Researchers tracking the evolution of the remote access trojan GravityRAT warn that developers behind the malware have made key changes to the RAT’s code in an attempt to decrease antivirus detection.
“We’ve seen file exfiltration, remote command execution capability and anti-vm techniques added throughout the life of GravityRAT. This consistent evolution beyond standard remote code execution is concerning because it shows determination and innovation by the actor,” wrote Cisco Talos researchers Warren Mercer and Paul Rascagneres in a technical write-up posted last week.
For the past 18 months, Cisco Talos researchers said they have been tracking GravityRAT with the latest “G2” version spotted two weeks ago. The location of the developers, known as “The Invincible” and “TheMartian,” are unknown. However, researchers said documents used to test anti-virus detection via VirusTotal were submitted from Pakistan.
In August, the National Computer Emergency Response Team (CERT) of India warned that GravityRAT was being used in targeted attacks against India.
GravityRAT’s infection vector is typical: preying on those gullible enough to click on a Word .Docx email attachment and enable macros. By doing so, email recipients are shown a “Protected Document” that prompts targets to “prove that the user is not a robot” (similar to a CAPTCHA). Doing so triggers the infection sequence.
Stage one includes a renamed version of the Word .Docx file copied to the targeted system’s Temp directory as a ZIP archive. Next, the infection script decompresses the “temporary.zip” file and extracts an .EXE binary stored in it. Lastly, a third step includes creating a scheduled task, named “wordtest,” to execute the malicious file every day.
“With this approach, the attacker ensures that there is no direct execution (the executable is executed thanks to scheduled tasks), there’s no download of an additional payload, and finally, the author uses the fact that the .Docx format is an archive in order to include its executable (GravityRAT),” researchers said.
Once infected, GravityRAT targets the system’s basic user data and steals .Docx, .Doc, .PPTx, .PPT, .xlsx, .xls, .Rtf and .PDF files. This latest version of the RAT goes further and collects open ports on the victim’s system, lists all the running processes and steals files on any connected USB drive, researchers said.
The malware dates back December 2016 with early samples given the version name G1 and later G2. The latest GravityRAT, published in December 2017, is GX.
“This version is the most advanced variant of GravityRAT. Throughout the evolution, we saw this malware embedding open-source legitimate .NET libraries (for schedule tasks, compression, encryption, .NET loading). It contains a resource named ‘important.’ This is an archive with a password,” researchers said.
The RAT has been updated with seven anti-AV detection tools that try to determine if the system is running in a virtual machine environment – typically used by AV researchers. Tools include a virtual machine detection function that looks for a VM hypervisor. Another tool makes a Windows Management Instrumentation request to check the BIOS version. “If the response contains: ‘VMware’, ‘Virtual’, ‘XEN’, ‘Xen’ or ‘A M I’ the system is considered as a virtual machine,” according to Cisco Talos.
Malware attacks via malicious Microsoft Office documents may seem crude, but researchers argue they are still extremely effective and inexpensive compared to more sophisticated attacks. Over the years, the malicious document attacks have flourished, ranging from document files that drop the banking trojan Dridex, bots such as Kasidet, and Locky ransomware. Attackers working with the BlackEnergy APT group were also spotted using Word documents to drop payloads on Ukrainian users.
“This actor is probably not the most advanced actor we’ve seen,” Cisco Talos researchers said. The fatal error, they said, was that attackers did not take the time to obfuscate .NET code used in the malware. “The code was largely trivial to reverse engineer, which meant static analysis was an easy option for this piece of malware.”