GravityRAT: The spy returns
20 October 20, 07:41
Quote:
In 2018, researchers at Cisco Talos published a post on the spyware GravityRAT, used to target the Indian armed forces. The Indian Computer Emergency Response Team (CERT-IN) first discovered the Trojan in 2017. Its creators are believed to be Pakistani hacker groups. According to our information, the campaign has been active since at least 2015, and previously targeted Windows machines. However, it underwent changes in 2018, with Android devices being added to the list of targets.
 
 Malicious guide
 
 In 2019, on VirusTotal, we encountered a curious piece of Android spyware which, when analyzed, seemed connected to GravityRAT. The cybercriminals had added a spy module to Travel Mate, an Android app for travelers to India, the source code of which is available on Github.
 
The attackers used a version of the app published on Github in October 2018, adding malicious code and changing the name to Travel Mate Pro. The spyware’s functions are fairly standard: it sends device data, contact lists, e-mail addresses, and call and text logs to the C&C server. In addition, the Trojan searches for files in the device memory and on connected media with the extensions .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx, and .opus, and sends these to C&C as well.
 
 The malware does not resemble a “typical” Android spy in that the choice of app is rather specific and the malicious code is not based on that of any known spyware app, as is often the case. As such, we decided to look for connections with known APT families.
 
The simplest thing to do is to check the C&C addresses used by the Trojan:
nortonupdates[.]online:64443
As it turned out, n3.nortonupdates[.]online:64443 was used by another piece of malware to download data about files found on the computer (.doc, .ppt, .pdf, .xls, .docx, .pptx, .xlsx) together with data about the infected machine. With the aid of Threat Intelligence, we found this malware: a malicious PowerShell script called Enigma.ps1 that executes C# code.
...
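The post gives the C&C indicator in defanged form (nortonupdates[.]online:64443) and notes that a subdomain, n3.nortonupdates[.]online, was used on the same port. The following is an added example, not code from the post or from the researchers quoted in it: it refangs those indicators and sweeps constructed proxy log lines (the log format and IP addresses are hypothetical) for connections to the indicator host, or any subdomain of it, on the listed port.

```python
import re

# Indicators quoted in the post above, kept in their defanged form.
C2_INDICATORS = ["n3.nortonupdates[.]online:64443", "nortonupdates[.]online:64443"]

def refang(ioc: str) -> str:
    """Turn a defanged indicator like 'example[.]com' back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

def split_host_port(ioc: str):
    """Return (host, port) from an indicator of the form host:port; port may be None."""
    host, _, port = refang(ioc).rpartition(":")
    return host.lower(), (int(port) if port.isdigit() else None)

# Constructed proxy log lines (hypothetical, not from the post) in a Squid-like
# 'timestamp client-ip status METHOD host:port' layout.
SAMPLE_LOG = """\
1603180000 10.0.0.5 TCP_MISS/200 CONNECT n3.nortonupdates.online:64443
1603180001 10.0.0.7 TCP_MISS/200 CONNECT updates.example.com:443
1603180002 10.0.0.5 TCP_MISS/200 CONNECT NORTONUPDATES.ONLINE:64443
1603180003 10.0.0.9 TCP_MISS/200 CONNECT nortonupdates.online:443
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+\S+\s+CONNECT\s+(?P<host>[^:\s]+):(?P<port>\d+)"
)

def find_c2_hits(log_text: str, indicators=C2_INDICATORS):
    """Return (client, host, port) for each log line that reaches an indicator host
    (exact match or a subdomain of it) on the indicator's port."""
    wanted = {split_host_port(i) for i in indicators}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not CONNECT records
        host, port = m["host"].lower(), int(m["port"])
        for ihost, iport in wanted:
            # Same port as the indicator, and host is the indicator or a subdomain of it.
            if port == iport and (host == ihost or host.endswith("." + ihost)):
                hits.append((m["src"], host, port))
                break
    return hits

if __name__ == "__main__":
    for src, host, port in find_c2_hits(SAMPLE_LOG):
        print(f"{src} -> {host}:{port}")
```

The fourth sample line is deliberately left unmatched: the same domain on port 443 is not the indicator, so host and port are checked together to avoid false positives.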