GravityRAT

Malware Profile Updated a month ago
GravityRAT is a notorious Trojan that has been used in a range of cyberattacks, including attacks on military systems. Initially written for Windows, it has since evolved to target Android devices as well. The malware has used stolen developer certificates to bypass security controls such as Gatekeeper and tricks users into installing what appears to be legitimate software. Once installed, GravityRAT can upload Office files, take screenshots automatically, log keystrokes, and even check the CPU temperature of the infected system. This last capability was first documented by security researchers at Talos, who noted that although the technique is primarily an attempt to detect virtual machines, some physical systems were also misidentified as virtual because they did not support the WMI query.

In recent years GravityRAT has continued to evolve and broaden its reach. In 2019 the group behind it developed the HeavyLift malware loader and Android versions of the Trojan for targeting mobile devices. More recently the spyware has been linked to attacks on entities such as the European Investment Bank, UPS Canada, and a California pensioners' fund, and it has been spread through a new Android malware campaign in which the malware masquerades as a download link for a legitimate Android application, tricking users into installing it.

The latest development is the use of GravityRAT to exfiltrate victims' WhatsApp backups. In June, ESET researchers revealed that an updated version of the Android GravityRAT spyware was being distributed through free messaging apps called BingeChat and Chatico. The intent appears to be data collection for later analysis. Despite extensive tracking and research, the threat actor behind GravityRAT remains unknown, although ESET researchers internally refer to the group as SpaceCobra.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID (votes): Profile Description
Spacecobra (3 votes): SpaceCobra is a malware group known for its malicious software activities, which have been ongoing since at least 2015. The group is linked to the BingeChat and Chatico campaigns and has revived the GravityRAT malware with enhanced functionalities. This updated version of GravityRAT allows SpaceCobr
Bingechat (3 votes): BingeChat is a malware that has been active since August 2022, distributed under the guise of the messaging apps BingeChat and Chatico. The malicious software was first identified in June 2022 as an updated version of an Android remote access trojan known as GravityRAT, which was found to be masquer
Chatico (2 votes): Chatico is a malicious software (malware) that was discovered to be part of a targeted cyber threat campaign since June 2022. The malware, based on the OMEMO Instant Messenger app, was trojanized with GravityRAT, a notorious Android remote access trojan. The group behind this threat employed a fraud
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Android
WhatsApp
Malware
Windows
Trojan
Spyware
macOS
India
Facebook
ESET
MOVEit
Decoy
Payload
Loader
APT
GBHackers
Malware Loader
Backdoor
GitHub
Associated Malware
ID (type, votes): Profile Description
Android Gravityrat (type unspecified, 5 votes): Android GravityRAT is a malicious software (malware) known for its ability to infiltrate and damage systems. ESET researchers have identified an updated version of this malware being distributed through the messaging apps BingeChat and Chatico, as well as trojanized versions of the legitimate open-s
android/spy.gravity.a Gravityrat (type unspecified, 1 vote): None
Associated Threat Actors
ID (type, votes): Profile Description
Cosmic Leopard (type unspecified, 1 vote): "Cosmic Leopard" is a threat actor identified by Cisco Talos, which has been targeting Indian officials with Trojans since 2016. The group began operations using GravityRAT, a type of malware first identified by Talos in 2018. Cosmic Leopard's primary tools include Windows and Android malware called
Bahamut (type unspecified, 1 vote): Bahamut is a threat actor group known for its sophisticated cyber-espionage operations, targeting primarily South Asia. Meta's Adversarial Threat Report from the first quarter of 2023 identified Bahamut as one of three major groups involved in cyber espionage operations in the region, alongside Patc
Bahamut Apt (type unspecified, 1 vote): The Bahamut Advanced Persistent Threat (APT) group, a threat actor known for its malicious activities, is currently conducting an active campaign targeting Android users. This mobile campaign uses the same method of distributing Android spyware apps via websites that impersonate legitimate services,
Associated Vulnerabilities
ID (type, votes): Profile Description
No associations to display
Source Document References
Information about the GravityRAT malware was read from the document corpus below. This display is limited to 20 results.
Source (created): Title
BankInfoSecurity (a month ago): Pakistan's 'Cosmic Leopard' Is Targeting India With RATs
DARKReading (a month ago): Pakistani APT 'Celestial Force' Spies on Indian Gov't, Defense Orgs
ESET (10 months ago): WeLiveSecurity
CERT-EU (10 months ago): Israel investigates potential breach of lawmakers’ phones
CERT-EU (a year ago): All the Mac malware we know about
CERT-EU (a year ago): Pakistan-based hackers target Indian Army, IITs; chat apps used, dangerous file names and more | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
BankInfoSecurity (a year ago): Breach Roundup: European Investment Bank Suffers Cyberattack
CERT-EU (a year ago): Security Incident Weekly Report 2023-06-12, Week 24 - 360CERT
Checkpoint (a year ago): 19th June – Threat Intelligence Report - Check Point Research
CERT-EU (a year ago): Android GravityRAT Spyware Steals WhatsApp Backup Files
CERT-EU (a year ago): Android GravityRAT Spyware Steals WhatsApp Backup Files | IT Security News
ESET (a year ago): Is a RAT stealing your files? – Week in security with Tony Anscombe | WeLiveSecurity
CERT-EU (a year ago): In Other News: Linux Kernel Exploits, Update on BEC Losses, Cybersecurity Awareness Act | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (a year ago): In Other News: Linux Kernel Exploits, Update on BEC Losses, Cybersecurity Awareness Act
Securityaffairs (a year ago): Updated Android spyware GravityRAT steals WhatsApp Backups
InfoSecurity-magazine (a year ago): New Version of Android GravityRAT Spyware Targets WhatsApp Backups
ESET (a year ago): Android GravityRAT goes after WhatsApp backups | WeLiveSecurity
CERT-EU (a year ago): Warning: GravityRAT Android Trojan Steals WhatsApp Backups and Deletes Files
MITRE (a year ago): GravityRAT - The Two-Year Evolution Of An APT Targeting India
MITRE (a year ago): OilRig targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE