Developers behind the remote access trojan GravityRAT have made significant changes to the RAT's code in an attempt to reduce antivirus detection. The location of the developers, known as "The Invincible" and "TheMartian," is unknown. However, researchers said the documents used to test antivirus detection were submitted from Pakistan.
During analysis of GravityRAT, researchers found that the RAT now has new capabilities, including file exfiltration, remote command execution and anti-VM checks.
In August 2017, GravityRAT was being used in targeted attacks against India.
GravityRAT's infection vector is typical: victims are tricked into opening a Word .docx email attachment and enabling macros. Doing so triggers the infection sequence.
Stage one of the attack works as follows: a renamed copy of the Word .docx file is written to the target system's Temp directory as a ZIP archive. Next, the infection script decompresses the "temporary.zip" file and extracts the .EXE binary stored in it. Lastly, a scheduled task named "wordtest" is created to execute the malicious file every day.
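The three-step chain above leaves observable traces on an endpoint: an Office process writing a ZIP into the user's Temp directory, an executable launched from that directory, and a scheduled task named "wordtest". The following detection logic is an added example, not code from the article or the researchers; it runs over constructed Sysmon-style events (the Temp path, the image names and the extracted binary's file name are assumptions for illustration, and the only indicator taken from the article is the task name) and correlates the three rules per host so a single benign Temp write does not fire on its own.

```python
"""Correlated detection for the GravityRAT stage-one chain described above.
Events are modelled after Sysmon-style telemetry (file create, process create,
scheduled-task create); all sample events are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Matches a path beneath the per-user Temp directory (assumed location of the drop).
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
TASK_NAME = "wordtest"  # scheduled task name reported for GravityRAT in the article


@dataclass
class Event:
    kind: str    # "file_create", "process_create" or "task_create"
    image: str   # full path of the process performing the action
    target: str  # file path written, image executed, or task name created
    host: str = "ws01"


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def office_writes_zip_to_temp(e: Event) -> bool:
    return bool(e.kind == "file_create"
                and _basename(e.image) in OFFICE_PROCS
                and TEMP_RE.search(e.target)
                and e.target.lower().endswith(".zip"))


def exe_executed_from_temp(e: Event) -> bool:
    return bool(e.kind == "process_create"
                and TEMP_RE.search(e.target)
                and e.target.lower().endswith(".exe"))


def scheduled_task_wordtest(e: Event) -> bool:
    return e.kind == "task_create" and e.target.strip("\\").lower() == TASK_NAME


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("office_writes_zip_to_temp", office_writes_zip_to_temp),
    ("exe_executed_from_temp", exe_executed_from_temp),
    ("scheduled_task_wordtest", scheduled_task_wordtest),
]


def detect(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (rule_name, host, target) for every event that trips a rule."""
    return [(name, e.host, e.target) for e in events for name, rule in RULES if rule(e)]


def chain_hosts(events: List[Event]) -> List[str]:
    """Hosts on which all three stage-one rules fired (full chain observed)."""
    seen: Dict[str, Set[str]] = {}
    for name, host, _ in detect(events):
        seen.setdefault(host, set()).add(name)
    needed = {name for name, _ in RULES}
    return sorted(h for h, names in seen.items() if names >= needed)


def sample_events() -> List[Event]:
    # Constructed telemetry: three chain steps plus two benign events.
    return [
        Event("file_create", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Users\alice\AppData\Local\Temp\temporary.zip"),
        Event("process_create", r"C:\Windows\System32\cmd.exe",
              r"C:\Users\alice\AppData\Local\Temp\extracted.exe"),  # assumed binary name
        Event("task_create", r"C:\Windows\System32\schtasks.exe", r"\wordtest"),
        Event("file_create", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Users\alice\Documents\report.docx"),
        Event("process_create", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe"),
    ]


if __name__ == "__main__":
    for hit in detect(sample_events()):
        print(hit)
    print("full chain on:", chain_hosts(sample_events()))
```

Each rule is weak on its own (users legitimately run installers from Temp), which is why `chain_hosts` only reports a host once all three fire; the `scheduled_task_wordtest` rule is the highest-confidence single indicator because the task name comes from the analysed sample.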
This problem can be avoided by running a robust security solution on every device you own. Don't let your guard down! Depending on which OS your device is running, it is mandatory to install an antivirus for Windows or an antivirus for Mac.
Once installed, GravityRAT collects basic system and user data and exfiltrates files with the extensions .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf and .pdf. This latest version of the RAT also collects the open ports on the victim's system, lists all running processes, and steals all files from any connected USB drive.
The latest GravityRAT version, GX, was published in December 2017.
GX is the most advanced variant of GravityRAT. It embeds legitimate open-source .NET libraries (for scheduling tasks, compression, encryption and .NET loading) and also contains a resource named 'important.', which is a password-protected archive.
The GX version implements seven anti-VM checks that try to determine whether the system is running in a virtual machine environment. These include a virtual machine detection function that looks for a VM hypervisor and a Windows Management Instrumentation request that checks the BIOS version: if the response contains 'VMware', 'Virtual', 'XEN', 'Xen' or 'A M I', the system is considered a virtual machine.
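Because the sample refuses to run when the BIOS version string contains one of the five markers above, an analyst's first question is whether their own sandbox would trip the check before any behaviour is recorded. The self-check below is an added example, not the malware's code or the researchers' tooling; it assumes the marker list exactly as printed in the article and an exact-case substring match (the article does not state the comparison is case-insensitive, so that is an assumption), and the BIOS strings it evaluates are constructed, not captured from real systems.

```python
"""Sandbox self-check against the BIOS-version markers GravityRAT GX tests via WMI.
Feed it the SMBIOSBIOSVersion value each analysis VM reports (for example from
Get-CimInstance Win32_BIOS on Windows) to see which hosts would be flagged as VMs.
Exact-case substring matching is an assumption; sample values are constructed."""
from typing import Dict, List

# Marker strings as listed in the article (note 'A M I' carries spaces).
VM_MARKERS = ("VMware", "Virtual", "XEN", "Xen", "A M I")


def matching_markers(bios_version: str) -> List[str]:
    """Return every marker that appears verbatim in the BIOS version string."""
    return [m for m in VM_MARKERS if m in bios_version]


def is_flagged(bios_version: str) -> bool:
    return bool(matching_markers(bios_version))


def sandbox_report(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host to the markers its BIOS string would trip (empty = passes)."""
    return {host: matching_markers(version) for host, version in records.items()}


# Constructed BIOS strings illustrating hits, misses and case-sensitivity edge cases.
SAMPLE_BIOS: Dict[str, str] = {
    "sandbox-01": "VMware Virtual Platform (constructed)",  # two markers hit
    "sandbox-02": "xen hvm 4.x (constructed)",              # lowercase: no marker matches
    "sandbox-03": "A M I 4.6.5 (constructed)",              # spaced vendor string hits
    "baremetal-01": "AMI 4.6.5 (constructed)",              # same vendor, no spaces: passes
    "baremetal-02": "LENOVO 1.23 (constructed)",            # passes
}


if __name__ == "__main__":
    for host, markers in sandbox_report(SAMPLE_BIOS).items():
        print(f"{host:14s} {'FLAGGED ' + str(markers) if markers else 'passes'}")
```

Hosts that come back flagged need their virtual BIOS strings adjusted at the hypervisor level before the sample will run far enough to exhibit the exfiltration and task-creation behaviour described earlier; the `sandbox-02` case shows why matching the article's marker list literally matters, since a lowercase `xen` string would not be caught by the 'XEN'/'Xen' pair as listed.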
Malware attacks delivered via malicious Microsoft Office documents are rudimentary, but they remain extremely effective and inexpensive compared to more sophisticated attacks. Over the years, malicious document attacks have flourished, ranging from document files that drop the banking trojan Dridex, to bots such as Kasidet, to Locky ransomware. Attackers working with the BlackEnergy APT group were also spotted using Word documents to drop payloads on Ukrainian users.
If you are a company, remember that installing an antivirus represents only the first layer of security. To be adequately protected, you must contract a cybersecurity company to carry out advanced security tests against your company networks, such as penetration tests and ethical hacking tests. These checks must be repeated every year, because cyber security threats evolve and you must find and fix any security flaws as soon as they are discovered.