Geeks for your information Security Security Vendors Kaspersky Kaspersky Security Blog v
GravityRAT: The spy returns
Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
GravityRAT: The spy returns
harlan4096 Online
MalWare Zoo Team
*******
Posts: 12,797
Threads: 8,840
Thanks Received: 8,732 in 6,893 posts
Thanks Given: 9,634
Joined: 12 September 18
#1
Bug  20 October 20, 07:41
Quote:
[Image: image3-1.png]

In 2018, researchers at Cisco Talos published a post on the spyware GravityRAT, used to target the Indian armed forces. The Indian Computer Emergency Response Team (CERT-IN) first discovered the Trojan in 2017. Its creators are believed to be Pakistani hacker groups. According to our information, the campaign has been active since at least 2015, and previously targeted Windows machines. However, it underwent changes in 2018, with Android devices being added to the list of targets.

Malicious guide

In 2019, on VirusTotal, we encountered a curious piece of Android spyware which, when analyzed, seemed connected to GravityRAT. The cybercriminals had added a spy module to Travel Mate, an Android app for travelers to India, the source code of which is available on Github.

The attackers used a version of the app published on Github in October 2018, adding malicious code and changing the name to Travel Mate Pro.The spyware’s functions are fairly standard: it sends device data, contact lists, e-mail addresses, and call and text logs to the C&C server. In addition, the Trojan searches for files in the device memory and on connected media with the extensions .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx, and .opus, and sends these to C&C as well.

The malware does not resemble a “typical” Android spy in that the choice of app is rather specific and the malicious code is not based on that of any known spyware app, as is often the case. As such, we decided to look for connections with known APT families.

The simplest thing to do is to check the C&C addresses used by the Trojan:
  • nortonupdates[.]online:64443
  • nortonupdates[.]online:64443
As it turned out, n3.nortonupdates[.]online:64443 was used by another piece of malware to download data about files found on the computer (.doc, .ppt, .pdf, .xls, .docx, .pptx, .xlsx) together with data about the infected machine. With the aid of Threat Intelligence, we found this malware: a malicious PowerShell script called Enigma.ps1 that executes C# code.
...
Continue Reading
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
AdGuard for Mac 2.14
AdGuard for Mac 2....harlan4096 — 09:03
AdGuard VPN for Mac 2.3
AdGuard VPN for Ma...harlan4096 — 08:58
INTEL Arc Graphics 31.0.101.5444
INTEL Arc Graphics...harlan4096 — 08:56
AMD “Strix Halo” Zen5 & RDNA3.5 premium ...
AMD first ultra-hi...harlan4096 — 08:54
Malwarebytes 5.1.3.110
Malwarebytes 5.1.3...Mohammad.Poorya — 00:51

[-]
Birthdays
Today's Birthdays
avatar (42)techlignub
avatar (41)Stevenmam
avatar (48)onlinbah
Upcoming Birthdays
avatar (43)wapedDow
avatar (49)steakelask
avatar (43)Termoplenka
avatar (41)bycoPaist
avatar (47)pieloKat
avatar (41)ilyagNeexy
avatar (49)donitascene
avatar (49)Toligo

[-]
Online Staff
There are no staff members currently online.

>