GravityRAT

Malware Profile Updated 13 days ago
GravityRAT is a remote access Trojan that has been in use since at least 2015, notably in targeted attacks against India and its military. It has used stolen developer certificates to bypass security controls such as macOS Gatekeeper, deceiving users into installing what appears to be legitimate software. Once installed, GravityRAT can upload Office files, take screenshots automatically, and record keystrokes. It also checks the CPU temperature to detect virtual machines, a technique described earlier by security researchers at Talos. More recently, GravityRAT has been implicated in a series of cyberattacks across various sectors. In one week, it was used in an attack on the European Investment Bank, was related to a cyberattack on a California pensioners' fund, was associated with a data breach at UPS Canada, and was spotted in a new Android malware campaign. The updated version of this spyware targets WhatsApp backups, potentially compromising sensitive personal information; the campaign spreads the malware through free messaging apps named BingeChat and Chatico. The threat actor behind GravityRAT remains unidentified, but ESET researchers internally refer to the group as SpaceCobra. ESET has documented how the updated Android GravityRAT spyware is distributed and used to exfiltrate victims' WhatsApp backups, among other malicious actions. Despite ongoing efforts by cybersecurity researchers, GravityRAT continues to evolve and poses a significant threat to both individuals and organizations.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID (votes): Profile Description

Spacecobra (3 votes): SpaceCobra is a malicious actor known for its deployment of malware, notably the GravityRAT and Chatico campaigns. Active since at least 2015, SpaceCobra has continually evolved its tactics, enhancing the functionality of GravityRAT to exfiltrate WhatsApp Messenger backups and receive commands from

Bingechat (3 votes): BingeChat is a malware that has been active since August 2022, distributed under the guise of the messaging apps BingeChat and Chatico. The malicious software was first identified in June 2022 as an updated version of an Android remote access trojan known as GravityRAT, which was found to be masquer

Chatico (2 votes): Chatico is a malicious software (malware) that was discovered in 2022 to be based on the OMEMO Instant Messenger app, similar to another malware known as BingeChat. It was found to have been trojanized with an updated version of Android remote access trojan (RAT) called GravityRAT. The malware was d
Miscellaneous Associations
Other elements of context that could help in assessing relevance
Android
Whatsapp
Spyware
Malware
Trojan
Macos
Windows
Eset
Facebook
India
Associated Malware
ID (type, votes): Profile Description

Android Gravityrat (Unspecified, 4 votes): Android GravityRAT is a malicious software (malware) that targets Android devices, with the ability to exploit and damage systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt opera
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the GravityRAT malware was read from the document corpus below. This display is limited to 20 results.
Source (created at): Title

MITRE (a year ago): GravityRAT - The Two-Year Evolution Of An APT Targeting India
ESET (a year ago): Android GravityRAT goes after WhatsApp backups | WeLiveSecurity
Securityaffairs (a year ago): Updated Android spyware GravityRAT steals WhatsApp Backups
CERT-EU (a year ago): Warning: GravityRAT Android Trojan Steals WhatsApp Backups and Deletes Files
CERT-EU (a year ago): Meta Cracks Down on South Asian Cyberespionage Groups
CERT-EU (a year ago): Security Incident Weekly Report 2023-06-12, Week 24 - 360CERT
BankInfoSecurity (a year ago): Breach Roundup: European Investment Bank Suffers Cyberattack
CERT-EU (10 months ago): All the Mac malware we know about
MITRE (a year ago): OilRig targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE
ESET (a year ago): Is a RAT stealing your files? – Week in security with Tony Anscombe | WeLiveSecurity
ESET (8 months ago): WeLiveSecurity
CERT-EU (a year ago): Android GravityRAT Spyware Steals WhatsApp Backup Files | IT Security News
InfoSecurity-magazine (a year ago): New Version of Android GravityRAT Spyware Targets WhatsApp Backups
CERT-EU (a year ago): Android GravityRAT Spyware Steals WhatsApp Backup Files
CERT-EU (a year ago): In Other News: Linux Kernel Exploits, Update on BEC Losses, Cybersecurity Awareness Act
CERT-EU (a year ago): Pakistan-based hackers target Indian Army, IITs; chat apps used, dangerous file names and more | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (a year ago): Meta services are being used to spy on users from South Asia
CERT-EU (a year ago): Meta: Social media leveraged in widespread cyberespionage operations
CERT-EU (a year ago): In Other News: Linux Kernel Exploits, Update on BEC Losses, Cybersecurity Awareness Act | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Checkpoint (a year ago): 19th June – Threat Intelligence Report - Check Point Research