Kaspersky Lab experts report that GravityRAT spyware, which has been used to carry out targeted attacks since at least 2015, is now a multi-platform tool. This malware was previously used during a cyber espionage campaign aimed at the Indian military, and was originally developed for Windows devices. Now there are new modules aimed at the Android and macOS operating systems.
Researchers discovered that GravityRAT had learned to attack Android as well when, in 2019, they spotted a malicious module in Travel Mate, a travel app for India whose source code is available on GitHub. The attackers took the version of the application that was published on GitHub in October 2018, added malicious code to it, and changed the name to Travel Mate Pro.
The sample differed from typical Android spyware: a specific application had been selected for the injection, and the malicious code did not resemble any known malware of this type. The experts therefore decided to compare the code with that of programs used in well-known cyber espionage campaigns, and as a result they found more than ten malicious modules that also belong to the GravityRAT family.
The malware is distributed under the guise of legitimate applications (such as secure cloud storage, file sharing, browsers, resume programs or media players) and through phishing links to download a supposedly secure messenger for discussing a vacancy. The malware attacks devices running Windows, Android and macOS.
In most cases the functionality of GravityRAT remains the same and is typical for spyware. For example, the malware transmits device data, the contact list, email addresses, call log data and SMS messages to the C&C server. Some Trojans also searched the device memory for files with the extensions .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx, and .opus, and then sent them to the C&C servers too.
“We see that the attackers behind the GravityRAT campaign are actively investing in its development. They use clever methods to avoid detection and add modules for different operating systems, which predicts an increase in the number of attacks of this malware in the Asia-Pacific region in the future. The development of the tool is also influenced by the trend that is widespread among cybercriminals not to develop new software, but to improve the existing one,” comments Tatyana Shishkova, security expert at Kaspersky Lab.