Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

GravityRAT malware also targets Android and macOS

Researchers spotted new variants of the Windows GravityRAT spyware that now can also infect Android and macOS devices. Researchers from Kaspersky Lab have spotted new variants of the GravityRAT malware that now can be also used to infect Android and macOS devices. GravityRAT is a malware strain known for checking the CPU temperature of Windows computers […]

gravityRAT

Researchers spotted new variants of the Windows GravityRAT spyware that now can also infect Android and macOS devices.

Researchers from Kaspersky Lab have spotted new variants of the GravityRAT malware that now can be also used to infect Android and macOS devices.

GravityRAT is a malware strain known for checking the CPU temperature of Windows computers to avoid being executed in sandboxes and virtual machines.

The GravityRAT malware Access Trojan (RAT) is believed to be the work of Pakistani hacker groups, it is under development at least since 2015.

“Today, Cisco Talos is uncovering a new piece of malware, which has remained under the radar for the past two years [since 2015] while it continues to be developed.” reads an analysis published by Cisco Talos that spotted the malware back in 2017 when it was used by an APT group targeting India.

The sample analyzed by Kaspersky last year is able to infect macOS and Android devices, unlike past variants that were focused on Windows.

Crooks also started using digital signatures to make the apps look more legitimate.

The malware researchers found the new Android GravityRAT sample in 2019, on VirusTotal. The hackers had added a spy module to Travel Mate, an Android app for travelers to India, the source code of which is available on Github.

gravityRAT

The tainted app is able to steal contacts, emails, and documents from the infected device, then send them back to the command-and-control server (nortonupdates[.]online). The C&C server was also associated with other two malicious apps (Enigma and Titanium) targeting the Windows and macOS platforms.

The spyware is able to get information about the system and support multiple features, including:

  • search for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server
  • get a list of running processes
  • intercept keystrokes
  • take screenshots
  • execute arbitrary shell commands
  • record audio (not implemented in this version)
  • scan ports

The malware was distributed via applications that clone legitimate apps that act as downloader for the GravityRAT payloads.

The applications analyzed by Kaspersky were developed in .NET, Python and Electron framework, they achieve persistence by adding a scheduled task.

The researchers reported that the malware was employed in approximately 100 successful attacks between 2015 and 2018. The list of targets includes employees at defense, police, and other departments and organizations.

Threat actors tricked the victims into installing a malicious app disguised as a secure messenger in order to continue the conversation, the attackers contacted the victims through a fake Facebook account. The attackers likely sent to the victims download links.

“It is safe to assume that the current GravityRAT campaign uses similar infection methods — targeted individuals are sent links pointing to malicious apps.” concludes Kaspersky.

“The main modification seen in the new GravityRAT campaign is multiplatformity: besides Windows, there are now versions for Android and macOS. The cybercriminals also started using digital signatures to make the apps look more legitimate.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, GravityRAT)

[adrotate banner=”5″]

[adrotate banner=”13″]