'GravityRAT' Windows spyware modified to infect macOS, Android
A strain of malware called GravityRAT, known for spying on Windows machines, has been adapted to infect both Android and macOS devices, according to a new report.
Although most remote access trojans (RATs) target Windows devices, ones that affect Macs have surfaced from time to time. In the case of GravityRAT, it appears that the group responsible for the malware has introduced support for both the macOS and Android operating systems.
Security researchers at Kaspersky have discovered an updated strain of GravityRAT while analyzing an Android spyware app. During the analysis, the researchers identified a server used by two other malicious apps targeting Windows and macOS.
"Overall, more than 10 versions of GravityRAT were found, being distributed under the guise of legitimate applications, such as secure file sharing applications that would help protect users' devices from encrypting Trojans, or media players," the researchers wrote.
GravityRAT is spyware known for checking a computer's CPU temperature in an effort to detect whether it is running inside a virtual machine. Beyond that evasion check, the malicious code dropped by the RAT can be used for a range of cyber espionage tasks.
According to Kaspersky, the trojan can allow attackers to send commands that get information about a system; search for files on a machine; intercept keystrokes; take screenshots; execute arbitrary shell commands; and get a list of running processes.
The researchers found apps written in Python, Electron, and .NET that will download GravityRAT payloads from a command and control server. From there, the malware adds scheduled tasks to gain persistence. Oftentimes, the malicious apps are clones of legitimate ones.
It's unclear who exactly developed and maintains the GravityRAT malware, though it's largely thought to be tied to Pakistani hacker groups who have used it to target Indian military and police organizations.
Who's at risk and how to protect yourself
Although researchers discovered about 100 successful attacks using GravityRAT between 2015 and 2018, it appears that most of these have been highly targeted.
For example, defense and police employees in India were tricked into installing a "secure messenger" via Facebook, The Times of India reported.
Kaspersky notes that the exact infection vector is unknown, but targets are likely being sent download links to the trojanized apps directly.
What that means in practice is that the average macOS user is likely safe from the RAT. Unless one is a target, security best practices such as avoiding shady links and only downloading apps from trusted app stores are likely enough to mitigate the threat.
11 Comments
I’m using Kaspersky (complete protection 2020) as standard protection on all my Macs, better safe than sorry :-) The performance impact is minimal.
Speaking of course on my own systems that I’m using.
Adobe Flash will be the go-to choice for trojans IMHO. After Adobe kills it on 12/31/2020 there will be a deluge of fake Flash downloads and users will fall for it. The Apple Discussion Forums are rife with bitching about how Safari 14 no longer allows Flash. Users are determined to continue to use Flash for their old games and the few websites that still use it. They’ll get killed soon enough.
Best defense for this is the usual one. Keep aware, be informed, and don’t accept downloads that you are not totally certain are legit.