GravityRAT: Windows spyware adapted to target macOS and Android
GravityRAT is a piece of malware classified as spyware: it lets the attackers behind it steal information from infected machines. The group operating it is known to target Windows, macOS and Android devices. If there is reason to believe that a computer or phone is infected with GravityRAT, it should be removed as soon as possible.
Research shows that GravityRAT can send a device's data, including email addresses, call and text records, and contact lists, to command-and-control (C&C) servers operated by the attackers. It can also search for and upload files with the following extensions to the C&C server: .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx and .opus. It looks for such files both in the device's own storage and on connected storage devices.
GravityRAT is known to be delivered through a range of trojanized applications, including WeShare, TrustX, Click2Chat, Bollywood, Sharify, MelodyMate, GoZap, StrongBox, TeraSpace, OrangeVault, CvStyler, SavitaBhabi and Travel Mate Pro. The attackers try to trick users into installing these applications by sending them download links. Notably, some of these applications are digitally signed, which makes them look more trustworthy and legitimate; a valid signature only proves who signed the file, not that the file is safe. Once one of these applications is installed, GravityRAT is installed along with it.
In 2018, researchers at Cisco Talos published a post on GravityRAT, which was being used to target the Indian military. The Indian Computer Emergency Response Team (CERT-In) had first identified the trojan in 2017. Its authors are believed to be Pakistani hacker groups. According to those reports, the campaign has been running since at least 2015 and had previously targeted Windows machines; in 2018, however, the malware was improved and Android devices were added to the list of targets.
The operators behind the GravityRAT spyware have now, unexpectedly, released new versions for macOS and Android.
According to researchers at Kaspersky, the GravityRAT remote access trojan has been around since at least 2015 but had focused largely on Windows. The last significant development came in 2018, when the malware's developers rolled out key changes to the RAT's code to reduce antivirus detection.
According to the report, “In 2019, The Times of India published an article on the cybercriminal methods used to spread GravityRAT during the period 2015-2018.” Victims were approached through a fake Facebook account and asked to install a malicious app disguised as a secure messenger in order to continue the chat. Around 100 cases of infected employees were reported in security, police and other agencies and organizations.
How to stop malware installations?
All software and files should be downloaded from official, trustworthy sources. Do not use peer-to-peer networks (such as eMule or torrent clients), unofficial pages, third-party downloaders, free file-hosting sites, freeware download portals and the like; the same applies to third-party installers. Avoid opening attachments in irrelevant emails that arrive from unknown or suspicious addresses. Such emails are usually made to look genuine and official but are used to spread malicious software, so links and attachments in emails should be opened only when there is no reason to doubt that they are safe. Installed applications must be updated (or, where necessary, activated) only with tools and features provided by the official software developers, never with third-party tools. Cracking tools and unofficial activators are often used to infect machines with ransomware and other malware, and activating licensed software with them is illegal in any case. Furthermore, devices should be scanned regularly with a reputable antivirus or anti-spyware program, and that program should be kept up to date. If you think your computer is already compromised, we suggest running a scan with Malwarebytes for Windows to quickly remove the malware.
IoCs (MD5 hashes)
Travel Mate Pro: df6e86d804af7084c569aa809b2e2134
iV.dll: c92a03ba864ff10b8e1ff7f97dc49f68
enigma.exe: b6af1494766fd8d808753c931381a945
Titanium: 7bd970995a1689b0c0333b54dffb49b6
Wpd.exe: 0c26eb2a6672ec9cd5eb76772542eb72
Taskhostex.exe: 0c103e5d536fbd945d9eddeae4d46c94
WCNsvc.exe: cceca8bca9874569e398d5dc8716123c
SMTPHost.exe: 7bbf0e96c8893805c32aeffaa998ede4
CSRP.exe: e73b4b2138a67008836cb986ba5cee2f
Chat2Hire.exe: 9d48e9bff90ddcae6952b6539724a8a3
AppUpdater.exe: 285e6ae12e1c13df3c5d33be2721f5cd
Xray.exe: 1f484cdf77ac662f982287fba6ed050d
ZW.exe: c39ed8c194ccf63aab1db28a4f4a38b9
RW.exe: 78506a097d96c630b505bd3d8fa92363
TW.exe: 86c865a0f04b1570d8417187c9e23b74
Whisper: 31f64aa248e7be0be97a34587ec50f67
WeShare: e202b3bbb88b1d32dd034e6c307ceb99
TrustX: 9f6c832fd8ee8d8a78b4c8a75dcbf257
Click2Chat: defcd751054227bc2dd3070e368b697d
Bollywood: c0df894f72fd560c94089f17d45c0d88
Sharify: 2b6e5eefc7c14905c5e8371e82648830
MelodyMate: ee06cfa7dfb6d986eef8e07fb1e95015
GoZap: 6689ecf015e036ccf142415dd5e42385
StrongBox: 3033a1206fcabd439b0d93499d0b57da (Windows), f1e79d4c264238ab9ccd4091d1a248c4 (Mac)
TeraSpace: ee3f0db517f0bb30080a042d3482ceee (Windows), 30026aff23b83a69ebfe5b06c3e5e3fd (Mac)
OrangeVault: f8da7aaefce3134970d542b0e4e34f7b (Windows), 574bd60ab492828fada43e88498e8bd2 (Mac)
CvStyler: df1bf7d30a502e6388e2566ada4fe9c8
SavitaBhabi: 092e4e29e784341785c8ed95023fb5ac (Windows), c7b8e65e5d04d5ffbc43ed7639a42a5f (Android)