GravityRAT is a remote access tool (RAT) that has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author: "TheMartian" and "The Invincible." According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organizations and entities in India. [1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | GravityRAT collects various information via WMI requests, including CPU information in the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed).[1] |
| Enterprise | T1025 | Data from Removable Media | GravityRAT steals files based on an extension list if a USB drive is connected to the system.[1] |
| Enterprise | T1005 | Data from Local System | GravityRAT steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | GravityRAT executes commands remotely on the infected host.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | GravityRAT uses HTTP for C2.[1] |
| Enterprise | T1083 | File and Directory Discovery | GravityRAT collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.[1] |
| Enterprise | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | The author of GravityRAT submitted samples to VirusTotal for testing, showing that the author modified the code to try to hide the DDE object in a different part of the document.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | GravityRAT supports file encryption (AES with the key "lolomycin2017").[1] |
| Enterprise | T1082 | System Information Discovery | GravityRAT collects the MAC address, computer name, and CPU information.[1] |
| Enterprise | T1033 | System Owner/User Discovery | GravityRAT collects the victim username along with other account information (account type, description, full name, SID and status).[1] |
| Enterprise | T1124 | System Time Discovery | GravityRAT can obtain the date and time of a system.[1] |
| Enterprise | T1007 | System Service Discovery | GravityRAT has a feature to list the available services on the system.[1] |
| Enterprise | T1049 | System Network Connections Discovery | GravityRAT uses the |
| Enterprise | T1016 | System Network Configuration Discovery | GravityRAT collects the victim IP address, MAC address, as well as the victim account domain name.[1] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | GravityRAT uses WMI to check the BIOS and manufacturer information for strings like "VMWare", "Virtual", and "XEN", and another WMI request to get the current temperature of the hardware, to determine if it is running in a virtual machine environment.[1] |
| Enterprise | T1057 | Process Discovery | GravityRAT lists the running processes on the system.[1] |
| Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | GravityRAT has been delivered via Word documents using DDE for execution.[1] |
| Enterprise | T1571 | Non-Standard Port | GravityRAT has used HTTP over a non-standard port, such as TCP port 46769.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | GravityRAT creates a scheduled task to ensure it is re-executed every day.[1] |
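As an added, defender-side illustration (not code from this ATT&CK page or from GravityRAT itself): a small Python scorer that maps constructed endpoint telemetry to the technique IDs in the table above and flags a host once several of them co-occur. The event schema, the WMI classes assumed for the BIOS/manufacturer and temperature checks, and the set of "standard" web ports are assumptions made for the example.

```python
import os
import re

# Constructed sample telemetry in a simplified, assumed Sysmon-like schema.
SAMPLE_EVENTS = [
    {"type": "wmi_query", "query": "SELECT Manufacturer FROM Win32_BIOS"},
    {"type": "wmi_query", "query": "SELECT ProcessorId, Name FROM Win32_Processor"},
    {"type": "wmi_query", "query": "SELECT CurrentTemperature FROM MSAcpi_ThermalZoneTemperature"},
    {"type": "net_connect", "proto": "tcp", "dst_port": 46769},
    {"type": "net_connect", "proto": "tcp", "dst_port": 443},
    {"type": "process", "cmdline": "schtasks /create /sc daily /tn Sync /tr C:\\Users\\u\\s.exe"},
    {"type": "file_read", "path": "E:\\plans.docx", "removable": True},
    {"type": "file_read", "path": "C:\\Users\\u\\notes.txt", "removable": False},
]

# WMI classes a BIOS/manufacturer/temperature check would read (assumed;
# the page names the strings searched for, not the classes queried).
VM_CHECK_CLASSES = ("win32_bios", "win32_computersystem", "msacpi_thermalzonetemperature")
TARGET_EXTS = {".docx", ".doc", ".pptx", ".ppt", ".xlsx", ".xls", ".rtf", ".pdf"}
STANDARD_WEB_PORTS = {80, 443, 8080, 8443}
SCHTASKS_DAILY = re.compile(r"schtasks(\.exe)?\s+/create\b.*\s/sc\s+daily\b", re.I)

def classify(event):
    """Return the set of ATT&CK IDs from the table above that one event matches."""
    hits = set()
    kind = event["type"]
    if kind == "wmi_query":
        query = event["query"].lower()
        if "win32_processor" in query:
            hits.add("T1047")  # CPU details collected via WMI
        if any(cls in query for cls in VM_CHECK_CLASSES):
            hits.add("T1497.001")  # BIOS/manufacturer/temperature VM checks
    elif kind == "net_connect" and event["proto"] == "tcp" and event["dst_port"] not in STANDARD_WEB_PORTS:
        hits.add("T1571")  # e.g. HTTP C2 over TCP 46769
    elif kind == "process" and SCHTASKS_DAILY.search(event["cmdline"]):
        hits.add("T1053.005")  # daily scheduled task for persistence
    elif kind == "file_read" and os.path.splitext(event["path"])[1].lower() in TARGET_EXTS:
        hits.add("T1025" if event.get("removable") else "T1005")  # document theft
    return hits

def score_host(events, threshold=3):
    """Union the per-event hits; flag the host at `threshold` distinct techniques."""
    techniques = set()
    for event in events:
        techniques |= classify(event)
    return {"techniques": sorted(techniques), "flagged": len(techniques) >= threshold}
```

Any single hit (a daily scheduled task, a Win32_Processor query) is common on clean hosts; the value is in the union across a short window, which is why `score_host` only flags at a threshold.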