GravityRAT is a remote access trojan that has been targeting government agencies and military organizations since 2016.
This malware originated as a Windows-only threat but has evolved into a cross-platform tool that can attack Windows, Android, and macOS systems. It spreads through fake apps and deceptive emails, making the danger hard for ordinary users to spot.
The malware operates by masquerading as legitimate software, such as messaging apps or file-sharing tools. When someone downloads and opens these fake apps, GravityRAT secretly installs itself on their device.
The malware then begins collecting sensitive information, including documents, photos, messages, and WhatsApp backups. The stolen data is sent to the attackers, who control the malware from remote servers.
Any.Run analysts identified that GravityRAT uses clever tricks to avoid getting caught by security tools. The malware checks if it is running inside a security testing environment by measuring the computer’s CPU temperature.
Most analysis environments run inside virtual machines that cannot report temperature readings, so the malware knows when it is being analyzed and stops working to hide its true behavior.
The threat mainly targets Indian government workers, military staff, and defense contractors, though it has also attacked educational institutions and businesses.
Between 2016 and 2018, approximately 100 infections were reported among defense and police personnel in India. Recent attacks from 2022 to 2024 indicate that hackers remain active and continue to refine their methods.
Advanced Evasion Techniques
GravityRAT is notable for its ability to evade security systems. The malware performs seven checks to determine whether it is running on a real computer or within a virtual testing environment.
These checks include examining the computer’s BIOS version, searching for evidence of virtualization software, counting the number of CPU cores, and verifying MAC addresses associated with virtual systems.
The most effective of these checks uses Windows Management Instrumentation (WMI) to read the CPU temperature. The malware queries the MSAcpi_ThermalZoneTemperature class to obtain the temperature reading.
Popular virtualization platforms such as Hyper-V, VMware Fusion, VirtualBox, KVM, and Xen do not expose this class, so the query fails and returns an error.
When GravityRAT encounters these errors, it detects that it is being tested and shuts down before revealing its malicious code.
This makes it very difficult for security researchers to study the malware using standard tools.
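The check described above, seen from the analyst's side: this PowerShell function (an added example, not code from the article or from the malware) tells a sandbox operator whether an analysis VM exposes the thermal zone class, and therefore whether it would be classified as a test environment by this check. The function name is mine; run it elevated, because an access-denied error on a physical host would otherwise look like a failed query.

```powershell
# Added example (not from the article): does this host expose the WMI class
# that GravityRAT queries for CPU temperature? Run on the analysis VM, elevated.
function Test-ThermalZoneVisible {
    try {
        $zones = Get-CimInstance -Namespace 'root/wmi' `
            -ClassName 'MSAcpi_ThermalZoneTemperature' -ErrorAction Stop
    } catch {
        # Hyper-V, VMware, VirtualBox, KVM and Xen guests typically land here.
        Write-Output "MSAcpi_ThermalZoneTemperature unavailable: $($_.Exception.Message)"
        Write-Output "Result: this host would be classified as a test environment."
        return $false
    }
    if (-not $zones) {
        # Class present but no instances: the malware's query still yields nothing.
        Write-Output "Query succeeded but returned no thermal zones."
        Write-Output "Result: this host would be classified as a test environment."
        return $false
    }
    foreach ($z in $zones) {
        # CurrentTemperature is reported in tenths of a Kelvin.
        $celsius = ($z.CurrentTemperature - 2732) / 10
        Write-Output ("{0}: {1:N1} C" -f $z.InstanceName, $celsius)
    }
    Write-Output "Result: thermal data visible; this host passes the temperature check."
    return $true
}

Test-ThermalZoneVisible
```

A VM that returns $false here will never show the malware's second-stage behaviour, so detonation of a suspected sample needs a host (or a VM configuration) where this query succeeds.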
Once the malware confirms that it is on a real system, it creates scheduled tasks to run automatically at system startup. This gives the malware long-term access to the infected device.
On Android devices, GravityRAT disguises itself as applications with names such as “Speak Freely,” “BingeChat,” or “Chatico” that purport to offer secure messaging.
These fake apps collect phone data, including SIM card details, SMS messages, call logs, and files with extensions such as .jpg, .pdf, and .txt.
The stolen information is packaged into ZIP files and transmitted to command-and-control servers via encrypted HTTPS connections.
The attackers use a tool called GravityAdmin to manage all infected devices from one place, letting them control multiple attack campaigns with codenames like FOXTROT, CLOUDINFINITY, and CHATICO. This organized approach indicates that GravityRAT is operated by skilled groups with clear objectives and resources.