Malware Threat Report: What is GravityRAT and How Does it Work?

GravityRAT malware infects systems and steals files, often targeting corporate and government entities in India. The malware uses a variety of methods to evade detection, including encrypted communication and a feature that lists available services on the system.

GravityRAT Malware Capabilities:

• GravityRAT may use various techniques to evade detection and analysis, including encrypting or obfuscating its contents, communicating using application layer protocols associated with web traffic, and trying to gather information about registered local system services.
• GravityRAT may collect sensitive data from removable media devices connected to a compromised system, as well as from the system itself. This data may be exfiltrated from the system.
• GravityRAT may attempt to collect information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Additionally, it may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. Finally, it may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system.
• GravityRAT is a remote access trojan (RAT) that may be used to gain unauthorized access to a system. GravityRAT may communicate using a protocol and port paring that are typically not associated, making it difficult to detect and analyze. GravityRAT may also look for details about the network configuration and settings of systems they access, including IP and MAC addresses, in order to gain access.
• GravityRAT may use various methods to avoid detection and analysis, including checking for virtualization artifacts and altering its behavior accordingly. It may also use the Windows command shell for execution, which provides a wide range of capabilities.
• GravityRAT may attempt to collect information about running processes on a system in order to gain an understanding of common software/applications running on systems within the network. Additionally, GravityRAT may use Windows Dynamic Data Exchange to execute arbitrary commands. Finally, if GravityRAT believes their malicious tool was detected, quarantined, or otherwise curtailed, they may remove indicators from the tool in order to avoid detection.

Ways to Mitigate GravityRAT Malware Attacks Capabilities

• GravityRAT can be mitigated by detection of file obfuscation, analysis of network data, and system and network discovery techniques. These methods can help to identify suspicious activity and prevent the malware from causing damage.
• GravityRAT can be used to collect files from a system, and this can be mitigated by monitoring processes and command-line arguments for suspicious activity. Additionally, data may be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell, so these should also be monitored.
• GravityRAT can be mitigated by monitoring process execution and scheduled tasks for changes that do not correlate with known software or patch cycles. System and network discovery techniques can also help to identify GravityRAT activity.
• GravityRAT can be mitigated by analyzing packet contents and network data for unusual activity, and by viewing data and events as part of a chain of behavior that could lead to other activities.
• GravityRAT can be mitigated by analyzing network data for unusual data flows, detecting actions related to virtualization and sandbox identification, and monitoring for suspicious processes. Scripts should be captured from the file system to determine their actions and intent.
• GravityRAT can be mitigated by monitoring processes for abnormal behavior, such as Microsoft Office applications loading DLLs and other modules not typically associated with the application or these applications spawning unusual processes.