GravityRAT is a malware strain known for checking the CPU temperature of Windows computers to avoid being executed in sandboxes and virtual machines. The trick relies on the fact that most hypervisors do not expose a temperature sensor to the guest: if the temperature query fails, the malware assumes it is running in a virtual machine and stops.
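The following PowerShell snippet is an added example, not GravityRAT's own code, that reproduces the temperature check from the defender's side so a sandbox operator can see what such a sample observes on a given host. It assumes a Windows machine and reads the standard ACPI thermal-zone class, MSAcpi_ThermalZoneTemperature in the root\wmi namespace; reading it usually requires an elevated prompt.

```powershell
# Added example: reproduce the "CPU temperature" sandbox check so a sandbox
# operator can see what a temperature-probing sample observes on this host.
# Not GravityRAT's code. Assumes Windows and an elevated PowerShell session.
function Test-ThermalZoneVisible {
    [CmdletBinding()]
    param()
    try {
        # MSAcpi_ThermalZoneTemperature is the ACPI thermal-zone class. Most
        # hypervisors do not expose it, so the query throws "Not supported".
        $zones = Get-CimInstance -Namespace 'root\wmi' `
                                 -ClassName 'MSAcpi_ThermalZoneTemperature' `
                                 -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            Visible  = $false
            Reason   = $_.Exception.Message
            Readings = @()
        }
    }
    # CurrentTemperature is reported in tenths of a kelvin.
    $readings = foreach ($z in $zones) {
        [pscustomobject]@{
            Instance = $z.InstanceName
            Celsius  = [math]::Round(($z.CurrentTemperature / 10) - 273.15, 1)
        }
    }
    [pscustomobject]@{
        Visible  = ($readings.Count -gt 0)
        Reason   = 'ok'
        Readings = $readings
    }
}

$result = Test-ThermalZoneVisible
if (-not $result.Visible) {
    Write-Host "No thermal zone exposed ($($result.Reason))."
    Write-Host "A temperature-based evasion check would treat this host as a VM or sandbox."
} else {
    $result.Readings | Format-Table -AutoSize
}
```

Two caveats apply when using this to test an analysis environment. First, the check is a weak discriminator: a fair number of physical desktops and laptops also fail the query or return no instances, so a sample using it will refuse to run on some real victims too. Second, a sandbox that wants to defeat this particular check has to make the query succeed with a plausible value, not merely suppress the error, since the malware treats any failure as a sign of virtualization.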
GravityRAT is a Remote Access Trojan (RAT) believed to be the work of Pakistani hacker groups; it has been under development since at least 2015.
Malware researchers found a new Android GravityRAT sample in 2019. The attackers had added a spy module to Travel Mate, an Android app for travelers to India whose source code is available on GitHub.
The tainted app is able to steal contacts, emails, and documents from the infected device and send them to the command-and-control (C&C) server. The same C&C server was also associated with two other malicious apps, targeting the Windows and macOS platforms.
The spyware collects information about the system and supports multiple features, including:
- search for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server
- get a list of running processes
- intercept keystrokes
- take screenshots
- execute arbitrary shell commands
- scan ports
The malware was distributed via applications that clone legitimate apps and act as downloaders for the GravityRAT payloads.
The applications analyzed by Kaspersky were developed in .NET, Python and the Electron framework; they achieve persistence by adding a scheduled task.
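Because the persistence mechanism is a scheduled task pointing at a downloader dropped on disk, a defender can hunt for that shape directly. The PowerShell below is an added example, not code from any GravityRAT report: it lists non-Microsoft scheduled tasks whose action runs from a user-writable location. The path patterns are assumptions about common drop directories, not indicators from the page.

```powershell
# Added example: hunt for scheduled tasks whose action runs from user-writable
# directories, the persistence shape described for GravityRAT's downloaders.
# Not GravityRAT's code; the path patterns are assumed typical drop locations,
# not indicators taken from any report. Requires Windows 8 / Server 2012 or later.
function Find-SuspiciousScheduledTask {
    [CmdletBinding()]
    param(
        [string[]]$SuspectPathPatterns = @(
            '\\Users\\[^\\]+\\AppData\\',    # per-user AppData (Local/Roaming)
            '\\Users\\[^\\]+\\Downloads\\',
            '\\ProgramData\\',
            '\\Temp\\',
            '\\Public\\'
        )
    )
    $regex = ($SuspectPathPatterns -join '|')
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        # Skip Microsoft's own tasks; they dominate the list and use fixed paths.
        if ($task.TaskPath -like '\Microsoft\*') { continue }
        foreach ($action in $task.Actions) {
            # Only ExecAction entries carry Execute/Arguments; COM-handler actions do not.
            if (-not $action.Execute) { continue }
            $cmdline = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            # Expand %APPDATA%-style variables so the regex sees a real path.
            # This expands for the current user, an approximation when the task
            # runs under a different account.
            $expanded = [Environment]::ExpandEnvironmentVariables($cmdline)
            if ($expanded -match $regex) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Author   = $task.Author
                    RunAs    = $task.Principal.UserId
                    Command  = $expanded
                    Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                }
            }
        }
    }
}

Find-SuspiciousScheduledTask | Format-Table -AutoSize
```

Expect legitimate hits: per-user installers, Electron applications among them, routinely live under AppData and register their own update tasks. The value of the list is in triage, comparing the task author and run-as account against the binary's signature and reputation, rather than in the match itself.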
Threat actors tricked victims into installing a malicious app disguised as a secure messenger, presented as necessary to continue a conversation, and used it to deliver the infection.
What is peculiar about GravityRAT is that it no longer infects only Windows: there are now Android and macOS variants as well.