It has been distributed with new futures beyond traditional remote code execution and anti-VM techniques.
GravityRAT has been already observed by National Computer Emergency Response Team (CERT) of India and warned about the seriousness of this attack which mainly targeting India.
National CERT reported to block the IOCs at the network perimeter/gateway level and also warned to check the logs for any communication from hosts.
The researchers believe that the attackers could be using a proxy or a VPN in order to evade the identification of the origin where the attack controls this Malware.
According to Talos Researchers, specific cybercriminals used at least two different usernames in the past two years: “The Invincible” and “TheMartian.”
Apart from this based on the malicious document submission, more specifically the documents used to test anti-virus on VirusTotal, were submitted from Pakistan.
Based on the Command and control server request, a large amount of C2 server traffic requested from India and other Traffic comes from US and UK.
GravityRAT Infection Vector
Cyber criminals Mainly used the Word Document as an initial infection vector and embedded Macro used within the crafted document to execute the malicious code on victims computers.
Once infected users open the malicious document, it forces victims to enable macro code in order to execute the payload which packed as-as Zip file that contains a Malicious exe file.
Attacker tested their malicious document several in Virustotal to make sure the document shouldn’t be detected by any antivirus engine and if its detected they modifying the file structure in order to evade the detection.
Their multiple versions were uncovered by researchers that stealing different sensitive information and files from the vicitms computer such as,
- MAC Address
- Computer name
- IP address
- Steal files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf and .pdf
- The volumes mapped on the system
The latest version of the GravityRAT collecting information on the system account (account type, description, domain name, full name, SID, and status)
Each new variant of this remote access trojan has different new future and the developer used the same C2 infrastructure for this time to established communication from victims.