. The threat actors use social engineering and spearphishing to lure targets into downloading the malware. Cisco Talos reported on this activity.
What is GravityRAT?
GravityRAT is a multi-platform RAT. It was first reported on in 2018 as a Windows-based RAT but may have been in use as early as 2016. In 2019, GravityRAT was ported to Android. Cisco Talos noted that GravityRAT has evolved over time. Pakistan-based threat actor groups are the only threat actors known to use GravityRAT, and it has been used exclusively against targets in India. Recent GravityRAT variants are distributed via malicious websites masquerading as download pages for legitimate Android applications.
GravityRAT has multiple capabilities, including the following:
- Sending location, device, and network information to the C2.
- Reading text messages and uploading them to the C2.
- Reading and uploading specific file formats to the C2.
- Reading and uploading call logs to the C2.
- Obtaining IMEI information.
- Deleting contacts, call logs, and files associated with the malware.
What is HeavyLift?
HeavyLift is an Electron-based malware loader that can target both Windows and MacOS systems. It consists of JavaScript code that communicates with and receives commands from the C2. This first-stage malware downloads and installs other implants. Cisco Talos noted similarities between HeavyLift and previously observed Electron versions of GravityRAT.
The malware masquerades as an installer for a legitimate application. When executed, it installs both a decoy application and HeavyLift, the malicious desktop application. On both Windows and MacOS devices, HeavyLift collects system information, sends it to the C2, and then polls the C2 for follow-on payloads. On Windows, the payloads are delivered as an EXE; on MacOS, they arrive as a ZIP archive that HeavyLift then extracts.
What is GravityAdmin?
Cisco Talos describes GravityAdmin as a panel binary used to administer infected systems. The threat actors have used GravityAdmin since at least 2021 to interact with devices infected by either GravityRAT or HeavyLift.
Who is Cosmic Leopard?
The threat actor group Cosmic Leopard, also known as SpaceCobra, is thought to have a Pakistan nexus. According to Cisco Talos, the group appears to share tactical overlap with Mythic Leopard, also known as Transparent Tribe.
IOCs
PolySwarm has multiple samples associated with this activity.
1382997d3a5bb9bdbb9d41bb84c916784591c7cdae68305c3177f327d8a63b71 (GravityRAT - Android)
C00cedd6579e01187cd256736b8a506c168c6770776475e8327631df2181fae2 (GravityRAT - Android)
You can use the following CLI command to search for all Cosmic Leopard samples in our portal:
$ polyswarm link list -t CosmicLeopard