The RAT is so evasive that it scurries into hiding if the CPU temperature rises, for example under the load of increased anti-malware scanning!
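To see what a temperature-gated evasion check of this kind actually has to work with, here is an added example (not GravityRAT's own code, and not from Kaspersky or Cisco Talos) that reads the ACPI thermal zones through WMI on a Windows host, the data source a Windows RAT would need for a CPU-temperature check. The 80 °C threshold, the function name and the decision messages are assumptions for illustration; the WMI class and its unit are real. Run it on a physical machine and again inside your analysis sandbox and compare the two results.

```powershell
# Added example (not GravityRAT code): what a CPU-temperature evasion check sees.
# Reads the ACPI thermal zones via WMI and reports whether the reading is usable.
# Run as Administrator; the WMI provider may refuse unprivileged callers.

function Get-ThermalZoneCelsius {
    try {
        # MSAcpi_ThermalZoneTemperature.CurrentTemperature is in tenths of a kelvin.
        $zones = Get-CimInstance -Namespace 'root/WMI' `
            -ClassName 'MSAcpi_ThermalZoneTemperature' -ErrorAction Stop
        foreach ($z in $zones) {
            [pscustomobject]@{
                Zone    = $z.InstanceName
                Celsius = [math]::Round(($z.CurrentTemperature / 10) - 273.15, 1)
            }
        }
    } catch {
        # Caveat: many hypervisors do not expose ACPI thermal zones at all, so the
        # query fails with "Not supported". A temperature-based check therefore
        # also works as a crude VM/sandbox detector, whatever the threshold is.
        Write-Warning "Thermal zone query failed: $($_.Exception.Message)"
    }
}

$readings = @(Get-ThermalZoneCelsius)
if ($readings.Count -eq 0) {
    'No thermal data: this host looks like a VM/sandbox to a temperature-based check.'
} else {
    $readings | Format-Table -AutoSize
    # Hypothetical threshold: a RAT that "hides when the CPU gets hot" would
    # compare against something like this and go dormant above it.
    $limit = 80
    $hot = @($readings | Where-Object { $_.Celsius -ge $limit })
    if ($hot.Count -gt 0) {
        "At least one zone is at or above $limit C; a temperature-gated RAT would stay dormant."
    } else {
        "All zones are below $limit C; a temperature-gated RAT would proceed."
    }
}
```

The practical consequence for a sandbox operator is that defeating this class of check is not only about keeping the guest cool: if the hypervisor exposes no thermal zone at all, the sample can treat the failed query itself as a signal, so a convincing sandbox has to present plausible thermal data, for instance by hooking the WMI provider or by detonating on bare metal.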

In 2018, cybersecurity researchers published an overview of the development of GravityRAT.

The Gravity remote access tool (RAT), allegedly developed by Pakistani advanced persistent threat (APT) hackers, has been used since 2015 in targeted attacks against the Indian military. It was initially aimed at Windows systems, with Android added as a target later.

Recently, the spyware RAT was found embedded in a travel application aimed at users in India, but the identified module did not look like a typical piece of Android spyware. For instance, a specific application has to be chosen as the carrier for the malicious code, and that code was not derived from any previously known spyware family.

This development subsequently motivated researchers at Kaspersky to compare the module with already known APT families. Analysis of the command and control addresses used revealed several additional malicious modules, also related to the actor behind GravityRAT.

Overall, more than 10 versions of GravityRAT were found, distributed under the guise of legitimate applications such as media players or secure file-sharing tools that purportedly protect users' devices from file-encrypting (ransomware) Trojans. Taken together, these modules have allowed the group to reach not just Windows, but Android and iOS platforms as well.

Do you smell more RATs?

Tatyana Shishkova, a Kaspersky security expert, commented: “Our investigations indicated that the actor behind GravityRAT is continuing to invest in its spying capacities. Cunning disguise and an expanded OS portfolio not only allow us to say that we can expect more incidents with this malware in the APAC region, but this also supports the wider trend that malicious users are not necessarily focused on developing new malware, but developing proven ones instead in an attempt to be as successful as possible.”

Further investigation confirmed that the group behind the malware has invested effort in making it a multiplatform tool. In addition to Windows, it can now be used against Android and Apple devices.

The campaign is still active.