
GravityRAT Remote Access Trojan

First publicly identified in early 2018, GravityRAT is a remote access trojan (RAT) and information stealer thought to have been created by an unnamed group affiliated with the Pakistani armed forces. Although it primarily targets Indian organisations, it has also been used in attacks against government organisations in Europe.


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.


Threat details

Introduction

GravityRAT is a recently observed remote access trojan. Although it was created in November 2016, it only came to public attention in early 2018. It has primarily targeted the Indian financial, engineering and government sectors, but in the past few months has begun to spread to Europe.


Delivery

It is typically delivered via malicious, macro-laden Microsoft Word documents distributed through spam campaigns, although there is also evidence of attacks that abuse Word's Dynamic Data Exchange (DDE) feature via a DDEAUTO field, which causes Word to launch an external application when the document is opened and the field is updated, without any macro being present.
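A triage helper for the two delivery methods above, added here as an illustration and not taken from the original advisory or from the malware itself: it opens a Word document as the zip archive it is, flags a VBA macro part (word/vbaProject.bin) and extracts any field instruction that invokes DDE or DDEAUTO. The sample document it scans is constructed in the temp directory purely to exercise the function; the file name and the field contents are made up for the demonstration.

```powershell
# Added example (not from the original advisory). Scans a Word document for
# the two delivery mechanisms the advisory describes: an embedded VBA project
# and a DDE/DDEAUTO field. Works on Windows PowerShell 5.1 and PowerShell 7.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-OfficeDocumentRisk {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{ Path = $Path; HasMacros = $false; HasDde = $false; DdeFields = @() }
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # A VBA project is stored as vbaProject.bin (.docm/.xlsm/.pptm, and sometimes
            # a renamed .docx), so check for the part rather than trusting the extension.
            if ($entry.FullName -match '(^|/)vbaProject\.bin$') { $result.HasMacros = $true }
            if ($entry.FullName -notmatch '\.xml$') { continue }

            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { $xml = $reader.ReadToEnd() } finally { $reader.Dispose() }

            # Word splits one field instruction over several <w:instrText> runs, so the
            # runs in each XML part are joined before matching (coarse, but fine for
            # triage). <w:fldSimple> carries the instruction in an attribute instead.
            $runs = [regex]::Matches($xml, '<w:instrText[^>]*>(.*?)</w:instrText>', 'Singleline') |
                        ForEach-Object { $_.Groups[1].Value }
            $simple = [regex]::Matches($xml, '<w:fldSimple[^>]*w:instr="([^"]*)"') |
                        ForEach-Object { $_.Groups[1].Value }
            $fields = @(($runs -join '')) + @($simple)
            foreach ($f in @($fields | Where-Object { $_ })) {
                if ($f -match '\bDDE(AUTO)?\b') {
                    $result.HasDde = $true
                    $result.DdeFields += $f.Trim()
                }
            }
        }
    } finally { $zip.Dispose() }
    [pscustomobject]$result
}

# Constructed sample: a minimal .docx with a DDEAUTO field split across two runs
# and an empty macro part, written to the temp directory only to exercise the
# function above. The command in the field is a harmless placeholder.
$sample = Join-Path $env:TEMP 'constructed-dde-sample.docx'
if (Test-Path $sample) { Remove-Item $sample -Force }
$docXml = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\windows\\system32\\cmd.exe </w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">"/c echo constructed sample" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>Click to update</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>
'@
$archive = [System.IO.Compression.ZipFile]::Open($sample, [System.IO.Compression.ZipArchiveMode]::Create)
try {
    $writer = New-Object System.IO.StreamWriter($archive.CreateEntry('word/document.xml').Open())
    try { $writer.Write($docXml) } finally { $writer.Dispose() }
    $archive.CreateEntry('word/vbaProject.bin').Open().Dispose()
} finally { $archive.Dispose() }

Get-OfficeDocumentRisk -Path $sample | Format-List
```

For the constructed sample the function reports both HasMacros and HasDde as true and lists the reassembled DDEAUTO instruction. Point it at a mail-quarantine folder or a file share with Get-ChildItem to triage real attachments; a document that carries a DDE field but no macro part is exactly the case that macro-blocking alone does not cover, which is why the advisory lists both mechanisms.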


Activities

Once installed, GravityRAT will attempt to collect the following:

  • System information: MAC and IP addresses, system time, device name and open ports.
  • Account information: full name and user name, domain name, account type and status.
  • CPU information: processor ID, manufacturer and clock speed.

It can also enumerate all running processes and services, and will map every connected local, network and removable drive and exfiltrate files with specific extensions from them. GravityRAT also contains AES file-encryption functionality, although at the time of publication there was no evidence of it being used in attacks.

GravityRAT uses an unusual anti-analysis technique to decide whether it is running in a virtual environment. On first execution it polls the CPU for thermal readings; because most virtual machines do not expose these sensors to the guest, GravityRAT terminates itself if no readings are returned. Sandboxes that do not present thermal data will therefore see the sample exit immediately and record no malicious behaviour.
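The check described above, as an added example that is not GravityRAT's own code: it makes the same decision from the defender's side, so an analyst can run it inside a sandbox or analysis VM and see whether the sample would have bailed out there. The page does not say which interface the malware polls; this example assumes the ACPI thermal zone that Windows exposes through WMI (root\wmi, class MSAcpi_ThermalZoneTemperature), which on most builds needs an elevated prompt. The function names are this example's own.

```powershell
# Added example (not code from GravityRAT or the original advisory).
# Assumption: the thermal readings come from the ACPI thermal zone that
# Windows exposes through WMI in root\wmi as MSAcpi_ThermalZoneTemperature.
function Get-ThermalZoneReading {
    [CmdletBinding()]
    param()
    try {
        $zones = Get-CimInstance -Namespace 'root/wmi' `
                                 -ClassName 'MSAcpi_ThermalZoneTemperature' `
                                 -ErrorAction Stop
    } catch {
        # Hyper-V, VMware and VirtualBox guests typically fail here with
        # "Not supported" because no ACPI thermal zone is presented to the guest.
        return @()
    }
    foreach ($z in $zones) {
        # CurrentTemperature is reported in tenths of a kelvin.
        [pscustomobject]@{
            Zone    = $z.InstanceName
            Kelvin  = $z.CurrentTemperature / 10
            Celsius = [math]::Round(($z.CurrentTemperature / 10) - 273.15, 1)
        }
    }
}

function Test-WouldGravityRatExit {
    # Mirrors the decision the advisory describes: no readings at all => treat as a VM.
    $readings = @(Get-ThermalZoneReading)
    return ($readings.Count -eq 0)
}

$readings = @(Get-ThermalZoneReading)
if (Test-WouldGravityRatExit) {
    Write-Output 'No thermal-zone readings returned: GravityRAT would treat this host as a VM and terminate.'
} else {
    $readings | Format-Table -AutoSize
    Write-Output 'Thermal readings present: the sample would continue to run here.'
}
```

If the script reports no readings in your analysis environment, a GravityRAT sample detonated there would exit before doing anything observable, so either detonate on physical hardware or check whether the sandbox can expose a thermal zone to the guest. Note that some physical machines also return nothing from this class, so the malware's heuristic is not a reliable VM detector, and this script is not one either.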


Threat updates

Date: 22 Oct 2020
Update: Infecting new platforms

GravityRAT has been updated and is now capable of infecting macOS and Android devices.


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Last edited: 22 October 2020 2:54 pm