Sunday, February 9, 2025
HomeMalwareGravityRAT - A Powerful Remote Access Trojan Conducting an APT Cyber Attack...

GravityRAT – A Powerful Remote Access Trojan Conducting an APT Cyber Attack in India, US and UK

Published on

SIEM as a Service

Follow Us on Google News

A newly uncovered APT Malware called GravityRAT deployed by a hacking group to attack various sectors in India, US, and UK.

This GravityRAT remote access trojan has been under continuous development for the last 2 years by skilled cyber criminals and increased a lot of future to maintain the persistence.

It has been distributed with new futures beyond traditional remote code execution and anti-VM techniques.

GravityRAT has been already observed by National Computer Emergency Response Team (CERT) of India and warned about the seriousness of this attack which mainly targeting India.

National CERT reported to block the IOCs at the network perimeter/gateway level and also warned to check the logs for any communication from hosts.

Hackers Origin

The researchers believe that the attackers could be using a proxy or a VPN  in order to evade the identification of the origin where the attack controls this Malware.

According to Talos Researchers, specific cybercriminals used at least two different usernames in the past two years: “The Invincible” and “TheMartian.”

Apart from this based on the malicious document submission, more specifically the documents used to test anti-virus on VirusTotal, were submitted from Pakistan.

Based on the Command and control server request, a large amount of C2 server traffic requested from India and other Traffic comes from US and UK.

GravityRAT Infection Vector

Cyber criminals Mainly used the Word Document as an initial infection vector and embedded Macro used within the crafted document to execute the malicious code on victims computers.

Once infected users open the malicious document, it forces victims to enable macro code in order to execute the payload which packed as-as Zip file that contains a Malicious exe file.

Attacker tested their malicious document several in Virustotal to make sure the document shouldn’t be detected by any antivirus engine and if its detected they modifying the file structure in order to evade the detection.

Their multiple versions were uncovered by researchers that stealing different sensitive information and files from the vicitms computer such as,

  • MAC Address
  • Computer name
  • Username
  • IP address
  • Date
  • Steal files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf and .pdf
  • The volumes mapped on the system

The latest version of the GravityRAT  collecting information on the system account (account type, description, domain name, full name, SID, and status)

Each new variant of this remote access trojan has different new future and the developer used the same C2 infrastructure for this time to established communication from victims.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Hackers Leveraging Image & Video Attachments to Deliver Malware

Cybercriminals are increasingly exploiting image and video files to deliver malware, leveraging advanced techniques...

Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems

Cybercriminals are actively exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to...