GravityRAT: Windows spyware adapted to target macOS and Android

GravityRAT is a piece of malware classified as spyware: it helps cybercriminals steal certain information from infected computers. The cybercriminals behind this malware are known to target Windows, macOS, and Android devices. If there is reason to believe that a computer or phone is infected with GravityRAT, it should be removed as soon as possible.

Research shows that GravityRAT can steal data from smartphones, including email addresses, call and text records, and contact lists, and send it to Command and Control (C&C) servers controlled by cybercriminals. It is also able to scan for and upload files with the following extensions to the C&C server: .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx, and .opus. It looks for such files both in the device’s own storage and on connected devices.

GravityRAT is known to be distributed through various applications, including WeShare, TrustX, Click2Chat, Bollywood, Sharify, MelodyMate, GoZap, StrongBox, TeraSpace, OrangeVault, CvStyler, SavitaBhabi and Travel Mate Pro. Cybercriminals aim to trick users into installing these applications by sending them download links. It is worth noting that some of the above applications carry digital signatures to make them appear more trustworthy and genuine. If one of those applications is installed on the operating system, GravityRAT may infect the computer along with it.

In 2018, researchers at Cisco Talos published a post on the GravityRAT spyware, which was being used to target the Indian military. The Indian Computer Emergency Response Team (CERT-IN) first found the Trojan in 2017. Its makers are believed to be Pakistani hacker gangs. According to the records, the campaign has been ongoing since at least 2015 and had previously targeted Windows machines. In 2018, however, it underwent improvements, including the addition of Android devices to the list of targets.

The criminals behind the GravityRAT spyware have unexpectedly released new versions for macOS and Android.

According to researchers from Kaspersky, the GravityRAT remote access trojan has been around since at least 2015 but has focused largely on Windows operating systems. The last significant development came in 2018, when the engineers behind the malware rolled out key changes to the RAT’s code to reduce antivirus detection.

According to the report, “In 2019, The Times of India published an article on the cybercriminal methods used to spread GravityRAT during the period 2015-2018.” Victims were approached through a fake Facebook account and asked to install a malicious app disguised as a safe messenger to continue the chat. Around 100 cases of employee infection have been reported in security, police, and other agencies and organizations.

How to stop malware installations?

All software and files should be downloaded from official, reliable sources. Avoid using peer-to-peer networks (such as eMule or torrent clients), unofficial pages, third-party downloaders, free file-hosting sites, freeware download pages and the like. The same applies to third-party installers. Avoid opening attachments in irrelevant emails received from unknown, suspicious addresses. Such emails are usually made to look genuine and official, but are used to spread malicious software. Website links and attachments in emails should therefore be opened only when there is no reason to believe they are unsafe.

In addition, all installed applications must be updated (or, if necessary, activated) with tools and/or features offered by the official software developers, not by any third party. Third-party "activation" tools can be designed to infect machines with ransomware, and activating licensed applications by such means is not legal in any case. Furthermore, the device should be scanned periodically with a reputable antivirus or anti-spyware program, and that program should be kept up to date. To quickly remove malware that has already got in, we suggest running a scan with Malwarebytes for Windows if you think your computer is already compromised.

IoCs

Travel Mate Pro — df6e86d804af7084c569aa809b2e2134
iV.dll — c92a03ba864ff10b8e1ff7f97dc49f68
enigma.exe — b6af1494766fd8d808753c931381a945
Titanium — 7bd970995a1689b0c0333b54dffb49b6
Wpd.exe — 0c26eb2a6672ec9cd5eb76772542eb72
Taskhostex.exe — 0c103e5d536fbd945d9eddeae4d46c94
WCNsvc.exe — cceca8bca9874569e398d5dc8716123c
SMTPHost.exe — 7bbf0e96c8893805c32aeffaa998ede4
CSRP.exe — e73b4b2138a67008836cb986ba5cee2f
Chat2Hire.exe — 9d48e9bff90ddcae6952b6539724a8a3
AppUpdater.exe — 285e6ae12e1c13df3c5d33be2721f5cd
Xray.exe — 1f484cdf77ac662f982287fba6ed050d
ZW.exe — c39ed8c194ccf63aab1db28a4f4a38b9
RW.exe — 78506a097d96c630b505bd3d8fa92363
TW.exe — 86c865a0f04b1570d8417187c9e23b74
Whisper — 31f64aa248e7be0be97a34587ec50f67
WeShare — e202b3bbb88b1d32dd034e6c307ceb99
TrustX — 9f6c832fd8ee8d8a78b4c8a75dcbf257
Click2Chat — defcd751054227bc2dd3070e368b697d
Bollywood — c0df894f72fd560c94089f17d45c0d88
Sharify — 2b6e5eefc7c14905c5e8371e82648830
MelodyMate — ee06cfa7dfb6d986eef8e07fb1e95015
GoZap — 6689ecf015e036ccf142415dd5e42385
StrongBox — 3033a1206fcabd439b0d93499d0b57da (Windows), f1e79d4c264238ab9ccd4091d1a248c4 (Mac)
TeraSpace — ee3f0db517f0bb30080a042d3482ceee (Windows), 30026aff23b83a69ebfe5b06c3e5e3fd (Mac)
OrangeVault — f8da7aaefce3134970d542b0e4e34f7b (Windows), 574bd60ab492828fada43e88498e8bd2 (Mac)
CvStyler — df1bf7d30a502e6388e2566ada4fe9c8
SavitaBhabi — 092e4e29e784341785c8ed95023fb5ac (Windows), c7b8e65e5d04d5ffbc43ed7639a42a5f (Android)
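The hash list above can be used directly for a host-side triage check. The following Python script is an added example, not code from the original article or from any of the researchers it cites: it loads the MD5 values exactly as listed above, walks a directory tree, hashes every file and reports any that match. The script name, the function names and the demo directory are my own assumptions. Note that exact-hash matching only catches the specific samples listed; a recompiled or repacked variant produces a different MD5, so a hash sweep complements, rather than replaces, an up-to-date antivirus scan.

```python
import hashlib
import os
import sys

# MD5 indicators copied from the IoC list above (hash -> sample name).
GRAVITYRAT_MD5 = {
    "df6e86d804af7084c569aa809b2e2134": "Travel Mate Pro",
    "c92a03ba864ff10b8e1ff7f97dc49f68": "iV.dll",
    "b6af1494766fd8d808753c931381a945": "enigma.exe",
    "7bd970995a1689b0c0333b54dffb49b6": "Titanium",
    "0c26eb2a6672ec9cd5eb76772542eb72": "Wpd.exe",
    "0c103e5d536fbd945d9eddeae4d46c94": "Taskhostex.exe",
    "cceca8bca9874569e398d5dc8716123c": "WCNsvc.exe",
    "7bbf0e96c8893805c32aeffaa998ede4": "SMTPHost.exe",
    "e73b4b2138a67008836cb986ba5cee2f": "CSRP.exe",
    "9d48e9bff90ddcae6952b6539724a8a3": "Chat2Hire.exe",
    "285e6ae12e1c13df3c5d33be2721f5cd": "AppUpdater.exe",
    "1f484cdf77ac662f982287fba6ed050d": "Xray.exe",
    "c39ed8c194ccf63aab1db28a4f4a38b9": "ZW.exe",
    "78506a097d96c630b505bd3d8fa92363": "RW.exe",
    "86c865a0f04b1570d8417187c9e23b74": "TW.exe",
    "31f64aa248e7be0be97a34587ec50f67": "Whisper",
    "e202b3bbb88b1d32dd034e6c307ceb99": "WeShare",
    "9f6c832fd8ee8d8a78b4c8a75dcbf257": "TrustX",
    "defcd751054227bc2dd3070e368b697d": "Click2Chat",
    "c0df894f72fd560c94089f17d45c0d88": "Bollywood",
    "2b6e5eefc7c14905c5e8371e82648830": "Sharify",
    "ee06cfa7dfb6d986eef8e07fb1e95015": "MelodyMate",
    "6689ecf015e036ccf142415dd5e42385": "GoZap",
    "3033a1206fcabd439b0d93499d0b57da": "StrongBox (Windows)",
    "f1e79d4c264238ab9ccd4091d1a248c4": "StrongBox (Mac)",
    "ee3f0db517f0bb30080a042d3482ceee": "TeraSpace (Windows)",
    "30026aff23b83a69ebfe5b06c3e5e3fd": "TeraSpace (Mac)",
    "f8da7aaefce3134970d542b0e4e34f7b": "OrangeVault (Windows)",
    "574bd60ab492828fada43e88498e8bd2": "OrangeVault (Mac)",
    "df1bf7d30a502e6388e2566ada4fe9c8": "CvStyler",
    "092e4e29e784341785c8ed95023fb5ac": "SavitaBhabi (Windows)",
    "c7b8e65e5d04d5ffbc43ed7639a42a5f": "SavitaBhabi (Android)",
}


def md5_of_file(path, chunk_size=1 << 20):
    """Return the lowercase hex MD5 of a file, read in chunks so large files do not exhaust memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def validate_iocs(iocs=GRAVITYRAT_MD5):
    """Sanity-check the indicator table: every key must be a 32-character lowercase hex MD5.

    Returns the number of indicators; raises ValueError on a malformed entry (a typo in a hash
    would otherwise silently never match anything)."""
    for digest in iocs:
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed MD5 indicator: {digest!r}")
    return len(iocs)


def scan_directory(root, iocs=GRAVITYRAT_MD5):
    """Walk `root`, hash each regular file and return (path, md5, sample_name) for every match."""
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                # Unreadable file (permissions, vanished, special file): skip it rather than abort the sweep.
                continue
            if digest in iocs:
                matches.append((path, digest, iocs[digest]))
    return matches


if __name__ == "__main__":
    # Assumed usage: python gravityrat_scan.py <directory>   (defaults to the current directory)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    total = validate_iocs()
    hits = scan_directory(target)
    for path, digest, sample in hits:
        print(f"MATCH {digest}  {sample}  {path}")
    print(f"{len(hits)} match(es) against {total} GravityRAT indicators")
```

Run it against the directories where user-installed applications and downloads live on the host being triaged; a match is a strong signal and the file should be preserved for analysis rather than simply deleted, since the path and timestamps help establish how it arrived.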
