A RAT that spies on computers

Malware allegedly designed by Pakistani hackers has become stronger: experts

May 05, 2018 09:57 pm | Updated May 06, 2018 04:03 pm IST - Mumbai

GravityRAT is designed to infiltrate computers and steal the data of users, and relay the stolen data to Command and Control centres in other countries.

GravityRAT, a malware allegedly designed by Pakistani hackers, has recently been updated further and equipped with anti-malware evasion capabilities, Maharashtra cybercrime officials said.

The RAT was first detected by the Indian Computer Emergency Response Team (CERT-In) on various computers in 2017. It is designed to infiltrate computers and steal the data of users, and relay the stolen data to Command and Control centres in other countries. The ‘RAT’ in its name stands for Remote Access Trojan, a program that gives its operators remote control over the infected machine and is therefore difficult to trace.

Mask presence

Maharashtra cybercrime department officials said that the latest update to the program by its developers is part of GravityRAT’s function as an Advanced Persistent Threat (APT), which, once it infiltrates a system, silently evolves and does long-term damage.

“GravityRAT is unlike most malware, which is designed to inflict short-term damage. It lies hidden in the system that it takes over and keeps penetrating deeper. According to the latest inputs, GravityRAT has now become self-aware and is capable of evading several commonly used malware detection techniques,” an officer of the cybercrime unit said.

One such technique is ‘sandboxing’, which isolates suspected malware from critical programs on infected devices and provides an extra layer of security.

“The problem, however, is that malware needs to be detected before it can be sandboxed, and GravityRAT now has the ability to mask its presence. Typically, malware activity is detected by the ‘noise’ it causes inside the Central Processing Unit, but GravityRAT is able to work silently. It can also gauge the temperature of the CPU and ascertain if the device is carrying out high-intensity activity, like a malware search, and act to evade detection,” another officer said.

Email attachment

Officials said that GravityRAT infiltrates a system in the form of an innocuous-looking email attachment, which can be in any format, including MS Word, MS Excel, MS PowerPoint, Adobe Acrobat or even audio and video files.

“The hackers first identify the interests of their targets and then send emails with suitable attachments. Thus a document with ‘share prices’ in the file is sent to those interested in the stock market. Once it is downloaded, it prompts the user to enter a message in a dialogue box, purportedly to prove that the user is not a bot. While the users take this to be a sign of extra security, the action actually initiates the process for the malware to infiltrate the system, triggering several steps that end with GravityRAT sending data to the Command and Control server regularly,” an officer said.

The other concern is that the Command and Control servers are based in several countries. The data is sent in an encrypted format, making it difficult to detect exactly what is leaked.

Special Inspector General of Police (Cyber) Brijesh Singh of Maharashtra Police said, “We urge people to follow basic cyber hygiene like watching what they download, updating their anti-virus software and conducting cyber security reviews regularly.” CERT-In had issued an alert for it last year, with an advisory asking users to review cybersecurity measures and update anti-malware tools.
