'GravityRAT' Windows spyware modified to infect macOS, Android

A strain of malware called GravityRAT, known for spying on Windows machines, has been adapted to infect both Android and macOS devices, according to a new report.

Credit: Malcolm Owen, AppleInsider

Although most remote access trojans (RATs) target Windows devices, ones that affect Macs have surfaced from time to time. In the case of GravityRAT, it appears that the group responsible for the malware has introduced support for both the macOS and Android operating systems.

Security researchers at Kaspersky have discovered an updated strain of GravityRAT while analyzing an Android spyware app. During the analysis, the researchers identified a server used by two other malicious apps targeting Windows and macOS.

"Overall, more than 10 versions of GravityRAT were found, being distributed under the guise of legitimate applications, such as secure file sharing applications that would help protect users' devices from encrypting Trojans, or media players," the researchers wrote.

GravityRAT is spyware known for checking the CPU temperature of computers in an effort to detect whether it is running inside a virtual machine. Beyond that evasion check, the malicious code dropped by the RAT can be used for a range of cyber-espionage tasks.

According to Kaspersky, the trojan can allow attackers to send commands that get information about a system; search for files on a machine; intercept keystrokes; take screenshots; execute arbitrary shell commands; and get a list of running processes.

The researchers found apps written in Python, Electron, and .NET that will download GravityRAT payloads from a command and control server. From there, the malware adds scheduled tasks to gain persistence. Oftentimes, the malicious apps are clones of legitimate ones.
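One defensive check that the persistence behavior described above suggests, as an added example that is not from the article or from Kaspersky's report: a small Python audit of launchd job plists (assuming the macOS variant's "scheduled tasks" take the form of LaunchAgents/LaunchDaemons, which the article does not specify) that flags autostarting jobs running from hidden or temporary paths and beacon-like short timers. The sample plists, paths and labels are constructed for the demo.

```python
import plistlib

# Heuristic list of locations a persistent launchd job should not normally run from
# (an assumption made for this example, not something the article states).
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
AUTOSTART_KEYS = ("RunAtLoad", "StartInterval", "StartCalendarInterval", "KeepAlive")

def job_program(job: dict) -> str:
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    if "Program" in job:
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""

def audit_plist(raw: bytes) -> list:
    """Parse one LaunchAgent/LaunchDaemon plist; return findings (empty = nothing odd)."""
    job = plistlib.loads(raw)
    label = job.get("Label", "<no label>")
    prog = job_program(job)
    if not prog:
        return [f"{label}: no Program/ProgramArguments"]
    findings = []
    autostarts = any(k in job for k in AUTOSTART_KEYS)
    hidden = any(part.startswith(".") for part in prog.split("/") if part)
    if autostarts and (prog.startswith(SUSPICIOUS_PREFIXES) or hidden):
        findings.append(f"{label}: autostarting job runs from hidden or temporary path {prog}")
    interval = job.get("StartInterval")
    if isinstance(interval, int) and interval < 300:  # timers this tight look like a beacon, not an updater
        findings.append(f"{label}: short StartInterval of {interval}s")
    return findings

# Constructed sample plists for the demo (not real GravityRAT artifacts).
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
<key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

SUSPECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.softwareupdate.helper</string>
<key>ProgramArguments</key><array><string>/Users/alice/.cache/helper/svc</string></array>
<key>RunAtLoad</key><true/>
<key>StartInterval</key><integer>60</integer>
</dict></plist>"""

if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT):
        print(audit_plist(sample) or ["clean"])
```

On a real system the same function can be fed the contents of each plist under the LaunchAgents and LaunchDaemons directories; the heuristics are a starting point for triage, not a verdict.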

It's unclear who exactly developed and maintains the GravityRAT malware, though it's largely thought to be tied to Pakistani hacker groups who have used it to target Indian military and police organizations.

Who's at risk and how to protect yourself

Although researchers discovered about 100 successful attacks using GravityRAT between 2015 and 2018, it appears that most of these have been highly targeted.

For example, defense and police employees in India were tricked into installing a "secure messenger" via Facebook, The Times of India reported.

Kaspersky notes that the exact infection vector is unknown, but targets are likely being sent download links to the trojanized apps directly.

What that means in practice is that the average macOS user is likely safe from the RAT. Unless one is a target, security best practices such as avoiding shady links and only downloading apps from trusted app stores are likely enough to mitigate the threat.

Comments

  • Reply 1 of 11
    I’m using Kaspersky (complete protection 2020) as standard protection on all my macs, better safe than sorry :-) the performance impact is minimal.
    Speaking of course on my own systems that I’m using.
  • Reply 2 of 11
    lkrupp Posts: 9,315 member
    Adobe Flash will be the go-to choice for trojans IMHO. After Adobe kills it on 12/31/2020 there will be a deluge of fake Flash downloads and users will fall for it. The Apple Discussion Forums are rife with bitching about how Safari 14 no longer allows Flash. Users are determined to continue to use Flash for their old games and the few websites that still use it. They’ll get killed soon enough.

    Best defense for this is the usual one. Keep aware, be informed, and don’t accept downloads that you are not totally certain are legit
    edited October 2020
  • Reply 3 of 11
    Rayz2016 Posts: 6,834 member
    I’m using Kaspersky (complete protection 2020) as standard protection on all my macs, better safe than sorry :-) the performance impact is minimal.
    Speaking of course on my own systems that I’m using.
    If you’re using Kaspersky then I’m not sure “safe” is the word I’d use. 
  • Reply 4 of 11
    Rayz2016 said:
    I’m using Kaspersky (complete protection 2020) as standard protection on all my macs, better safe than sorry :-) the performance impact is minimal.
    Speaking of course on my own systems that I’m using.
    If you’re using Kaspersky then I’m not sure “safe” is the word I’d use. 
    Can you explain why please?
  • Reply 5 of 11
    MacPro Posts: 19,341 member
    I’m using Kaspersky (complete protection 2020) as standard protection on all my macs, better safe than sorry :-) the performance impact is minimal.
    Speaking of course on my own systems that I’m using.
    Yep, the Kremlin will call you and let you know when Kaspersky reports in.
  • Reply 6 of 11
    MacPro Posts: 19,341 member
    Rayz2016 said:
    I’m using Kaspersky (complete protection 2020) as standard protection on all my macs, better safe than sorry :-) the performance impact is minimal.
    Speaking of course on my own systems that I’m using.
    If you’re using Kaspersky then I’m not sure “safe” is the word I’d use. 
    Can you explain why please?
    Read the history of the company. The real history not the one Kaspersky has modified.
  • Reply 7 of 11
    MplsP Posts: 3,160 member
    lkrupp said:
    Adobe Flash will be the go-to choice for trojans IMHO. After Adobe kills it on 12/31/2020 there will be a deluge of fake Flash downloads and users will fall for it. The Apple Discussion Forums are rife with bitching about how Safari 14 no longer allows Flash. Users are determined to continue to use Flash for their old games and the few websites that still use it. They’ll get killed soon enough.

    Best defense for this is the usual one. Keep aware, be informed, and don’t accept downloads that you are not totally certain are legit
    We use scheduling software at work and they were using Flash up until a week and a half ago. They had a non-Flash version, but it had minimal functionality so you were forced to use the Flash site. Even now, the web site doesn't have all the functionality that the Flash version did. I imagine there are other companies out there that have been equally lazy and procrastinated with bringing their sites up to date.

    Unfortunately, the days of not needing anti virus/malware software for Macs are long gone. I've been using Sophos for several years now. Never had an issue that I know of but it's caught a bunch of stuff on my son's PC.
  • Reply 8 of 11
    Beats Posts: 2,444 member
    Apple should not be used in the same sentence as Windows and iKnockoffs.

    Apple get your sh** together!!!
  • Reply 9 of 11
    lkrupp said:
    Adobe Flash will be the go-to choice for trojans IMHO. After Adobe kills it on 12/31/2020 there will be a deluge of fake Flash downloads and users will fall for it. The Apple Discussion Forums are rife with bitching about how Safari 14 no longer allows Flash. Users are determined to continue to use Flash for their old games and the few websites that still use it. They’ll get killed soon enough.

    Best defense for this is the usual one. Keep aware, be informed, and don’t accept downloads that you are not totally certain are legit
    The Flash Install Manager will now prompt with an Uninstall message. Just make sure to quit your browsers before continuing or it will likely fail "cancelled".
  • Reply 10 of 11
    Rayz2016 said:
    I’m using Kaspersky (complete protection 2020) as standard protection on all my macs, better safe than sorry :-) the performance impact is minimal.
    Speaking of course on my own systems that I’m using.
    If you’re using Kaspersky then I’m not sure “safe” is the word I’d use. 
    Can you explain why please?
    It's a Russian company. Would you use Chinese or North Korean security software? I wouldn't.

    Company Headquarters: Moscow, Russia
    edited October 2020
  • Reply 11 of 11

    Rayz2016 said:
    I’m using Kaspersky (complete protection 2020) as standard protection on all my macs, better safe than sorry :-) the performance impact is minimal.
    Speaking of course on my own systems that I’m using.
    If you’re using Kaspersky then I’m not sure “safe” is the word I’d use. 
    Can you explain why please?

    Kaspersky bans and allegations of Russian government ties

     https://en.wikipedia.org/wiki/Kaspersky_bans_and_allegations_of_Russian_government_ties