Kaspersky researchers have discovered several new versions of the GravityRAT malware that can now infect not only Windows but also Android and macOS systems.
GravityRAT was discovered in 2015 as a Windows-centric remote access Trojan that was mostly used to attack the Indian armed services, affecting at least 100 victims, according to Kaspersky. The latest variants, by contrast, are aimed at Indian users and disguise themselves as a travel app in order to deliver the malware.
Kaspersky researchers discovered one of the first of the new variants in 2019, and more were found over the course of the year. According to the study, the researchers recently connected all of them to the operators behind GravityRAT.
One of the most recent GravityRAT variants was embedded in what appeared to be Travel Mate Pro, an Android travel app that spoofs the legitimate Travel Mate app. When the researchers examined the code, they found it was a GravityRAT variant. According to the research, further investigation uncovered at least ten more variants in the wild, either posing as legitimate programs or delivered as malicious links in social media posts sent to potential targets.
“Victims were contacted through a fake Facebook account and asked to install a malicious app disguised as a secure messenger in order to continue the conversation,” the report states.
According to Tatyana Shishkova, a security researcher at Kaspersky, the malicious smartphone version is not distributed via the Google Play Store. Instead, the attackers may distribute it by using social engineering to lure users to specially crafted websites where they are exposed to the infected links.
According to the Kaspersky research, GravityRAT versions are written in a range of programming languages, including .NET, Python, and C++.
“Cunning disguise and an expanded OS portfolio not only allow us to say that we can expect more incidents with this malware in the APAC region, but this also supports the wider trend that malicious users are not necessarily focused on developing new malware, but developing proven ones instead, in an attempt to be as successful as possible,” Shishkova tells Information Security Media Group.
Travel App Trap
The Travel Mate Pro malware sends device information, contact lists, e-mail addresses, and text and call logs to a command-and-control server. It also scans the device and any connected media for files with the extensions .jpeg, .jpg, .png, .log, .pdf, .txt, .doc, .xml, .xlsx, .xls, .pptx, .ppt, .opus, and .docx before exfiltrating their contents.
According to Shishkova, while the malware's primary objective is data collection, its operators have also introduced new functionality. This includes a capability that lets the malware act as a backdoor, run arbitrary commands on the infected system, and install and launch additional modules.
Linked To Pakistan?
According to a 2018 Cisco Talos assessment, the group behind this malware is believed to have ties to Pakistan.
GravityRAT was also linked to a Pakistani espionage group that sought to plant the spyware on devices belonging to personnel of the Indian army, navy, air force and paramilitary forces, as well as police officials, according to a 2019 report in the Times of India.
Warning About Applications
While GravityRAT spyware was not identified in Google Play Store applications, cybersecurity experts remain concerned about other malware infiltrating legitimate app stores, as well as malicious code found in unauthorized third-party stores.
For example, in September the security firms Zscaler and Zimperium separately published research showing that a malware family named Joker has been targeting Android users. It was found on Google Play as well as in third-party app stores.