
Updated Android GravityRAT Found Stealing WhatsApp Backup Files

An updated version of Android GravityRAT was found to have been distributed via BingeChat and Chatico messaging apps, since August 2022. While the BingeChat campaign is ongoing, the Chatico campaign is no longer active.

While the actors behind GravityRAT remain unknown, ESET researchers attribute the campaign to a group tracked as SpaceCobra. The threat actor is suspected to be based in Pakistan and was associated with attacks targeting military personnel in India.

Campaign overview

According to researchers, the malicious BingeChat app is distributed via "bingechat[.]net" and possibly other domains or distribution channels.
  • The app is a trojanized version of OMEMO IM, a legitimate open-source instant messaging app for Android.
  • The registration on the malicious app is invite-based, wherein the attackers require victims to enter valid credentials within a specific timeframe.
  • Once registration is successful, BingeChat requests permission to access contacts, location, phone, SMS, storage, call logs, camera, and microphone.

How GravityRAT is harmful

  • The new GravityRAT spyware exfiltrates WhatsApp backups, deletes all contacts, and deletes all call logs.
  • It steals media and document files in jpg, jpeg, log, png, PNG, JPG, JPEG, txt, pdf, xml, doc, xls, xlsx, and crypt32 formats.
  • The collected data is staged in text files on external storage, exfiltrated to the C2 server, and then removed from the victim's device.
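The chain described above (read targeted file types, stage a text file on external storage, contact a remote host, delete the staged file) can be turned into a simple behavioural triage heuristic. This is an added example, not Cyware's or ESET's code; the event format, paths and the package name "com.example.bingechat" are constructed stand-ins for Android file and network audit logs.

```python
# Added example (not Cyware's or ESET's code): behavioural triage for the
# GravityRAT-style chain described in the article. Event dicts are a
# constructed stand-in for Android file/network audit logs; field names,
# paths and "com.example.bingechat" are assumptions.
from collections import defaultdict

# File types the article lists as collected; matched case-insensitively so the
# upper-case variants (PNG, JPG, JPEG) are covered too.
TARGET_EXTS = {"jpg", "jpeg", "log", "png", "txt", "pdf", "xml",
               "doc", "xls", "xlsx", "crypt32"}
EXTERNAL_ROOT = "/storage/emulated/0/"  # assumed shared-storage mount point


def ext_of(path):
    """Return the lower-cased extension of a path, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(events):
    """Return package names whose events show the whole chain: read at least two
    targeted files, stage a .txt on external storage, talk to a remote host while
    a staged file exists, then delete that staged file."""
    state = defaultdict(lambda: {"read": set(), "staged": set(),
                                 "net": False, "deleted": False})
    for ev in events:
        s = state[ev["pkg"]]
        op, path = ev["op"], ev.get("path", "")
        if op == "read" and ext_of(path) in TARGET_EXTS:
            s["read"].add(path)
        elif op == "write" and path.startswith(EXTERNAL_ROOT) and ext_of(path) == "txt":
            s["staged"].add(path)
        elif op == "connect" and s["staged"]:
            s["net"] = True
        elif op == "delete" and path in s["staged"]:
            s["deleted"] = True
    return sorted(pkg for pkg, s in state.items()
                  if len(s["read"]) >= 2 and s["net"] and s["deleted"])


# Constructed events: one package behaving like the spyware, one benign gallery app.
EVENTS = [
    {"pkg": "com.example.bingechat", "op": "read",
     "path": EXTERNAL_ROOT + "WhatsApp/Databases/msgstore.db.crypt32"},
    {"pkg": "com.example.bingechat", "op": "read", "path": EXTERNAL_ROOT + "DCIM/IMG_001.JPG"},
    {"pkg": "com.example.bingechat", "op": "write", "path": EXTERNAL_ROOT + ".cache/upload.txt"},
    {"pkg": "com.example.bingechat", "op": "connect", "host": "c2.example.invalid"},
    {"pkg": "com.example.bingechat", "op": "delete", "path": EXTERNAL_ROOT + ".cache/upload.txt"},
    {"pkg": "com.example.gallery", "op": "read", "path": EXTERNAL_ROOT + "DCIM/IMG_001.JPG"},
]
```

Running `triage(EVENTS)` flags only the package that completes the whole chain; a gallery app that merely reads images is not reported.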

Conclusion

The return of GravityRAT shows that the operators behind the malware are active and are constantly updating the malware to launch more sophisticated attacks. Moreover, the new features are primarily designed to target mobile device users. Therefore, users must stay vigilant of apps downloaded from an untrusted or third-party source.
Cyware Publisher