Geeks for your information Security Security Vendors Kaspersky Kaspersky Security Blog v
GravityRAT: The spy returns
GravityRAT: The spy returns
harlan4096 Online
MalWare Zoo Team
*******
Posts: 16,435
Threads: 10,375
Thanks Received: 9,385 in 7,531 posts
Thanks Given: 10,373
Joined: 12 September 18
#1
Bug  20 October 20, 07:41
Quote:
[Image: image3-1.png]

In 2018, researchers at Cisco Talos published a post on the spyware GravityRAT, used to target the Indian armed forces. The Indian Computer Emergency Response Team (CERT-IN) first discovered the Trojan in 2017. Its creators are believed to be Pakistani hacker groups. According to our information, the campaign has been active since at least 2015, and previously targeted Windows machines. However, it underwent changes in 2018, with Android devices being added to the list of targets.

Malicious guide

In 2019, on VirusTotal, we encountered a curious piece of Android spyware which, when analyzed, seemed connected to GravityRAT. The cybercriminals had added a spy module to Travel Mate, an Android app for travelers to India, the source code of which is available on Github.

The attackers used a version of the app published on Github in October 2018, adding malicious code and changing the name to Travel Mate Pro.The spyware’s functions are fairly standard: it sends device data, contact lists, e-mail addresses, and call and text logs to the C&C server. In addition, the Trojan searches for files in the device memory and on connected media with the extensions .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx, and .opus, and sends these to C&C as well.

The malware does not resemble a “typical” Android spy in that the choice of app is rather specific and the malicious code is not based on that of any known spyware app, as is often the case. As such, we decided to look for connections with known APT families.

The simplest thing to do is to check the C&C addresses used by the Trojan:
  • nortonupdates[.]online:64443
  • nortonupdates[.]online:64443
As it turned out, n3.nortonupdates[.]online:64443 was used by another piece of malware to download data about files found on the computer (.doc, .ppt, .pdf, .xls, .docx, .pptx, .xlsx) together with data about the infected machine. With the aid of Threat Intelligence, we found this malware: a malicious PowerShell script called Enigma.ps1 that executes C# code.
...
Continue Reading
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
QOwnNotes
26.6.2 Fixed cust...Kool — 12:18
Mozilla Firefox Browser 151.0.3
Mozilla Firefox Br...harlan4096 — 12:05
Intel lists Xe3p GPU architecture for “N...
Xe3P also listed f...harlan4096 — 06:18
NVIDIA announced RTX Spark chip for Wind...
NVIDIA confirms RT...harlan4096 — 06:17
AMD News - COMPUTEX 2026
AMD details Fidelity...harlan4096 — 06:16

[-]
Birthdays
Today's Birthdays
avatar (51)nteriageda
Upcoming Birthdays
avatar (42)tapedDow
avatar (48)BrantgoG
avatar (50)eapedDow
avatar (47)Carlosskake
avatar (49)rapedDow
avatar (44)Johnsonsyday
avatar (49)Groktus
avatar (41)efodo
avatar (39)Tedscolo
avatar (46)brakasig
avatar (51)smudloquask
avatar (46)benchJem
avatar (45)JamesReshy
avatar (47)Francisemefe
avatar (40)leoniDup
avatar (39)Patrizaancem
avatar (39)biobdam
avatar (42)zacforat
avatar (47)NemrokReks
avatar (50)Jasoncedia
avatar (38)Barrackleve
avatar (40)Julioagopy
avatar (50)aolaupitt2558
avatar (48)vadimTob
avatar (38)leannauu4
avatar (40)storoBox
avatar (48)kinotHeemn
avatar (39)Ceballos1976
avatar (40)efynu
avatar (32)horancos

[-]
Online Staff
There are no staff members currently online.

>