GravityRAT: Pakistani hacker reportedly develops World's most sophisticated spy tool

ISLAMABAD – GravityRAT, a malware allegedly designed by Pakistani hackers, has recently been updated further and equipped with anti-malware evasion capabilities, Maharashtra cybercrime officials said.

The RAT was first detected by the Indian Computer Emergency Response Team, CERT-In, on various computers in 2017. It is designed to infiltrate computers, steal users' data and relay the stolen data to Command and Control centres in other countries. The 'RAT' in its name stands for Remote Access Trojan, a program that can be controlled remotely and is therefore difficult to trace.

Mask presence

Maharashtra cybercrime department officials said that the latest update to the program by its developers is part of GravityRAT's function as an Advanced Persistent Threat (APT), which, once it infiltrates a system, silently evolves and does long-term damage.

"GravityRAT is unlike most malware, which are designed to inflict short-term damage. It lies hidden in the system that it takes over and keeps penetrating deeper. According to the latest inputs, GravityRAT has now become self-aware and is capable of evading several commonly used malware detection techniques," an officer of the cybercrime unit said.

One such technique is 'sandboxing', which isolates malware from critical programs on infected devices and provides an extra layer of security.

"The problem, however, is that malware needs to be detected before it can be sandboxed, and GravityRAT now has the ability to mask its presence. Typically, malware activity is detected by the 'noise' it causes inside the Central Processing Unit, but GravityRAT is able to work silently. It can also gauge the temperature of the CPU and ascertain if the device is carrying out high-intensity activity, like a malware search, and act to evade detection," another officer said.

Email attachment

Officials said that GravityRAT infiltrates a system in the form of an innocuous-looking email attachment, which can be in any format, including MS Word, MS Excel, MS PowerPoint, Adobe Acrobat or even audio and video files.

"The hackers first identify the interests of their targets and then send emails with suitable attachments. Thus a document with 'share prices' in the file is sent to those interested in the stock market. Once it is downloaded, it prompts the user to enter a message in a dialogue box, purportedly to prove that the user is not a bot. While the users take this to be a sign of extra security, the action actually initiates the process for the malware to infiltrate the system, triggering several steps that end with GravityRAT sending data to the Command and Control server regularly," an officer said.
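The delivery vector described above, an attachment whose declared format need not match what it actually contains, is something a mail gateway can check before a user ever sees the dialogue box. The following is an added, defender-side example (not code from the article, from CERT-In or from any GravityRAT analysis): it parses a constructed sample email with Python's standard library, sniffs each attachment's real content type from its magic bytes, flags a mismatch with the file extension, flags executable content, and flags an Office OOXML file that carries a VBA project. The sample message, attachment names and findings strings are all assumptions made up for the demonstration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Leading bytes that identify common attachment containers.
MAGIC = {
    b"MZ": "pe-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-container",            # OOXML (docx/xlsx/pptx) is a zip
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound",  # legacy doc/xls/ppt
}

# What the extension claims the content should be.
EXPECTED_BY_EXT = {
    "pdf": "pdf",
    "docx": "zip-container", "xlsx": "zip-container", "pptx": "zip-container",
    "docm": "zip-container", "xlsm": "zip-container", "pptm": "zip-container",
    "doc": "ole-compound", "xls": "ole-compound", "ppt": "ole-compound",
}


def sniff(data: bytes) -> str:
    """Return the container type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def ooxml_has_macros(data: bytes) -> bool:
    """True if a zip-based Office file contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> list:
    """Return a list of findings (empty list means nothing suspicious found)."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    expected = EXPECTED_BY_EXT.get(ext)
    if expected and kind != expected:
        findings.append(f"type-mismatch: .{ext} declared but content looks like {kind}")
    if kind == "pe-executable":
        findings.append("executable-content")
    if kind == "zip-container" and ooxml_has_macros(data):
        findings.append("office-macros-present")
    if kind == "ole-compound":
        findings.append("legacy-office-binary (may carry VBA; inspect further)")
    return findings


def triage_message(raw: bytes) -> dict:
    """Map each attachment filename in a raw RFC 5322 message to its findings."""
    msg = message_from_bytes(raw, policy=default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        report[name] = triage_attachment(name, part.get_payload(decode=True))
    return report


def build_sample_message() -> bytes:
    """Constructed sample: a macro-bearing .docx and a 'PDF' that is really a PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # stand-in VBA part
    docx = buf.getvalue()
    fake_pdf = b"MZ\x90\x00" + b"\x00" * 60                  # PE header, .pdf name

    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "Share prices"
    msg.set_content("Please see attached.")
    msg.add_attachment(docx, maintype="application", subtype="octet-stream",
                       filename="share_prices.docx")
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in triage_message(build_sample_message()).items():
        print(name, "->", findings or ["clean"])
```

The check is deliberately content-based rather than extension-based, because the article's point is that the lure can arrive under any filename; the magic-byte sniff and the zip inspection are cheap enough to run on every inbound attachment, and a finding here is a reason to route the file to detonation or quarantine rather than to the user's inbox.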

The other concern is that the Command and Control servers are based in several countries. The data is sent in an encrypted format, making it difficult to detect exactly what is leaked.

Special Inspector General of Police (Cyber) Brijesh Singh of Maharashtra Police said, "We urge people to follow basic cyber hygiene like watching what they download, updating their anti-virus software and conducting cyber security reviews regularly." CERT-In had issued an alert for it last year, with an advisory asking users to review cybersecurity measures and update anti-malware tools.