ESET researchers analyzed an updated version of Android GravityRAT spyware that steals WhatsApp backup files and can receive commands to delete files

ESET researchers have identified an updated version of Android GravityRAT spyware being distributed as the messaging apps BingeChat and Chatico. GravityRAT is a remote access tool known to be used since at least 2015 and previously used in targeted attacks against India. Windows, Android, and macOS versions are available, as previously documented by Cisco Talos, Kaspersky, and Cyble. The actor behind GravityRAT remains unknown; we track the group internally as SpaceCobra.

Most likely active since August 2022, the BingeChat campaign is still ongoing; however, the campaign using Chatico is no longer active. BingeChat is distributed through a website advertising free messaging services. The advertised features include Channels: people can make their own Channels to distribute content, users can follow the Channels of their preference, and creators can easily reach out to an unlimited number of followers through broadcast messages. Notable in the newly discovered campaign, GravityRAT can exfiltrate WhatsApp backups and receive commands to delete files. The malicious apps also provide legitimate chat functionality based on the open-source OMEMO Instant Messenger app.

Like BingeChat, Chatico is based on the OMEMO Instant Messenger app and trojanized with GravityRAT. Chatico was most likely distributed through the uk website and also communicated with a C&C server. The domains for both the website and C&C server are now offline.

From here on out, we will only focus on the active campaign using the BingeChat app, which has the same malicious functionality as Chatico.

The group behind the malware remains unknown, even though Facebook researchers attribute GravityRAT to a group based in Pakistan, as also previously speculated by Cisco Talos. We track the group internally under the name SpaceCobra, and attribute both the BingeChat and Chatico campaigns to this group. Typical malicious functionality for GravityRAT is associated with a specific piece of code that, in 2020, was attributed by Kaspersky to a group that uses Windows variants of GravityRAT. In 2021, Cyble published an analysis of another GravityRAT campaign that exhibited the same patterns as BingeChat, such as a similar distribution vector for the trojan masquerading as a legitimate chat app (in this case, SoSafe Chat), the use of the open-source OMEMO IM code, and the same malicious functionality. In Figure 6, you can see a comparison of malicious classes between the GravityRAT sample analyzed by Cyble and the new sample contained in BingeChat. Based on this comparison, we can state with high confidence that the malicious code in BingeChat belongs to the GravityRAT malware family.

Figure 6.

Figure 12. Victim data exfiltration to C&C server

Conclusion

Known to have been active since at least 2015, SpaceCobra has resuscitated GravityRAT to include expanded functionalities to exfiltrate WhatsApp Messenger backups and receive commands from a C&C server to delete files. Just as before, this campaign employs messaging apps as a cover to distribute the GravityRAT backdoor. According to ESET telemetry, a user in India was targeted by the updated Chatico version of the RAT, similar to previously documented SpaceCobra campaigns. The group behind the malware uses legitimate OMEMO IM code to provide the chat functionality for the malicious messaging apps BingeChat and Chatico. The BingeChat version is distributed through a website that requires registration, likely open only when the attackers expect specific victims to visit, possibly with a particular IP address, geolocation, custom URL, or within a specific timeframe. In any case, we believe the campaign is highly targeted.

IoCs

Files

SHA-1

Data is staged for exfiltration in the following places:
storage/emulated/0/bc/location.log

MITRE ATT&CK techniques

This table was built using version 13 of the MITRE ATT&CK framework.

Event Triggered Execution: Broadcast Receivers: GravityRAT receives the BOOT_COMPLETED broadcast intent to activate at device startup. GravityRAT functionality is triggered if one of these events occurs:
GravityRAT removes local files that contain sensitive information exfiltrated from the device.
GravityRAT lists available files on external storage.
GravityRAT extracts the IMEI, IMSI, IP address, phone number, and country.
GravityRAT extracts information about the device, including SIM serial number, device ID, and common system information.
Application Layer Protocol: Web Protocols: GravityRAT uses HTTPS to communicate with its C&C server.
GravityRAT exfiltrates files from the device.
GravityRAT removes files with particular extensions from the device, and deletes all user call logs and the contact list.
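As an added example (not ESET's code and not taken from the samples described), the following Python script triages a decompiled AndroidManifest.xml for the capability pattern listed in the MITRE ATT&CK section: a receiver registered for the BOOT_COMPLETED broadcast intent, plus the permissions an app needs to read external storage, collect phone identifiers, and delete call logs and contacts. The manifest is constructed for the example; the permission and intent-action strings are standard Android constants.

```python
# Added example: manifest triage for the GravityRAT capability pattern.
# The sample manifest below is constructed; it is not from a real sample.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Each permission maps to a behaviour from the ATT&CK mapping above.
PERMISSION_INDICATORS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "activation at device startup",
    "android.permission.READ_EXTERNAL_STORAGE": "listing/exfiltrating external storage files",
    "android.permission.READ_PHONE_STATE": "IMEI/IMSI/phone number collection",
    "android.permission.READ_CALL_LOG": "reading call logs",
    "android.permission.WRITE_CALL_LOG": "deleting call logs",
    "android.permission.READ_CONTACTS": "reading the contact list",
    "android.permission.WRITE_CONTACTS": "deleting the contact list",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

def triage_manifest(manifest_xml: str) -> dict:
    """Return matched permissions and receivers registered for BOOT_COMPLETED."""
    root = ET.fromstring(manifest_xml)
    findings = {"permissions": {}, "boot_receivers": []}
    for perm in root.iter("uses-permission"):  # element names are not namespaced
        name = perm.get(ANDROID_NS + "name")     # attribute names are
        if name in PERMISSION_INDICATORS:
            findings["permissions"][name] = PERMISSION_INDICATORS[name]
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            findings["boot_receivers"].append(receiver.get(ANDROID_NS + "name"))
    return findings

def risk_score(findings: dict) -> int:
    """One point per matched permission; one more when a boot receiver is backed by its permission."""
    score = len(findings["permissions"])
    if findings["boot_receivers"] and "android.permission.RECEIVE_BOOT_COMPLETED" in findings["permissions"]:
        score += 1
    return score

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    found = triage_manifest(SAMPLE_MANIFEST)
    print(found, "score:", risk_score(found))  # score: 5 for the constructed manifest
```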