Thursday, December 5, 2024
HomeMalwareGravityRAT - A Powerful Remote Access Trojan Conducting an APT Cyber Attack...

GravityRAT – A Powerful Remote Access Trojan Conducting an APT Cyber Attack in India, US and UK

Published on

SIEM as a Service

A newly uncovered APT Malware called GravityRAT deployed by a hacking group to attack various sectors in India, US, and UK.

This GravityRAT remote access trojan has been under continuous development for the last 2 years by skilled cyber criminals and increased a lot of future to maintain the persistence.

It has been distributed with new futures beyond traditional remote code execution and anti-VM techniques.

- Advertisement - SIEM as a Service

GravityRAT has been already observed by National Computer Emergency Response Team (CERT) of India and warned about the seriousness of this attack which mainly targeting India.

National CERT reported to block the IOCs at the network perimeter/gateway level and also warned to check the logs for any communication from hosts.

Hackers Origin

The researchers believe that the attackers could be using a proxy or a VPN  in order to evade the identification of the origin where the attack controls this Malware.

According to Talos Researchers, specific cybercriminals used at least two different usernames in the past two years: “The Invincible” and “TheMartian.”

Apart from this based on the malicious document submission, more specifically the documents used to test anti-virus on VirusTotal, were submitted from Pakistan.

Based on the Command and control server request, a large amount of C2 server traffic requested from India and other Traffic comes from US and UK.

GravityRAT Infection Vector

Cyber criminals Mainly used the Word Document as an initial infection vector and embedded Macro used within the crafted document to execute the malicious code on victims computers.

Once infected users open the malicious document, it forces victims to enable macro code in order to execute the payload which packed as-as Zip file that contains a Malicious exe file.

Attacker tested their malicious document several in Virustotal to make sure the document shouldn’t be detected by any antivirus engine and if its detected they modifying the file structure in order to evade the detection.

Their multiple versions were uncovered by researchers that stealing different sensitive information and files from the vicitms computer such as,

  • MAC Address
  • Computer name
  • Username
  • IP address
  • Date
  • Steal files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf and .pdf
  • The volumes mapped on the system

The latest version of the GravityRAT  collecting information on the system account (account type, description, domain name, full name, SID, and status)

Each new variant of this remote access trojan has different new future and the developer used the same C2 infrastructure for this time to established communication from victims.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...

Thinkware Cloud APK Vulnerability Allows Code Execution With Elevated Privileges

A critical vulnerability identified as CVE-2024–53614 has been discovered in the Thinkware Cloud APK...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Weaponized Word Documents Attacking Windows Users to Deliver NetSupport & BurnsRAT

The threat actors distributed malicious JS scripts disguised as legitimate business documents, primarily in...

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated...

New CleverSoar Malware Attacking Windows Users Bypassing Security Mechanisms

CleverSoar, a new malware installer, targets Chinese and Vietnamese users to deploy advanced tools...