steven36 Posted October 20, 2020

GravityRAT, a malware strain known for checking the CPU temperature of Windows computers to detect virtual machines or sandboxes, is now multi-platform spyware, as it can now also be used to infect Android and macOS devices.

The GravityRAT Remote Access Trojan (RAT) has been under active development by what looks like Pakistani hacker groups since at least 2015 and has been deployed in targeted attacks against Indian military organizations.

New versions infect Android and macOS devices

While the malware authors previously focused their efforts on targeting Windows machines, a sample discovered by Kaspersky researchers last year shows that they are now adding macOS and Android support. They are now also signing their code using digital signatures to make their booby-trapped apps look legitimate.

The updated RAT sample was detected while analyzing an Android spyware app (i.e., Travel Mate Pro) that steals contacts, emails, and documents, which get sent to the nortonupdates[.]online command-and-control server also used by two other malicious apps (Enigma and Titanium) targeting the Windows and macOS platforms.

Spyware malware dropped by these malicious apps on infected devices runs multiplatform code, and it allows attackers to send commands to:

- get information about the system
- search for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server
- get a list of running processes
- intercept keystrokes
- take screenshots
- execute arbitrary shell commands
- record audio (not implemented in this version)
- scan ports

"Analysis of the command and control (C&C) addresses module used revealed several additional malicious modules, also related to the actor behind GravityRAT," researchers at Kaspersky found.

"Overall, more than 10 versions of GravityRAT were found, being distributed under the guise of legitimate applications, such as secure file sharing applications that would help protect users' devices from encrypting Trojans, or media players. Used together, these modules enabled the group to tap into Windows OS, MacOS, and Android."

Delivered via links to booby-trapped apps

Kaspersky has also found applications developed in .NET, Python, and Electron, often as clones of legitimate apps, that will download GravityRAT payloads from the C&C server and add a scheduled task on the infected device to gain persistence.

Roughly 100 successful attacks using this RAT were detected between 2015 and 2018, with defense and police employees getting infected after being tricked via Facebook into installing a "secure messenger," according to reports.

While the infection vector in the case of these updated samples remains unknown, Kaspersky says that targets are probably being sent download links to the malicious apps, just as happened in the past.

"Our investigation indicated that the actor behind GravityRAT is continuing to invest in its spying capacities," Kaspersky security expert Tatyana Shishkova said.

"Cunning disguise and an expanded OS portfolio not only allow us to say that we can expect more incidents with this malware in the APAC region, but this also supports the wider trend that malicious users are not necessarily focused on developing new malware, but developing proven ones instead, in an attempt to be as successful as possible."

Source
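As an added defender-side example (not part of the post or of Kaspersky's research), the snippet below scans constructed proxy log lines for traffic to the C&C domain named in the article and flags POST uploads of the document types the RAT is described as collecting. The log format, the sample lines and the function names are assumptions made for this illustration.

```python
import re
from typing import Iterable

# Indicator quoted in the article, kept in its defanged form.
DEFANGED_C2 = "nortonupdates[.]online"

# Document extensions the article says the RAT searches for and uploads.
TARGET_EXTENSIONS = {".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx",
                     ".pdf", ".odt", ".odp", ".ods"}

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into 'example.com'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

# Assumed (constructed) proxy log format, one request per line:
# <timestamp> <client_ip> <method> <host> <path> <bytes_out>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<bytes>\d+)$"
)

def scan_proxy_log(lines: Iterable[str], c2_host: str = refang(DEFANGED_C2)) -> list:
    """Return one finding per line whose destination is the C2 domain or a
    subdomain of it. A POST whose path ends in a targeted document extension
    is marked as likely exfiltration. Malformed lines are skipped, not fatal."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = m["host"].lower()
        if host != c2_host and not host.endswith("." + c2_host):
            continue
        path = m["path"].lower()
        ext = ("." + path.rsplit(".", 1)[-1]) if "." in path else ""
        findings.append({
            "client": m["client"],
            "host": host,
            "exfil": m["method"] == "POST" and ext in TARGET_EXTENSIONS,
        })
    return findings

# Constructed sample lines for demonstration only; not real traffic.
SAMPLE_LOG = [
    "2020-10-20T10:00:01Z 10.0.0.5 GET update.example.org /check 200",
    "2020-10-20T10:00:07Z 10.0.0.5 GET nortonupdates.online /cmd 512",
    "2020-10-20T10:00:09Z 10.0.0.5 POST nortonupdates.online /upload/q3.docx 48211",
    "2020-10-20T10:01:00Z 10.0.0.9 GET api.nortonupdates.online /ping 300",
    "not a log line",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
```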
Sylence Posted October 20, 2020

Every new malware that's being found is by Kaspersky. That's the name I'm hearing all the time. They're doing a great job, and then some government labels them as unsafe. Lol, that explains everything. If you don't have any enemies, you're doing something wrong.
steven36 Posted October 20, 2020 (Author)

That doesn't make sense, because everybody has enemies. These old methods of detecting malware for the app are OK, but not effective against attacks in the service itself; you need AI to detect phishing.