GravityRAT malware now has versions for Android and macOS

Kaspersky Lab experts report that the GravityRAT spyware, which has been used to carry out targeted attacks since at least 2015, is now a multi-platform tool. At least GravityRAT malware has versions for Android and macOS.

This malware was previously used during a cyber espionage campaign aimed at the Indian military, and was originally developed for Windows devices. Now there are new modules aimed at the Android and macOS operating systems.

Researchers found that GravityRAT learned to attack Android

“In 2019, we noticed a malicious module in the Travel Mate travel app for India, the source code of which is available on Github. The attackers took the version of the app that was published on Github in October 2018, added malicious code to it, and renamed it Travel Mate Pro”, — said the researchers.

The discovered sample was found differed from a typical Android spyware: a specific application was selected for its injection, and the malicious code did not resemble any known malware of this type. Therefore, the experts decided to compare the code with the code of programs used to conduct well-known cyber espionage campaigns, and as a result, they found more than ten malicious modules, also belonging to the GravityRAT family.

Versions of GravityRAT malware for Android

The malware is distributed under the mask of legitimate applications (such as secure cloud storage, file sharing, browsers, resume programs or media players) and phishing links to download a supposedly secure messenger to discuss a vacancy.

The malware attacks devices running Windows, Android and MacOS.

The functionality of GravityRAT in most cases remains the same, typical for spyware. For example, the malware transmits device data, a contact list, email addresses, call log data and SMS messages to the C&C server. Some Trojans also searched the device memory for files with the extensions .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx, and. opus, and then sent them to the C&C servers.

“We see that the attackers behind the GravityRAT campaign are actively investing in its development. They use clever methods to avoid detection and add modules for different operating systems, which predicts an increase in the number of attacks of this malware in the Asia-Pacific region in the future. The development of the tool is also influenced by the new trend spreading among cybercriminals not to develop new software, but to improve the existing one”, — comment security experts.

Let me remind you about other ways of spreading malware, for example, that Malware spreads and downloads payloads from paste-sites and also about the use of Basecamp platform by hackers.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several month after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master degree in cybersecurity, I've started working in as virus analyst in a little anti-malware vendor. In 2018, I've decided to start Virus Removal project. The main target of this site is to help people to deal with PC viruses of any kind.

Leave a Reply

Your email address will not be published. Required fields are marked *


Back to top button