GravityRAT

December 21, 2023 · View on GitHub

ID	X0032
Type	Remote Access Trojan
Aliases	None
Platforms	Windows
Year	2018
Associated ATT&CK Software	GravityRAT

GravityRAT

GravityRAT evades detection by checking current CPU temperature.

ATT&CK Techniques

Name	Use
Discovery::Account Discovery (T1087)	GravityRAT gets session user name. [4]

See ATT&CK: GravityRAT - Techniques Used.

Enhanced ATT&CK Techniques

Name	Use
Defense Evasion::Hijack Execution Flow::Abuse Windows Function Calls (F0015.006)	GravityRAT abuses Microsoft's Dynamic Data Exchange (DDE) protocol. [2]
Discovery::File and Directory Discovery (E1083)	GravityRAT enumerates files on Windows. [4]

MBC Behaviors

Name	Use
Anti-Behavioral Analysis::Virtual Machine Detection (B0009)	The malware checks the system temperature by recording thermal readings for detecting VMs. Heat levels indicate whether the system is a VM. [1]
Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check - BIOS (B0009.024)	The malware creates a WMI request to identify the BIOS version. [1]
Cryptography::Encrypt Data::AES (C0027.001)	GravityRAT v3 supports AES file encryption. [2]
Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check (B0009.023)	The malware checks if the manufacturer field in the Win32_Computer entry (in WMI) contains "Virtual", "Vmware", or "Virtualbox." [2]
Anti-Behavioral Analysis::Virtual Machine Detection::Modern Specs Check - Processor count (B0009.018)	GravityRAT determines the machine to be a VM if the core count is 1. [2]
Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check - MAC Address (B0009.028)	GravityRAT checks if the MAC address starts with a well-known hexadecimal number used by various VM developer. [2]
Command And Control::C2 Communication::Receive Data (B0030.002)	GravityRAT receives data. [4]
File System::Create Directory (C0046)	GravityRAT creates directories. [4]
File System::Delete File (C0047)	GravityRAT deletes files. [4]
File System::Read File (C0051)	GravityRAT reads files on Windows. [4]
File System::Write File (C0052)	GravityRAT writes files on Windows. [4]
Process::Suspend Thread (C0055)	GravityRAT suspends threads. [4]
Process::Terminate Process (C0018)	GravityRAT terminates processes. [4]

Indicators of Compromise

SHA256 Hashes

c39270febb9097def21777c994d10738ba2a915c88f516fb1e896e5d7240cc0d
71264d9c67800d3bedc6facb6915e855f7531c12445af58f47167e81c735c892
99dd67915566c0951b78d323bb066eb5b130cc7ebd6355ec0338469876503f90

References

[1] https://www.hackread.com/gravityrat-malware-evades-detection-targets-india/

[2] https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html

[3] https://securelist.com/gravityrat-the-spy-returns/99097/

[4] capa v4.0, analyzed at MITRE on 10/12/2022