The criminals behind GravityRAT spyware have rolled out new macOS and Android variants for the first time.
The GravityRAT remote access trojan has been around since at least 2015, according to researchers from Kaspersky, but it has mainly focused on Windows operating systems. The last piece of major development news came in 2018, when developers behind the malware made key changes to the RAT’s code in an attempt to decrease antivirus detection.
Recently though, Kaspersky researchers spotted updated GravityRAT code indicating an overhaul of the the malware. “Further investigation confirmed that the group behind the [GravityRAT] malware had invested effort into making it into a multiplatform tool…the campaign is still active,” according research published on Monday.
The malware is capable of retrieving device data, contact lists, email addresses, call logs and SMS messages and can exfiltrate various types of documents and files.
Following the RAT’s Breadcrumbs
On the mobile front, Kaspersky was tipped off that GravityRAT was back when researchers observed a piece of malicious code inserted in an Android travel application for Indian users.
After some code analysis, they were able to determine that the malware module was in fact a relative of GravityRAT. Then, researchers decided to look further, since the code “doesn’t look like a typical piece of Android spyware,” researchers said.
“Analysis of the command-and-control (C2) addresses the module used revealed several additional malicious modules, also related to the actor behind GravityRAT,” they explained.
Overall, the analysis turned up more than 10 new versions of GravityRAT, all distributed within trojanized applications – including those masquerading as secure file-sharing applications or media players. Used together, these modules represent a multiplatform code base that enables the group to tap into Windows OS, MacOS and Android.
“The main modification seen in the new GravityRAT campaign is multiplatformity,” researchers said. “Besides Windows, there are now versions for Android and macOS. The cybercriminals also started using digital signatures to make the apps look more legitimate.”
Once installed, the spyware receives commands from the server. Commands include Get-command information about the system; search for files on the computer and removable disks (with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods); upload files to the server; get a list of running processes; intercept keystrokes; take screenshots; execute arbitrary shell commands; record audio and scan ports.
The campaign is continuing, mainly targeting victims in India. This continues GravityRAT’s standard victimology. Kaspersky also believes that the malware is spreading in the same way that older versions did such as social media, where targeted individuals are sent links pointing to malicious apps and programs.
“In 2019, The Times of India published an article about the cybercriminal methods used to distribute GravityRAT during the period 2015-2018,” according to the analysis. “Victims were contacted through a fake Facebook account, and asked to install a malicious app disguised as a secure messenger in order to continue the conversation. Around 100 cases of infection of employees at defense, police, and other departments and organizations were identified.”
The main change in the tactics is the investment into expanding the group’s target base, researchers concluded.
“Our investigation indicated that the actor behind GravityRAT is continuing to invest in its spying capacities,” said Tatyana Shishkova, security expert at Kaspersky, in a statement. “Cunning disguise and an expanded OS portfolio not only allow us to say that we can expect more incidents with this malware in the APAC region, but this also supports the wider trend that malicious users are not necessarily focused on developing new malware, but developing proven ones instead, in an attempt to be as successful as possible.”