Revealing DNS Insights on Operation Celestial Force

Cosmic Leopard’s Operation Celestial Force uses GravityRAT (Android) and HeavyLift (Windows) to target networks. A DNS deep dive by WhoisXML API expands IoCs to include domains, IPs, and emails connected to the campaign. #CosmicLeopard #GravityRAT #HeavyLift #OperationCelestialForce #CiscoTalos #WhoisXMLAPI #DNS #IoCs

Keypoints

  • Cosmic Leopard’s Celestial Force relies on GravityRAT (Android) and HeavyLift (Windows) as core infection/loading components.
  • Cisco Talos identified 19 IoCs (domains) associated with the operation.
  • WhoisXML API's DNS/WHOIS expansion of those 19 IoCs found 3 email-connected domains, 15 malicious IPs, 35 string-connected domains, and 3,927 brand-containing domains (9 of which were tied to threats).
  • Newly registered domains (NRDs) appear to be preferred, with IoCs created in 2020, 2023, and 2024.
  • Registrant-country patterns show Bahamas and Saint Kitts and Nevis as top contributors, with some IoCs from the U.S. and 11 with unknown registrant countries.
  • WHOIS history and DNS investigations yielded 33 email addresses (1 public) and additional artifacts; full findings are available in the referenced report.
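The pivots counted above (registrant-email links, shared strings, brand names, IP resolutions, creation years, registrant countries) follow one repeatable procedure. The block below is an added example, written for this page, not code from WhoisXML API or Cisco Talos. It runs offline on a constructed WHOIS snapshot, a constructed set of A records (TEST-NET addresses) and a constructed IP-reputation set; every domain, email, IP and the one-year "newly registered" threshold is an assumption made for the demonstration and not a campaign indicator. It also handles the failure mode that ruins real email pivots: registrar and privacy-proxy addresses that are shared by thousands of unrelated domains and must be excluded before pivoting.

```python
"""IoC expansion by WHOIS/DNS pivots (added example; constructed data only)."""
from collections import Counter
from datetime import date

# Constructed WHOIS snapshot: domain -> (registrant email, registrant country, created).
# .test and .example are reserved names; none of these are real indicators.
WHOIS = {
    "seed-alpha.test":       ("reg-one@mail.example",  "BS", date(2023, 5, 2)),
    "seed-bravo.test":       ("proxy@privacy.example", "KN", date(2024, 1, 11)),
    "seed-charlie.test":     (None,                    None, date(2020, 8, 30)),  # redacted WHOIS
    "pivot-alpha.test":      ("reg-one@mail.example",  "BS", date(2023, 6, 1)),
    "pivot-old.test":        ("reg-one@mail.example",  "US", date(2021, 2, 2)),
    "proxy-noise.test":      ("proxy@privacy.example", "US", date(2019, 9, 9)),
    "seed-alpha-login.test": ("someone@mail.example",  "US", date(2024, 4, 4)),
    "acme-bank-verify.test": ("someone@mail.example",  "US", date(2024, 4, 5)),
    "unrelated.test":        ("other@mail.example",    "US", date(2015, 3, 3)),
}

# Constructed A records (TEST-NET-1/2 ranges) and a constructed reputation set.
DNS = {
    "seed-alpha.test":   {"192.0.2.10"},
    "seed-bravo.test":   {"192.0.2.10", "198.51.100.7"},
    "seed-charlie.test": {"198.51.100.8"},
    "pivot-alpha.test":  {"192.0.2.10"},
    "unrelated.test":    {"198.51.100.99"},
}
MALICIOUS_IPS = {"192.0.2.10", "198.51.100.8"}

# Privacy-proxy / registrar addresses: pivoting on these connects everything to everything.
PROXY_EMAILS = {"proxy@privacy.example"}

SEEDS = ["seed-alpha.test", "seed-bravo.test", "seed-charlie.test"]
NRD_DAYS = 365  # assumed "newly registered" window for this example


def registrant_emails(seeds, whois=WHOIS):
    """Registrant emails of the seeds, with redacted and privacy-proxy addresses dropped."""
    emails = {whois[d][0] for d in seeds if d in whois and whois[d][0]}
    return emails - PROXY_EMAILS


def email_connected(seeds, whois=WHOIS):
    """Non-seed domains registered with one of the seeds' (non-proxy) emails."""
    emails = registrant_emails(seeds, whois)
    return sorted(d for d, (e, _, _) in whois.items() if e in emails and d not in seeds)


def seed_strings(seeds):
    """Second-level labels of the seeds, used as the strings to pivot on."""
    return {d.split(".")[0] for d in seeds}


def containing(substrings, candidates, exclude=()):
    """Domains containing any of the strings: string-connected or brand-containing pivots."""
    return sorted(d for d in candidates if d not in exclude and any(s in d for s in substrings))


def ip_connected(seeds, dns=DNS, malicious=MALICIOUS_IPS):
    """IPs the seeds resolve to, split by reputation, plus non-seed domains co-hosted on them."""
    ips = set().union(*(dns.get(d, set()) for d in seeds))
    cohosted = sorted(d for d, addrs in dns.items() if addrs & ips and d not in seeds)
    return {"malicious": sorted(ips & malicious), "clean": sorted(ips - malicious), "cohosted": cohosted}


def creation_years(domains, whois=WHOIS):
    return Counter(whois[d][2].year for d in domains if d in whois)


def registrant_countries(domains, whois=WHOIS):
    return Counter(whois[d][1] or "unknown" for d in domains if d in whois)


def is_nrd(domain, as_of, whois=WHOIS, days=NRD_DAYS):
    return (as_of - whois[domain][2]).days <= days


def expand(seeds, brands=(), as_of=date(2024, 7, 24)):
    """All pivot classes in one pass, mirroring the artefact classes counted in the keypoints."""
    return {
        "email_connected": email_connected(seeds),
        "string_connected": containing(seed_strings(seeds), WHOIS, exclude=seeds),
        "brand_containing": containing(brands, WHOIS, exclude=seeds),
        "ips": ip_connected(seeds),
        "creation_years": creation_years(seeds),
        "registrant_countries": registrant_countries(seeds),
        "nrds": [d for d in seeds if is_nrd(d, as_of)],
    }


if __name__ == "__main__":
    for name, value in expand(SEEDS, brands=("acme-bank",)).items():
        print(f"{name}: {value}")
```

With real data the `WHOIS` and `DNS` tables come from a WHOIS-history and passive-DNS provider rather than in-memory dicts, and the proxy denylist has to be maintained: in the constructed set, `proxy-noise.test` shares an email with a seed but is correctly left out, while `pivot-old.test` is picked up even though its registration predates the campaign years, which is why email pivots are triaged before they are published as IoCs.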

MITRE Techniques

  • [T1583.001] Resource Development – Acquire Infrastructure: Domains. Newly registered domains (NRDs) were set up as campaign infrastructure, which the source describes as facilitating initial access to target networks.
  • [T1071] Command and Control – Application Layer Protocol. GravityRAT and HeavyLift are used for command-and-control operations over the campaign's domains.
  • [TA0009] Collection – Data was collected from compromised hosts by the deployed malware; the source does not identify a specific collection technique (T1115, Clipboard Data, is not supported by it).
  • [T1041] Exfiltration – Exfiltration Over C2 Channel. Collected data was potentially exfiltrated through the C2 channels established by the malware.
  • Reconnaissance – Not evidenced. The WHOIS lookups and DNS queries described on this page were performed by WhoisXML API to expand the IoC set, not by Cosmic Leopard against its targets, so T1592 (Gather Victim Host Information) does not apply.

Indicators of Compromise

  • [Domain] 19 domains identified by Cisco Talos as Celestial Force IoCs; WhoisXML API's DNS/WHOIS expansion added 3 email-connected domains, 35 string-connected domains, and 3,927 brand-containing domains (9 of the latter associated with threats)
  • [IP] 15 IP addresses connected to the IoCs, all flagged as malicious
  • [Email] 33 email addresses found in WHOIS history (1 public)

Read more: https://circleid.com/posts/20240724-uncovering-dns-details-on-operation-celestial-force