Pierluigi Paganini October 19, 2020

Researchers spotted new variants of the Windows GravityRAT spyware that now can also infect Android and macOS devices.

Researchers from Kaspersky Lab have spotted new variants of the GravityRAT malware that now can be also used to infect Android and macOS devices.

GravityRAT is a malware strain known for checking the CPU temperature of Windows computers to avoid being executed in sandboxes and virtual machines.

The GravityRAT malware Access Trojan (RAT) is believed to be the work of Pakistani hacker groups, it is under development at least since 2015.

“Today, Cisco Talos is uncovering a new piece of malware, which has remained under the radar for the past two years [since 2015] while it continues to be developed.” reads an analysis published by Cisco Talos that spotted the malware back in 2017 when it was used by an APT group targeting India.

The sample analyzed by Kaspersky last year is able to infect macOS and Android devices, unlike past variants that were focused on Windows.

Crooks also started using digital signatures to make the apps look more legitimate.

The malware researchers found the new Android GravityRAT sample in 2019, on VirusTotal. The hackers had added a spy module to Travel Mate, an Android app for travelers to India, the source code of which is available on Github.

The tainted app is able to steal contacts, emails, and documents from the infected device, then send them back to the command-and-control server (nortonupdates[.]online). The C&C server was also associated with other two malicious apps (Enigma and Titanium) targeting the Windows and macOS platforms.

The spyware is able to get information about the system and support multiple features, including:

• search for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server
• get a list of running processes
• intercept keystrokes
• take screenshots
• execute arbitrary shell commands
• record audio (not implemented in this version)
• scan ports

The malware was distributed via applications that clone legitimate apps that act as downloader for the GravityRAT payloads.

The applications analyzed by Kaspersky were developed in .NET, Python and Electron framework, they achieve persistence by adding a scheduled task.

The researchers reported that the malware was employed in approximately 100 successful attacks between 2015 and 2018. The list of targets includes employees at defense, police, and other departments and organizations.

Threat actors tricked the victims into installing a malicious app disguised as a secure messenger in order to continue the conversation, the attackers contacted the victims through a fake Facebook account. The attackers likely sent to the victims download links.

“It is safe to assume that the current GravityRAT campaign uses similar infection methods — targeted individuals are sent links pointing to malicious apps.” concludes Kaspersky.

“The main modification seen in the new GravityRAT campaign is multiplatformity: besides Windows, there are now versions for Android and macOS. The cybercriminals also started using digital signatures to make the apps look more legitimate.”

Pierluigi Paganini

(SecurityAffairs – hacking, GravityRAT)

[adrotate banner=”5″]

[adrotate banner=”13″]