
GravityRAT

Posted: April 27, 2018


GravityRAT is a Remote Access Trojan that has been around for more than two years, and its author appears to release regular updates that aim to improve the threat's ability to avoid forensic tools and to introduce new features for exfiltrating valuable information from the compromised computer. The first version of GravityRAT that malware researchers were able to identify and dissect did not offer much in the way of features, but it did give its operators a toolkit for exfiltrating hardware and software information from the infected PC, as well as collecting files that use the following extensions:

.docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf and .pdf

The cybercrooks behind GravityRAT appear to be spreading their unsafe program via fake e-mail attachments and, judging by the files uploaded to a popular online scanning service, they are trying diverse file formats as well as different Microsoft Office macro scripts to execute the attack. The infection occurs via a simple Office document which, when opened, prompts the user to enable the execution of macros to view the contents. While Microsoft Office does display a warning that this should only be permitted for trustworthy documents, many users might ignore the warning and unknowingly execute a harmful macro script, which downloads and deploys GravityRAT's payload.

It is intriguing to see that the authors of GravityRAT have probably spent more time hiding their threat's behavior from malware researchers than on packing in features that would give them access to more precious information. Newer variants support extra features such as the ability to discover open/unsecured ports, list processes, view running services, encrypt outgoing data, exfiltrate more file types and collect data from connected USB devices. While these features are unsafe, they are not as impressive as the ones found in other modern Remote Access Trojans. However, the cybercrooks use interesting checks and techniques to keep their threat away from Virtual Machines:

  • The Trojan checks the number of available CPU cores on the system and terminates itself if it only spots one core (Virtual Machines usually utilize just one CPU core).
  • The Trojan requests hardware temperature information that most virtual boxes are unlikely to provide and terminates itself if the data is not available.
  • The Trojan checks if the account name contains specific strings such as 'VMBox,' 'Virtual Machine' and others.
  • The Trojan checks the list of running processes for any process names that are linked to popular malware forensic analysis tools.
  • The Trojan compares the MAC address to the ones used by popular virtual machine emulation software.
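
An analyst's counterpart to the five checks above, added here as an example and not code from the Trojan or from any vendor: it models each heuristic as a predicate over a machine snapshot and reports which ones a default sandbox would trip, so the analysis VM can be tuned (more cores, a plausible account name, a non-hypervisor MAC, no analysis tools visible) before detonation. The MAC prefixes, the extra account string and the tool names are this example's assumptions; the two snapshots are constructed.

```python
"""Sandbox self-check modelling the five VM-detection heuristics described above.
Each check returns True when a sample using it would decide it is inside an
analysis environment and bail; evaluate() lists every check a machine snapshot
trips, so the sandbox can be tuned before detonation. List contents are assumed."""
import os
import uuid
import getpass

# OUI prefixes of common hypervisor NICs (assumed list; extend from vendor OUI data).
VIRTUAL_MAC_PREFIXES = ("00:05:69", "00:0C:29", "00:50:56", "08:00:27", "00:15:5D")
# 'VMBox' and 'Virtual Machine' are the strings cited above; 'sandbox' is an assumption.
SUSPECT_ACCOUNT_STRINGS = ("vmbox", "virtual machine", "sandbox")
# Process names of typical analysis tools (assumed list).
ANALYSIS_TOOLS = {"procmon.exe", "procexp.exe", "wireshark.exe", "x64dbg.exe", "ollydbg.exe"}

def single_core(s):
    return s["cpu_count"] is not None and s["cpu_count"] <= 1
def no_temperature(s):  # hardware temperature query returned no readings
    return not s["temperatures"]
def account_flagged(s):
    return any(x in s["account"].lower() for x in SUSPECT_ACCOUNT_STRINGS)
def analysis_tools_running(s):
    return bool(ANALYSIS_TOOLS & {p.lower() for p in s["processes"]})
def virtual_mac(s):
    return s["mac"].upper().replace("-", ":").startswith(VIRTUAL_MAC_PREFIXES)

CHECKS = [("single_cpu_core", single_core), ("no_temperature_data", no_temperature),
          ("account_name", account_flagged), ("analysis_tool_process", analysis_tools_running),
          ("virtual_mac", virtual_mac)]

def evaluate(snapshot):
    """Names of the heuristics that would make the sample terminate on this machine."""
    return [name for name, check in CHECKS if check(snapshot)]

def live_snapshot(processes=(), temperatures=()):
    """Current host; process and sensor data are not portable in plain Python, so the caller supplies them."""
    raw = "%012X" % uuid.getnode()
    return {"cpu_count": os.cpu_count(), "temperatures": list(temperatures),
            "account": getpass.getuser(), "processes": list(processes),
            "mac": ":".join(raw[i:i + 2] for i in range(0, 12, 2))}

# Constructed snapshots: a default VM that trips every check and a tuned one that trips none.
NAIVE_SANDBOX = {"cpu_count": 1, "temperatures": [], "account": "VMBox-analyst",
                 "processes": ["explorer.exe", "Procmon.exe"], "mac": "08:00:27:12:34:56"}
TUNED_SANDBOX = {"cpu_count": 4, "temperatures": [41.5], "account": "jsmith",
                 "processes": ["explorer.exe", "svchost.exe"], "mac": "3C:97:0E:AB:CD:EF"}

if __name__ == "__main__":
    print("naive:", evaluate(NAIVE_SANDBOX), "tuned:", evaluate(TUNED_SANDBOX))
    print("this host:", evaluate(live_snapshot()))
```

Feed `live_snapshot()` the real process list and sensor readings of the analysis VM (for example from `tasklist` and WMI thermal-zone output) to see which traits still give it away.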

Spotting GravityRAT on your computer is nearly impossible, since the threat is meant to work silently without causing any issues that might warn the user that something shady is going on. This is why the best way to ensure that GravityRAT is not running on your computer is to use a reputable, up-to-date anti-malware software suite.
