GravityRAT is quickly evolving type of malware/trojan called a Remote Access Trojan. These threats are very insidious as they are lurking everywhere in virtual world.
It first appeared in early 2016 and remained hard to detect. It has already been observed by National Computer Emergency Response Team and warned about the seriousness of this attack as it was affecting India,the UK and US.
Malicious PowerShell scripts are a key ingredient to many fileless malware. Windows PowerShell is a built-in tool based on the .NET framework comprising a command-line shell, an interface that lets users access services of the operating system (OS), and a programming language that can be used to create scripts. PowerShell is designed to automate system administration tasks, such as view all USB devices, drives, and services installed in the system, schedule a series of commands and set it in the background, or terminate processes (like Task Manager).
It first appeared in early 2016 and remained hard to detect. It has already been observed by National Computer Emergency Response Team and warned about the seriousness of this attack as it was affecting India,the UK and US.
The Malware authors using various techniques file exfiltration ,command and control execution capability and using testing files on virustotal to check antivirus capability to detect.
GravityRAT infects systems via social media tricks such as spam email with malicious documents, links, malvertising campaigns or exploits of vulnerable websites, and takes advantage of exploits kits, VB Macros etc.
Testing by the Author
The first image shows object frame that attacker has created for testing the AV on virustotal.
Testing by embedding a frame.
Downloading putty.exe for testing.
GravityRAT infection path.
Most of the word documents and xlsx are hewed in such a way by the attacker which makes it' hard to understand normal user. The malware author embedding macro inside the object of MS Document/XLSX.
The above image shows you the actual malicious doc embedded with macro with the specific code.
This doc is actually an archive file which you can extract through 7zip and can look what exactly that doc is embedded with.
Look into the above image where actual code which is inside the macro.
- The first function which is highlighted above is executed when the document is opened which actually copies the active document in %TEMP% directory in temporary.zip file.
- The second function extract the .exe file stored in it.
- Third function creates a schedule task, named 'wordtest' to execute this malicious file everyday.
So, there is no direct execution of the ,document in order to make itself undetected.
Extracted media files from the malicious doc archive.
The following extracted image4.exe is hazardous DOTnet file which is executing intelcorenew.exe which actually remote access trojan which is sending information to the server.
- Firstly, Its looking for the internet connection and take a sleep of 60000 secs and then looking for PC information in order to fool the antivirus.
- Creating files to save information about the root directory and other directories.
- Creating an array to get the the path where they can store the specific ext files.
- Steal information of the files with specific extensions.
- Looking for the Specific active domains at the time.
IOC's:
List of CnC servers are communicating through the http connection.
Md5's and Sha's:
0c926bc924f2b1e843aec259e2bd5f42
3ca8df24f434419a25d3de9bc234f7de
ec629f648434fc3d17e9561532d038c8
96cf8b0bd06a70a09774a38046cbd42a
URI:
Malware stealing several information such as Username, ComputerName etc.
Registry changes activity so that it can execute silently after every reboot or a day.
National CERT mentions that C2 server infrastructure of GravityRAT shows that author was specifically targeting Indian entities/Organizations.
The author has leaked the information within the samples how he has tested the sample in order to decrease the detection ratio across several AVengines . All the samples were uploaded from Pakistan to virustotal which clearly shows author was using VPN connection.
Precautionary Measures
Steps to follow:
- Don't open any attachment from unknown source.
- Verify it by using 7zip is it archive or normal doc by right clicking on the doc. if it's showing extract option which means it's an archive.
- General names : Invoice.doc, Bank_payment.doc etc.
- if any suspicious indicator found upload on virustotal.com and verify.
- Update antivirus and your system everyday.