GravityRAT evolution

Target: India predominantly

Attack Vector: Backdoor Trojan installs GravityRAT

Summary: In August 2017 the NIC-CERT team (the National Informatics Centre team that manages cyber security incidents in India) released advisory notice NIC-CERT/2017-08/013 on a then little-known piece of malware called GravityRAT (a Remote Access Tool), which was not known to be targeting any specific individuals. GravityRAT has been developed through four iterations over the last 18 months, with many more tools added to its arsenal, including file exfiltration, remote command execution and anti-virus evasion techniques. The constant and determined evolution of this malware beyond standard remote access features indicates that it is now highly advanced, and it has been suggested that this is the work of an APT group.

Risk assessment summary: The threat is assessed as 3e MODERATE. If successful, this backdoor Trojan technique installs the GravityRAT malware on infected systems. Because of its advanced persistence and anti-virus evasion techniques, changes in system behaviour can be difficult to detect. GravityRAT can therefore lie undetected and steal documents in .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf and .pdf formats. It also gathers information on system type, network drives, MAC addresses, computer names and IP addresses.
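As an added illustration (not part of the advisory and not derived from any GravityRAT sample), the following Python script shows one defender-side check for the collection behaviour described above: it parses file-access log lines and flags any process that reads an unusual number of distinct documents of the listed types within a short window. The log format, process names, file paths, timestamps and the threshold are assumptions constructed for this example.

```python
"""Added example: flag processes that read many office/PDF documents in a
short window, the file types the advisory lists as exfiltration targets.
The log format, field names and sample lines below are constructed for
this illustration and do not come from any real product or incident."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Document types the advisory names as targets for theft.
TARGET_EXTENSIONS = {".docx", ".doc", ".pptx", ".ppt",
                     ".xlsx", ".xls", ".rtf", ".pdf"}

# Constructed log format (assumption):
#   "<ISO timestamp> pid=<n> image=<exe path> op=<read|write> path=<file>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) "
    r"op=(?P<op>\w+) path=(?P<path>.+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_target_doc(path):
    """True if the file has one of the document extensions listed above."""
    lower = path.lower()
    return any(lower.endswith(ext) for ext in TARGET_EXTENSIONS)


def find_document_sweeps(lines, window=timedelta(seconds=60), threshold=5):
    """Return {(pid, image): max_distinct_docs} for every process that read
    at least `threshold` distinct target documents inside any `window`."""
    reads = defaultdict(list)  # (pid, image) -> [(timestamp, path), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["op"] == "read" and is_target_doc(rec["path"]):
            reads[(rec["pid"], rec["image"])].append((rec["ts"], rec["path"]))

    flagged = {}
    for key, events in reads.items():
        events.sort()
        start = 0
        # Sliding window over the sorted timestamps, counting distinct files.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {p for _, p in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[key] = max(flagged.get(key, 0), len(distinct))
    return flagged


# Constructed sample: a word processor opens two documents an hour apart
# (benign), while an unexpected binary in a user profile reads six
# documents within 25 seconds (the pattern this check is meant to catch).
SAMPLE_LOG = [
    r"2019-03-04T09:00:00 pid=2280 image=C:\Program\WINWORD.EXE op=read path=C:\Users\alice\Documents\report.docx",
    r"2019-03-04T09:00:00 pid=4412 image=C:\Users\alice\AppData\Roaming\updater.exe op=read path=C:\Users\alice\Documents\budget.xlsx",
    r"2019-03-04T09:00:05 pid=4412 image=C:\Users\alice\AppData\Roaming\updater.exe op=read path=C:\Users\alice\Documents\report.docx",
    r"2019-03-04T09:00:10 pid=4412 image=C:\Users\alice\AppData\Roaming\updater.exe op=read path=C:\Users\alice\Documents\deck.pptx",
    r"2019-03-04T09:00:15 pid=4412 image=C:\Users\alice\AppData\Roaming\updater.exe op=read path=C:\Users\alice\Documents\notes.rtf",
    r"2019-03-04T09:00:20 pid=4412 image=C:\Users\alice\AppData\Roaming\updater.exe op=read path=C:\Users\alice\Documents\contract.pdf",
    r"2019-03-04T09:00:25 pid=4412 image=C:\Users\alice\AppData\Roaming\updater.exe op=read path=C:\Users\alice\Documents\old.doc",
    r"2019-03-04T09:00:30 pid=4412 image=C:\Users\alice\AppData\Roaming\updater.exe op=read path=C:\Users\alice\Documents\todo.txt",
    r"2019-03-04T10:00:00 pid=2280 image=C:\Program\WINWORD.EXE op=read path=C:\Users\alice\Documents\letter.docx",
    r"2019-03-04T10:00:02 pid=2280 image=C:\Program\WINWORD.EXE op=write path=C:\Users\alice\Documents\letter.docx",
]

if __name__ == "__main__":
    for (pid, image), count in find_document_sweeps(SAMPLE_LOG).items():
        print(f"pid {pid} ({image}) read {count} distinct documents within 60s")
```

The window and threshold are deliberately conservative; in practice they would be tuned per host role, and processes such as indexing or backup services would need an allow-list to keep the false-positive rate manageable.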

The risk is also heightened because the GravityRAT malware is suspected of being used by an APT group in a targeted attack against India and may be expanded or exploited by other actors in the future.