GravityRAT

GravityRAT is a notorious Trojan malware that has been used in various cyberattacks, including those targeting military systems. Initially designed for Windows, it has evolved over time to target Android devices as well. The malware uses stolen developer certificates to bypass security measures such as Gatekeeper and tricks users into installing what appears to be legitimate software. Once installed, GravityRAT can upload Office files, take automatic screenshots, record keyboard logs, and even check the CPU temperature of the infected system. This latter capability was previously identified by security researchers at Talos, who noted that while this technique primarily detects virtual machines, some physical systems were also mistakenly identified as virtual due to their lack of support for the WMI query. In recent years, GravityRAT has continued to evolve and expand its reach. In 2019, the group behind GravityRAT developed the HeavyLift malware loader and Android versions of the Trojan for targeting mobile devices. More recently, the spyware has been linked to attacks on entities like the European Investment Bank and UPS Canada, and a California pensioners' fund. It's also been spread through a new Android malware campaign. The malware often masquerades as a legitimate Android application download link, effectively tricking users into installing it. The latest development in the GravityRAT saga involves its use to exfiltrate victims' WhatsApp backups. In June, ESET researchers revealed that an updated version of the Android GravityRAT spyware was being spread through free messaging apps called BingeChat and Chatico. The intention behind this activity appears to be data collection for later analysis. Despite the extensive tracking and research into GravityRAT, the threat actor behind it remains unknown, although ESET researchers internally refer to the group as SpaceCobra.