GravityRAT is a remote access tool (RAT) that has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames linked to the author have been recovered: "TheMartian" and "The Invincible." According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organizations and entities in India. [1]

ID: S0237
Platforms: Windows

Version: 1.1

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | GravityRAT executes commands remotely on the infected host. [1]
Enterprise | T1005 | Data from Local System | GravityRAT steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf. [1]
Enterprise | T1025 | Data from Removable Media | GravityRAT steals files matching an extension list when a USB drive is connected to the system. [1]
Enterprise | T1173 | Dynamic Data Exchange | GravityRAT has been delivered via Word documents that use DDE for execution. [1]
Enterprise | T1083 | File and Directory Discovery | GravityRAT collects the volumes mapped on the system and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf. [1]
Enterprise | T1066 | Indicator Removal from Tools | The author of GravityRAT submitted samples to VirusTotal for testing, showing that the author modified the code to try to hide the DDE object in a different part of the document. [1]
Enterprise | T1027 | Obfuscated Files or Information | GravityRAT supports file encryption (AES with the key "lolomycin2017"). [1]
Enterprise | T1057 | Process Discovery | GravityRAT lists the running processes on the system. [1]
Enterprise | T1053 | Scheduled Task | GravityRAT creates a scheduled task to ensure it is re-executed every day. [1]
Enterprise | T1071 | Standard Application Layer Protocol | GravityRAT uses HTTP for C2. [1]
Enterprise | T1082 | System Information Discovery | GravityRAT collects the MAC address, computer name, and CPU information. [1]
Enterprise | T1016 | System Network Configuration Discovery | GravityRAT collects the victim's IP address and MAC address, as well as the victim's account domain name. [1]
Enterprise | T1049 | System Network Connections Discovery | GravityRAT uses the netstat command to find open ports on the victim's machine. [1]
Enterprise | T1033 | System Owner/User Discovery | GravityRAT collects the victim username along with other account information (account type, description, full name, SID, and status). [1]
Enterprise | T1007 | System Service Discovery | GravityRAT has a feature to list the available services on the system. [1]
Enterprise | T1124 | System Time Discovery | GravityRAT can obtain the date and time of a system. [1]
Enterprise | T1065 | Uncommonly Used Port | GravityRAT uses port 46769 for C2. [1]
Enterprise | T1497 | Virtualization/Sandbox Evasion | GravityRAT uses WMI to check the BIOS and manufacturer information for strings such as "VMWare", "Virtual", and "XEN", and issues a second WMI request for the current hardware temperature, to determine whether it is running in a virtual machine. [1]
Enterprise | T1047 | Windows Management Instrumentation | GravityRAT collects various information via WMI requests, including CPU information from the Win32_Processor class (Processor ID, Name, Manufacturer, and clock speed). [1]
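The table above lists several host behaviours a defender can pivot on together: the fixed C2 port 46769, netstat-based port enumeration, the daily scheduled task, and the WMI queries used for CPU collection and the VM check. The following hunting routine is an added example written for this page, not code from ATT&CK or from GravityRAT itself; it assumes a constructed Sysmon-like "key=value" event format, and the Win32_BIOS and Win32_ComputerSystem class names used for the BIOS/manufacturer check are an assumption, since the page names only Win32_Processor.

```python
import re
# Indicators taken from the technique table above. Event lines are a
# constructed Sysmon-like "key=value" format, not any vendor's real schema.
C2_PORT = "46769"                                     # T1065: C2 on an uncommon port
VM_CLASSES = ("win32_bios", "win32_computersystem")   # assumed WMI classes behind the T1497 check

def parse_event(line):
    """Split a log line into key=value pairs; values may be double-quoted."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {k: v.strip('"') for k, v in pairs}

def classify(ev):
    """Return the GravityRAT techniques a single event is consistent with."""
    hits = []
    kind = ev.get("type")
    if kind == "network" and ev.get("dport") == C2_PORT:
        hits.append("T1065 outbound C2 on port 46769")
    elif kind == "process":
        image = ev.get("image", "").lower()
        cmd = ev.get("cmd", "").lower()
        if image.endswith("netstat.exe"):
            hits.append("T1049 netstat used to enumerate open ports")
        if image.endswith("schtasks.exe") and "/sc daily" in cmd:
            hits.append("T1053 daily scheduled task for persistence")
    elif kind == "wmi":
        query = ev.get("query", "").lower()
        if "win32_processor" in query:
            hits.append("T1047 CPU details via Win32_Processor")
        if any(c in query for c in VM_CLASSES):
            hits.append("T1497 BIOS/manufacturer query (possible VM check)")
    return hits

def hunt(lines):
    """Group matched techniques by pid; several hits on one pid deserve a look."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        for hit in classify(ev):
            findings.setdefault(ev.get("pid", "?"), []).append(hit)
    return findings

# Constructed sample telemetry: pid 4120 behaves like GravityRAT, pid 880 is benign admin use.
SAMPLE_LOG = [
    'type=wmi pid=4120 query="SELECT Manufacturer FROM Win32_ComputerSystem"',
    'type=wmi pid=4120 query="SELECT ProcessorId,Name FROM Win32_Processor"',
    'type=process pid=4120 image=C:\\Windows\\System32\\netstat.exe cmd="netstat -ano"',
    'type=process pid=4120 image=C:\\Windows\\System32\\schtasks.exe cmd="schtasks /create /sc daily /tn Updater /tr C:\\Users\\x\\u.exe"',
    'type=network pid=4120 dst=203.0.113.10 dport=46769',
    'type=process pid=880 image=C:\\Windows\\System32\\netstat.exe cmd="netstat -an"',
    'type=network pid=880 dst=203.0.113.20 dport=443',
]
```

A single netstat run (pid 880) is routine administration; the value of the grouping is that pid 4120 stacks five of the page's techniques, which is the signal worth escalating.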