theDocumentId => 1339218 GravityRAT Spyware Targets Android & MacOS in India

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/19/2020
05:25 PM
50%
50%

GravityRAT Spyware Targets Android & MacOS in India

The Trojan once used in attacks against Windows systems has been transformed into a multiplatform tool targeting macOS and Android.

Researchers have identified GravityRAT, a spying remote access Trojan (RAT) known to target devices in India, in an attack campaign against Android and MacOS devices. The activity was still ongoing at the time their findings were published on Oct. 19.

Related Content:

Trickbot, Phishing, Ransomware & Elections

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: Expert Tips to Keep WordPress Safe

GravityRAT has been active since at least 2015 and primarily focused on Windows operating systems, Kaspersky researchers report, noting the Trojan has been used to target the Indian military services. A couple of years ago, its operators added Android to its list of targets.

The team recently identified a module proving GravityRAT is targeting Android. As far as functionality goes, its capabilities are fairly standard: The spyware sends device data, contact lists, email addresses, and call and text logs to the attackers' command-and-control (C2) server.

However, there are some reasons GravityRAT doesn't look like the usual Android spyware. A victim must choose a specific application in order to launch malicious activity; further, malicious code isn't based on the code of previously known spyware applications. Analysis of the C2 addresses module used revealed several additional versions of GravityRAT, all distributed disguised as legitimate applications such as secure file-sharing apps.

Used together, these modules let the attackers tap into Windows, macOS, and Android, the researchers say.

A 2019 article from The Times of India shows that between 2015 and 2018, GravityRAT victims were contacted through a fake Facebook account and asked to install a malicious app disguised as a secure messaging service. The activity affected about 100 employees of defense, police, and other organizations. The Kaspersky team believes the latest campaign is likely using similar infection techniques. 

Read Kaspersky's full writeup for more details.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26824
PUBLISHED: 2021-07-26
DM FingerTool v1.19 in the DM PD065 Secure USB is susceptible to improper authentication by a replay attack, allowing local attackers to bypass user authentication and access all features and data on the USB.
CVE-2020-12681
PUBLISHED: 2021-07-26
Missing TLS certificate validation on 3xLogic Infinias eIDC32 devices through 3.4.125 allows an attacker to intercept/control the channel by which door lock policies are applied.
CVE-2020-4623
PUBLISHED: 2021-07-26
IBM i2 iBase 8.9.13 could allow a local authenticated attacker to execute arbitrary code on the system, caused by a DLL search order hijacking flaw. By using a specially-crafted .DLL file, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 184984.
CVE-2021-20337
PUBLISHED: 2021-07-26
IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 194448.
CVE-2021-20430
PUBLISHED: 2021-07-26
IBM i2 Analyst's Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2) could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 196341.