
The Revival and Multi-Platform Capability of GravityRAT Malware

by CISOCONNECT Bureau

The GravityRAT spyware has now become active targeting multiple OS platforms. Read on to know more…

GravityRAT operators are constantly working on advancing this information-stealing malware. Recently, Kaspersky researchers observed another enhancement of the tool: it can now target macOS and Android in addition to Windows, making it a multi-platform tool.

GravityRAT was first identified in 2018 and its developments were published by cybersecurity researchers. The spyware was used in targeted attacks against the Indian military services. As per Kaspersky data, the campaign has been active since at least 2015, mainly focusing on Windows operating systems. A couple of years ago, however, the situation changed, and the group added Android to the target list.

Observations
GravityRAT operators have not only extended their portfolio of targeted operating systems; they continue to invest in the trojan's spying abilities. Researchers identified more than ten versions of the GravityRAT malware, with several additional malicious modules, being distributed under the guise of legitimate applications. The malware authors, moreover, digitally signed their code to make the booby-trapped apps look legitimate.

The latest versions were detected while analyzing an Android spyware app named Travel Mate Pro, which communicates with a C&C server also used by two other malicious apps, Enigma and Titanium. In addition, researchers discovered clones of legitimate apps, developed in .NET, Python, and Electron, designed to download GravityRAT payloads from the C&C server and add a scheduled task on the infected device to gain persistence.
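The persistence step described above (a downloader registering a scheduled task) leaves a trace a defender can look for. The following is an added example, not code from the original article or from Kaspersky's report: it scans Windows Security event 4698 ("A scheduled task was created") records for tasks whose action runs a binary or script from a user-writable directory. The event records, task names, user names and paths are constructed for the example and are not GravityRAT indicators.

```python
"""Flag newly created Windows scheduled tasks whose action runs from a
user-writable location (constructed sample data, not a real incident)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories an unprivileged user can write to; a task launching a binary
# or script from one of these deserves a closer look.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\temp\\|\\programdata\\",
    re.IGNORECASE,
)

# Namespace of Task Scheduler XML definitions, as carried in event 4698.
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"


@dataclass
class TaskEvent:
    event_id: int       # 4698 = "A scheduled task was created"
    subject_user: str   # account that registered the task
    task_name: str
    task_content: str   # the task's XML definition


@dataclass
class Finding:
    task_name: str
    subject_user: str
    command: str
    arguments: str
    reason: str


def _local(tag: str) -> str:
    """Strip the XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]


def extract_actions(xml_text: str) -> List[Tuple[str, str]]:
    """Return (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(xml_text)
    actions = []
    for node in root.iter():
        if _local(node.tag) != "Exec":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in node}
        actions.append((fields.get("Command", ""), fields.get("Arguments", "")))
    return actions


def classify(event: TaskEvent) -> Optional[Finding]:
    """Flag a task-creation event whose action points into a user-writable path."""
    if event.event_id != 4698:
        return None
    for cmd, args in extract_actions(event.task_content):
        if USER_WRITABLE.search(cmd):
            reason = "task executable lives in a user-writable directory"
        elif USER_WRITABLE.search(args):
            reason = "task arguments reference a user-writable directory"
        else:
            continue
        return Finding(event.task_name, event.subject_user, cmd, args, reason)
    return None


def scan(events: List[TaskEvent]) -> List[Finding]:
    return [f for f in map(classify, events) if f is not None]


def make_task_xml(command: str, arguments: str = "") -> str:
    """Build a minimal Task Scheduler definition for the constructed samples."""
    return (
        f'<Task version="1.2" xmlns="{TASK_NS}"><Actions><Exec>'
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


def build_sample_events() -> List[TaskEvent]:
    """Constructed events for the example (hypothetical users, tasks and paths)."""
    return [
        TaskEvent(4698, "NT AUTHORITY\\SYSTEM", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
                  make_task_xml("%windir%\\system32\\defrag.exe", "-c -h -o -$")),
        TaskEvent(4698, "CORP\\alice", "\\Updater",
                  make_task_xml("C:\\Users\\alice\\AppData\\Roaming\\Updater\\update.exe")),
        TaskEvent(4698, "CORP\\bob", "\\MediaSync",
                  make_task_xml("C:\\Windows\\System32\\wscript.exe",
                                "C:\\Users\\bob\\Downloads\\player\\sync.js")),
        # 4699 (task deleted) is ignored by the scanner.
        TaskEvent(4699, "CORP\\alice", "\\Updater",
                  make_task_xml("C:\\Users\\alice\\AppData\\Roaming\\Updater\\update.exe")),
    ]


if __name__ == "__main__":
    for finding in scan(build_sample_events()):
        print(f"[!] {finding.task_name} by {finding.subject_user}: {finding.reason}")
        print(f"    {finding.command} {finding.arguments}".rstrip())
```

The path heuristic is deliberately simple; in production it would sit beside allow-lists for known installers and a check on whether the task's author account is privileged, but the core signal (a freshly registered task whose action resolves into a profile or temp directory) is the one the persistence technique above produces.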

Analysis of the command and control (C&C) addresses used revealed several additional malicious modules, also related to the actor behind GravityRAT, Kaspersky explained in a report. Overall, more than 10 versions of GravityRAT were found being distributed under the guise of legitimate applications, such as purported secure file-sharing applications (advertised as protecting users' devices from file-encrypting Trojans) and media players.

Recent Attacks
Recently, many hackers have been observed taking diverse approaches to modifying trojans with additional functionality in order to increase their profits. In October, the SolarSys trojan was seen adding fileless attack protection functions to target financial institutions such as Banco do Nordeste, Banco Mercantil, CrediSIS, Safra, and other banks in Brazil. In the same month, several threat actors were observed enhancing the Cerberus malware from a mobile-banking trojan into a network access tool, with a view to attempting corporate network access in the future.

A Brief Conclusion
Cybercriminals are not only focused on developing new malware but are actively developing proven ones in an attempt to be more successful. Several deadly trojans, such as Emotet and Trickbot, have turned into weapons of mass cyber destruction through continuous modification and upgrades over a long period of time. Regular monitoring and tracking of such malware has become an important measure to keep a check on any future disaster.
