Malware comes in all shapes and sizes. Some strains copy and encrypt files. Others serve annoying ads.
Still others work quietly in the background, mining this or that cryptocurrency using your computer’s processing power to do it.
GravityRAT is a different sort of creature. It has been actively developed since at least 2015 by Pakistani hacker groups, and has been used primarily against military installations in India. As such, it’s not the sort of malware your IT staff is likely to have a face to face encounter with unless you’re doing contract work with the Indian military. It is interesting, however, and worth taking a closer look at.
GravityRAT was designed primarily to check the CPU temperature of Windows-based machines, and to detect the presence of sandboxes or virtual machines so that its controllers would know what type of environment they were operating in.
Recently though, security researchers at Kaspersky Lab discovered new strains of GravityRAT that are designed to work on both Android and Apple devices. The GravityRAT development team has also been quietly updating the capabilities of their malicious code.
As of the latest build, in addition to the two things above, the malware can:
- Generate a list of running process
- Log keystrokes
- Get basic system information
- Take screenshots at predefined intervals
- Scan ports
- Conduct searchers for certain file extensions
- Execute arbitrary shell commands
Out of all these, it is the last one that makes GravityRAT genuinely dangerous, as there are any number of exploits the hackers could use here. Clearly, the team is building toward a specific goal, but so far, we can only guess at what that goal might be.
In any case, the latest build of GravityRAT is much more robust than anything that’s come before it, and it’s a good bet that the team is getting close to whatever finish line they have set for themselves. After that, there’s no telling what they might use their new tool for.
