GravityRAT

GravityRAT is a remote access tool (RAT) and has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author, which are "TheMartian" and "The Invincible." According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organization and entities in India. [1]

ID: S0237
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 17 October 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

GravityRAT uses HTTP for C2.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

GravityRAT executes commands remotely on the infected host.[1]

Enterprise T1005 Data from Local System

GravityRAT steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.[1]

Enterprise T1025 Data from Removable Media

GravityRAT steals files based on an extension list if a USB drive is connected to the system.[1]

Enterprise T1083 File and Directory Discovery

GravityRAT collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.[1]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

GravityRAT has been delivered via Word documents using DDE for execution.[1]

Enterprise T1571 Non-Standard Port

GravityRAT has used HTTP over a non-standard port, such as TCP port 46769.[1]

Enterprise T1027 Obfuscated Files or Information

GravityRAT supports file encryption (AES with the key "lolomycin2017").[1]

.005 Indicator Removal from Tools

The author of GravityRAT submitted samples to VirusTotal for testing, showing that the author modified the code to try to hide the DDE object in a different part of the document.[1]

Enterprise T1057 Process Discovery

GravityRAT lists the running processes on the system.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

GravityRAT creates a scheduled task to ensure it is re-executed everyday.[1]

Enterprise T1082 System Information Discovery

GravityRAT collects the MAC address, computer name, and CPU information.[1]

Enterprise T1016 System Network Configuration Discovery

GravityRAT collects the victim IP address, MAC address, as well as the victim account domain name.[1]

Enterprise T1049 System Network Connections Discovery

GravityRAT uses the netstat command to find open ports on the victim’s machine.[1]

Enterprise T1033 System Owner/User Discovery

GravityRAT collects the victim username along with other account information (account type, description, full name, SID and status).[1]

Enterprise T1007 System Service Discovery

GravityRAT has a feature to list the available services on the system.[1]

Enterprise T1124 System Time Discovery

GravityRAT can obtain the date and time of a system.[1]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

GravityRAT uses WMI to check the BIOS and manufacturer information for strings like "VMWare", "Virtual", and "XEN" and another WMI request to get the current temperature of the hardware to determine if it's a virtual machine environment. [1]

Enterprise T1047 Windows Management Instrumentation

GravityRAT collects various information via WMI requests, including CPU information in the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed).[1]

References