Threat Watch

GravityRAT Returns, Targeting Android Devices

Researchers at Kaspersky Labs published a technical report about Microsoft Windows malware known as GravityRAT that was previously seen in 2017 and 2018 targeting the Indian armed forces. The researchers believe that the Windows version of this threat has been around since at least 2015, and attributed its creation to a Pakistani hacker group. In 2018, an Android version was added. In the most recent iteration that was reported on October 19th, 2020, the malware was inserted into a legitimate Android app called Travel Mate and distributed as an “upgraded” version called Travel Mate Pro. The attackers took a version of the Travel Mate app that was published on Github in October 2018, and added malicious code that allowed it to surreptitiously collect contact lists, e-mail addresses, call and text logs, and copies of any files that could be images, text files, Word documents, spreadsheets, and PowerPoint presentations.  The Android malware connects to a Command and Control (C2) server using the same domain as does a PowerShell variant that executes C# code, as well as a Visual Basic Script (VBS) template that was embedded inside a DLL in a PyInstaller container, concealed inside another fake software application called Enigma that purported to defend against ransomware.

ANALYST NOTES

Although this particular malware may primarily target armed forces in India, the concept of multi-platform malware disguised as legitimate applications is a threat that all organizations need to consider as part of their threat model. Especially as employees continue to work from home and access sensitive data files on personal mobile devices, it is increasingly difficult for security teams to control what other apps are installed and prevent employees from accidentally installing spyware. It is important to educate employees about the dangers of installing software from unknown sources, even when the applications appear to be polished and perform a useful function, such as helping with travel or “protecting” devices from ransomware. These spyware applications can appear to function normally while stealing company document files in the background. Mobile Device Management (MDM) solutions help monitor unusual app behavior on mobile devices, while Endpoint Detection and Response (EDR) is valuable for detecting potential threat activity on workstations, laptops, and servers. None of these solutions does any good unless they are monitored by security personnel who can properly assess risk and take action to respond quickly when threats are detected.

For more technical details and analysis, please see the Kaspersky report here: https://securelist.com/gravityrat-the-spy-returns/99097/