SecureMac, Inc.

GravityRAT Windows malware has new macOS variant

October 20, 2020

Security researchers have just announced the discovery of Android and macOS variants of GravityRAT, a Windows spyware threat that’s been around since at least 2016.

Background to GravityRAT

GravityRAT is a spyware tool that allows bad actors to access an infected system remotely. It arrives disguised as a legitimate app, but contains malicious components that help the bad guys compromise any user who installs it. The developers of GravityRAT are still unknown, but analysts suspect that Pakistani APT groups are behind the spyware, noting that many of its targets have been members of Indian organizations (including military organizations). The earliest versions of the malware were designed to attack Windows platforms only, with Android-specific variants being introduced in 2018.

What’s new?

This week, security researchers at Kaspersky published an analysis of several malware samples that they’ve been examining for some time now.

These malware samples bear similarities to previously documented versions of GravityRAT, including shared Command and Control (C&C) servers and similar malicious components. According to the researchers, the malware itself hasn’t changed all that much, with one important exception: “The main modification seen in the new GravityRAT campaign is multiplatformity: besides Windows, there are now versions for Android and macOS.”

What can GravityRAT do?

GravityRAT is spyware, and so its main function is to collect and exfiltrate data from an infected device.

GravityRAT’s various modules can perform a number of different malicious activities: gathering system information and information about running processes; searching for specific file types and uploading them to a remote server; logging keystrokes and taking screenshots; accessing contact and messaging data; and executing commands on an infected system.

How can I stay safe?

At the moment, GravityRAT appears to be targeted at users in the APAC region. However, it is under active development and its creators are clearly attempting to extend its functionality (including the ability to infect macOS systems). It would therefore be prudent for all users to take the malware seriously as a potential threat, and to understand how it is spread — as well as how to avoid infection.

In the past, the bad actors behind GravityRAT would often distribute their spyware by sending links to malicious apps directly to their targets. For macOS users, this is something of a “silver lining”, in that they can protect themselves by following a few app safety best practices:

1. Only download apps from the Mac App Store or from the official website of an app developer you know and trust.

2. Never attempt to install “cracked” (pirated) macOS apps, as this is a frequent infection vector for macOS malware. If you’re on a budget but really need the functionality provided by a paid app, look into open-source alternatives instead.

3. Pay attention to the security notifications provided by macOS. If your Mac tells you that it can’t verify an app’s developer or check an app for malicious software, it’s generally best not to launch it.

4. Be wary of any links and attachments that come from unknown senders. General rule: If you don’t know where it came from, assume that it could be malicious.

5. If you’re unsure of how to handle a file, or don’t know whether or not it’s safe to open, ask for help.
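The Gatekeeper warning mentioned in step 3 can also be requested by hand before an app is ever launched. The script below is an added example, not part of the SecureMac article and not a SecureMac tool: it wraps Apple’s spctl(8) and codesign(1) utilities to report whether Gatekeeper would allow an app bundle to run and who signed it. The app path it takes is an assumed placeholder, and the spctl/codesign calls only work on macOS; the bundle classification logic is plain POSIX sh.

```shell
#!/bin/sh
# Added example (not from the SecureMac article): ask Gatekeeper directly whether
# it would let an app bundle run, and show who signed it, before double-clicking it.
# The spctl/codesign calls require macOS; the classification itself is plain sh.

# Classify an app bundle. Prints exactly one word:
#   not-an-app-bundle  - path does not end in .app          (returns 2)
#   missing            - no such directory                  (returns 2)
#   spctl-unavailable  - not running on macOS               (returns 3)
#   rejected           - Gatekeeper would block the launch  (returns 1)
#   accepted           - Gatekeeper would allow the launch  (returns 0)
gatekeeper_assess() {
    app="$1"
    case "$app" in
        *.app) ;;
        *) echo "not-an-app-bundle"; return 2 ;;
    esac
    if [ ! -d "$app" ]; then
        echo "missing"; return 2
    fi
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl-unavailable"; return 3
    fi
    # --type execute asks the same policy question Gatekeeper asks at launch time.
    if spctl --assess --type execute "$app" >/dev/null 2>&1; then
        echo "accepted"; return 0
    fi
    echo "rejected"; return 1
}

# Print the signing details the Gatekeeper dialog summarises: the certificate
# Authority chain, the developer Team ID and the bundle identifier. codesign
# writes these to stderr, hence the redirect.
describe_signer() {
    app="$1"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign-unavailable"; return 3
    fi
    codesign --display --verbose=4 "$app" 2>&1 |
        grep -E '^(Authority|TeamIdentifier|Identifier)='
}

# Usage: sh check_app.sh /Applications/Example.app   (placeholder path)
if [ -n "${1:-}" ]; then
    verdict=$(gatekeeper_assess "$1")
    echo "Gatekeeper verdict for $1: $verdict"
    describe_signer "$1"
fi
```

An app that prints `rejected`, or whose Authority chain does not end in an Apple root, is exactly the case the macOS prompt in step 3 is warning about; the safe choice is to leave it unlaunched.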
