Windows GravityRAT Malware Targets macOS and Android Devices

Today, we're going to discuss the Windows GravityRAT Malware, which targets macOS and Android devices.

It is a piece of malware classified as spyware: from infected devices, the attackers can steal certain data. It mainly targets Windows, Android, and macOS users. It is distributed via various applications, including WeShare, TrustX, Click2Chat, Bollywood, Scarify, MelodyMate, GoZap, StrongBox, TeraSpace, OrangeVault, and CvStyler. If one of those apps is installed on the operating system, the device is infected with GravityRAT along with it.

After a two-year hiatus, the Windows-based remote access Trojan used by Pakistani hacker groups has re-emerged, now targeting Android and macOS devices; the new versions are believed to have been designed by those groups to infiltrate computers and steal users' data.

According to cybersecurity firm Kaspersky, the malware, known as GravityRAT, now poses as legitimate Android and macOS applications that seize device data, contact lists, email addresses, and call and text logs, and transfer them to an attacker-controlled server.

GravityRAT, first recorded by the Indian Computer Emergency Response Team (CERT-In) in August 2017 and then by Cisco Talos in April 2018, has been known to target Indian companies and organizations through malicious Microsoft Office Word documents since 2015.

Last year, it came out that more than 98 officials from various defense forces and organizations, including the Indian Army, Air Force, and Navy, had been approached by Pakistani spies using fake Facebook accounts and tricked into installing malware disguised as Whisper, a secure messaging app.

Although GravityRAT's latest evolution has moved beyond anti-malware evasion capabilities to gain multi-platform support, including Android and macOS, the overall modus operandi remains the same: booby-trapped links are sent to targets to distribute the malware.

Kaspersky said it had found more than a dozen versions of GravityRAT, which were cross-referenced against the command and control (C2) addresses used by the Trojan and were distributed under the guise of legitimate applications. "Our investigation indicates that the actor behind GravityRAT continues to invest in its espionage," said Tatiana Shishkova of Kaspersky.

"The strategic role and expanded OS portfolio not only allow us to say that more events can be expected with this malware in the APAC sector, but also that malware users should not focus on developing new malware, but rather on developing proven ones instead, in an effort to be as successful as possible."

Kaspersky identified these more than a dozen versions of GravityRAT by cross-referencing the command and control (C2) addresses used by the Trojan; all of them were distributed under the guise of legitimate applications.

The Trojanized applications pose as travel, file-sharing, media-player, and adult-comics apps. The malware caters to Android, macOS, and Windows, allowing the attackers to gather system information and lists of running processes, log keystrokes, take screenshots, and run arbitrary shell commands.

Malware infections can only be prevented by guarding against them in advance. Download software only from official, trustworthy websites. Avoid third-party downloaders, free file-hosting sites, freeware download pages, and other unofficial download sources. Do not open files attached to irrelevant emails received from unknown or suspicious addresses. Additionally, all installed programs must be updated (or activated, if necessary) with the tools and/or functions provided by the software developers, not by third parties.

Additionally, computers need to be scanned regularly with antivirus or anti-spyware software, and that software must always be kept up to date.