A Windows-based remote access Trojan believed to be designed by Pakistani hacker groups to infiltrate computers and steal users’ data has resurfaced after a two-year span with retooled capabilities to target Android and macOS devices.
According to cybersecurity firm Kaspersky, the malware — dubbed “GravityRAT” — now masquerades as legitimate Android and macOS apps to capture device data, contact lists, e-mail addresses, and call and text logs and transmit them to an attacker-controlled server.
First documented by the Indian Computer Emergency Response Team (CERT-In) in August 2017 and subsequently by Cisco Talos in April 2018, GravityRAT has been known to target Indian entities and organizations via malware-laced Microsoft Office Word documents at least since 2015.
Noting that the threat actor developed at least four different versions of the espionage tool, Cisco said, “the developer was clever enough to keep this infrastructure safe, and not have it blacklisted by a security vendor.”
Then last year, it emerged that Pakistani spies used fake accounts to reach out to more than 98 officials from various defence forces and organizations, such as the Indian Army, Air Force, and Navy, and trick them into installing the malware disguised as a secure messaging app called Whisper.
But even as the latest evolution of GravityRAT goes beyond anti-malware evasion capabilities to gain multi-platform support — including Android and macOS — the overall modus operandi remains the same: sending targets links to booby-trapped Android (e.g., Travel Mate Pro) and macOS apps (Enigma, Titanium) to distribute the malware.
Kaspersky said it found over ten versions of GravityRAT that were being distributed under the guise of legitimate applications by cross-referencing the command-and-control (C2) addresses used by the Trojan.
In all, the trojanized applications spanned across travel, file sharing, media players, and adult comics categories, catering to users of Android, macOS, and Windows, thereby allowing the attackers to grab system information, documents with specific extensions, a list of running processes, record keystrokes and take screenshots, and even execute arbitrary Shell commands.
“Our investigation indicated that the actor behind GravityRAT is continuing to invest in its spying capacities,” Kaspersky’s Tatyana Shishkova said.
“Cunning disguise and an expanded OS portfolio not only allow us to say that we can expect more incidents with this malware in the APAC region, but this also supports the wider trend that malicious users are not necessarily focused on developing new malware, but developing proven ones instead, in an attempt to be as successful as possible.”