GravityRAT, a malware strain known for checking the CPU temperature of Windows computers to detect virtual machines and sandboxes, has become multi-platform spyware: it can now also infect Android and macOS devices.
The GravityRAT Remote Access Trojan (RAT) has been under active development since at least 2015 by what appear to be Pakistani threat groups, and has been deployed in targeted attacks against Indian military organizations.
New versions infect Android and macOS devices
While the malware authors previously focused on Windows machines, a sample discovered by Kaspersky researchers last year shows that they have added macOS and Android support.
They are now also signing their code with digital certificates so that the booby-trapped apps look legitimate.
The updated RAT sample was found while analyzing an Android spyware app, Travel Mate Pro, which steals contacts, emails, and documents and sends them to the command-and-control server nortonupdates[.]online. The same server is used by two other malicious apps, Enigma and Titanium, which target Windows and macOS.
The spyware that these apps drop on infected devices runs multi-platform code and accepts commands from the operators to:
- get information about the system
- search for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server
- get a list of running processes
- intercept keystrokes
- take screenshots
- execute arbitrary shell commands
- record audio (not implemented in this version)
- scan ports
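The two observable behaviours above that a defender can hunt for are contact with the nortonupdates[.]online C&C server and a process sweeping fixed and removable disks for the listed document extensions. The script below is an added example written for this article, not Kaspersky's tooling or the malware's own code: it runs two checks over constructed sample logs in a simplified, hypothetical format (DNS lines as `time client qname`, file-access events as `time host process path`). The process name `updater.exe`, the host names, the thresholds (20 targeted documents across at least 2 disk roots within 5 minutes) and the matching of subdomains of the C&C host are all assumptions made for the example.

```python
"""Hunting checks derived from the GravityRAT indicators in the article.
Added example; log formats, hosts, process names and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from pathlib import PurePosixPath, PureWindowsPath
import re

# C&C domain from the article, kept defanged; compared in refanged form.
C2_DOMAINS = {"nortonupdates[.]online"}

# Document extensions the RAT searches for and uploads.
TARGET_EXTENSIONS = {".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx",
                     ".pdf", ".odt", ".odp", ".ods"}

def refang(domain):
    return domain.replace("[.]", ".").lower().rstrip(".")

_REFANGED_C2 = {refang(d) for d in C2_DOMAINS}

def is_c2_domain(name):
    """True for the C&C host itself or any subdomain of it (an assumption)."""
    name = refang(name)
    return any(name == d or name.endswith("." + d) for d in _REFANGED_C2)

# Constructed DNS log format: "<ISO time> <client ip> <queried name>"
_DNS_LINE = re.compile(r"^(\S+) (\S+) (\S+)$")

def find_c2_lookups(lines):
    """Return (timestamp, client, qname) for every query to the C&C domain."""
    hits = []
    for line in lines:
        m = _DNS_LINE.match(line.strip())
        if m and is_c2_domain(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits

def _is_windows(path):
    return re.match(r"^[A-Za-z]:[\\/]", path) is not None

def _ext(path):
    p = PureWindowsPath(path) if _is_windows(path) else PurePosixPath(path)
    return p.suffix.lower()

def _root(path):
    """Drive letter on Windows, /Volumes/<name> on macOS, otherwise '/'."""
    if _is_windows(path):
        return PureWindowsPath(path).drive.upper()
    parts = PurePosixPath(path).parts
    if len(parts) > 2 and parts[1] == "Volumes":
        return str(PurePosixPath(*parts[:3]))
    return "/"

def find_document_sweeps(events, min_files=20, min_roots=2,
                         window=timedelta(minutes=5)):
    """Flag a process that touches many targeted documents on several disk
    roots inside one time window. Constructed event format:
    "<ISO time> <host> <process> <path>". Returns (host, process, files, roots)."""
    by_proc = defaultdict(list)
    for line in events:
        ts, host, proc, path = line.strip().split(" ", 3)
        if _ext(path) in TARGET_EXTENSIONS:
            when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            by_proc[(host, proc)].append((when, _root(path), path))
    alerts = []
    for (host, proc), accesses in by_proc.items():
        accesses.sort()
        best, lo = None, 0
        for hi in range(len(accesses)):            # sliding window over time
            while accesses[hi][0] - accesses[lo][0] > window:
                lo += 1
            span = accesses[lo:hi + 1]
            files = {a[2] for a in span}
            roots = {a[1] for a in span}
            if len(files) >= min_files and len(roots) >= min_roots:
                if best is None or len(files) > best[0]:
                    best = (len(files), sorted(roots))
        if best:
            alerts.append((host, proc, best[0], best[1]))
    return alerts

# Constructed sample DNS log (not real traffic).
SAMPLE_DNS = """\
2020-10-20T09:14:02Z 10.0.3.17 www.example.com
2020-10-20T09:14:05Z 10.0.3.17 nortonupdates.online
2020-10-20T09:16:41Z 10.0.3.22 time.apple.com
2020-10-20T09:17:10Z 10.0.3.22 api.nortonupdates.online
""".splitlines()

def constructed_file_events():
    """Benign Word usage plus a hypothetical 'updater.exe' sweeping C: and D:."""
    base = datetime(2020, 10, 20, 9, 15, tzinfo=timezone.utc)
    lines = []
    for i in range(3):
        t = (base + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{t} WS-017 winword.exe C:\\Users\\a\\Documents\\report{i}.docx")
    exts = sorted(TARGET_EXTENSIONS)
    for i in range(24):
        t = (base + timedelta(seconds=5 * i)).isoformat()
        drive = "C:" if i % 2 == 0 else "D:"
        lines.append(f"{t} WS-017 updater.exe {drive}\\share\\file{i}{exts[i % len(exts)]}")
    return lines

if __name__ == "__main__":
    for hit in find_c2_lookups(SAMPLE_DNS):
        print("C2 lookup:", hit)
    for alert in find_document_sweeps(constructed_file_events()):
        print("document sweep:", alert)
```

Only the sweeping process trips the second check; the user opening three reports in Word on one drive does not, which is the point of requiring both a file count and several disk roots rather than alerting on any access to the listed extensions.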
“Analysis of the command and control (C&C) addresses module used revealed several additional malicious modules, also related to the actor behind GravityRAT,” researchers at Kaspersky found.
“Overall, more than 10 versions of GravityRAT were found, being distributed under the guise of legitimate applications, such as secure file sharing applications that would help protect users’ devices from encrypting Trojans, or media players.
“Used together, these modules enabled the group to tap into Windows OS, MacOS, and Android.”
Delivered via links to booby-trapped apps
Kaspersky also found applications built with .NET, Python, and Electron, often clones of legitimate apps, that download GravityRAT payloads from the C&C server and create a scheduled task on the infected device for persistence.
Roughly 100 successful attacks using this RAT were detected between 2015 and 2018; according to reports, defense and police employees were infected after being tricked via Facebook into installing a "secure messenger".
While the infection vector for these updated samples remains unknown, Kaspersky says that targets are probably being sent download links to the malicious apps, as in past campaigns.
“Our investigation indicated that the actor behind GravityRAT is continuing to invest in its spying capacities,” Kaspersky security expert Tatyana Shishkova said.
“Cunning disguise and an expanded OS portfolio not only allow us to say that we can expect more incidents with this malware in the APAC region, but this also supports the wider trend that malicious users are not necessarily focused on developing new malware, but developing proven ones instead, in an attempt to be as successful as possible.”