A Windows-based remote access Trojan believed to be created by Pakistani hacker groups to infiltrate computers and steal users' data has resurfaced after a two-year span with retooled capabilities to target Android and macOS devices.
According to cybersecurity firm Kaspersky, the malware, dubbed "GravityRAT", now masquerades as legitimate Android and macOS apps to capture device data, contact lists, e-mail addresses, and call and text logs, and transmit them to an attacker-controlled server.
First documented by the Indian Computer Emergency Response Team (CERT-In) in August 2017 and subsequently by Cisco Talos in April 2018, GravityRAT has been known to target Indian entities and organizations via malware-laced Microsoft Office Word documents at least since 2015.
Noting that the threat actor developed at least four different versions of the espionage tool, Cisco said, "the developer was clever enough to keep this infrastructure safe, and not have it blacklisted by a security vendor."
Then last year, it emerged that Pakistani spies used fake Facebook accounts to reach out to more than 98 officials from various defence forces and organizations, such as the Indian Army, Air Force, and Navy, and trick them into installing the malware disguised as a secure messaging app called Whisper.
But even as the latest evolution of GravityRAT goes beyond anti-malware evasion capabilities to gain multi-platform support, including Android and macOS, the overall modus operandi remains the same: sending targets links to booby-trapped Android (e.g., Travel Mate Pro) and macOS apps (Enigma, Titanium) to distribute the malware.
Kaspersky said it found over 10 versions of GravityRAT that were being distributed under the guise of legitimate applications by cross-referencing the command-and-control (C2) addresses used by the Trojan.
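The infrastructure pivot described above, as an added example that is not Kaspersky's tooling: samples that contact a shared C2 host are linked into one family, directly or through a chain of other samples. All sample names and hostnames below are constructed placeholders, not real indicators.

```python
# Added example: cluster malware samples by shared command-and-control (C2)
# hosts, the cross-referencing pivot the article says Kaspersky used to link
# roughly 10 GravityRAT variants that posed as different legitimate apps.
from collections import defaultdict

# Constructed sample data: hypothetical sample labels -> C2 hosts contacted.
# Every label and hostname here is a placeholder, not a real indicator.
SAMPLES = {
    "travel-app.apk": {"c2-a.example", "c2-b.example"},
    "media-player.exe": {"c2-b.example"},
    "enigma.dmg": {"c2-c.example"},
    "comics-reader.apk": {"c2-c.example", "c2-a.example"},
    "unrelated-tool.exe": {"other.example"},
}


def cluster_by_c2(samples):
    """Group samples into families: two samples belong to the same family
    when they share a C2 host, directly or via a chain of other samples.
    Returns a sorted list of sorted sample-name lists."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    def union(a, b):
        parent[find(a)] = find(b)

    # Link each sample to every C2 host it contacts; hosts act as bridge
    # nodes, so samples sharing a host end up in the same set.
    for sample, hosts in samples.items():
        for host in hosts:
            union(sample, host)

    families = defaultdict(list)
    for sample in samples:
        families[find(sample)].append(sample)
    return sorted(sorted(members) for members in families.values())


if __name__ == "__main__":
    for family in cluster_by_c2(SAMPLES):
        print("family:", ", ".join(family))
```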
In all, the trojanized apps spanned travel, file sharing, media player, and adult comics categories, catering to users of Android, macOS, and Windows, thereby allowing the attackers to grab system information, documents with specific extensions, a list of running processes, record keystrokes and take screenshots, and even execute arbitrary shell commands.
"Our investigation indicated that the actor behind GravityRAT is continuing to invest in its spying capacities," Kaspersky's Tatyana Shishkova said.
"Cunning disguise and an expanded OS portfolio not only allow us to say that we can expect more incidents with this malware in the APAC region, but this also supports the wider trend that malicious users are not necessarily focused on developing new malware, but developing proven ones instead, in an attempt to be as successful as possible."