Cisco Talos - new malware identified
April 2018 by Cisco Talos
Today, Cisco Talos revealed that it has uncovered a new piece of malware that has remained under the radar for the past two years while continuing to be developed.
Several weeks ago, Talos identified the use of the latest version of this RAT (Remote Access Tool). In its blog post, Talos discusses the technical capabilities, evolution, development and potential attribution of the malware, which it is calling GravityRAT.
GravityRAT has been under ongoing development for at least 18 months, during which the developer has implemented new features: file exfiltration, remote command execution capability and anti-VM techniques have all been added over the life of GravityRAT. This consistent evolution beyond standard remote code execution is concerning because it shows determination and innovation on the part of the actor.
Throughout its investigation, Talos observed several malicious documents used to attack victims. The developer used these same documents to run several tests on the popular analysis platform VirusTotal, and the results allowed the developer to make changes in an attempt to decrease antivirus detection.