Pulse Detail — Threat Intelligence

PULSE NAME

GravityRAT: The spy returns

WHITE AlienVault 2020-10-19 Modified: 2020-10-19

IOCs

HIGH VOLUME

In 2018, GravityRAT added Android devices to its list of targeted platforms. In 2019, on VirusTotal, Kaspersky Labs encountered a curious piece of Android spyware which, when analyzed, seemed connected to GravityRAT. The cybercriminals had added a spy module to Travel Mate, an Android app for travelers to India, the source code of which is available on Github.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1025 T1053.003 T1412 T1417 T1420 T1432 T1433 T1437 T1444 T1533 T1553.002

MALWARE FAMILIES

GravityRAT - S0237 Trojan.Win32.GravityRAT Trojan-Spy.Win32.GravityRAT Trojan-Spy.AndroidOS.Gravity Trojan-Spy.OSX.GravityRAT

Indicators of Compromise (80)

All FileHash-SHA256 URL FileHash-MD5 FileHash-SHA1 domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-SHA256	1060ab3241b3e62e89f5f4bae80664ad895b7c35f5a516bf2f83629c501e8d62	SHA256 of 285e6ae12e1c13df3c5d33be2721f5cd	2020-10-19
FileHash-SHA256	44bd4a5f338322e35e08dc666694da6fba56ec2c916de37cd69b51ef52fa4af3	SHA256 of 78506a097d96c630b505bd3d8fa92363	2020-10-19
FileHash-SHA256	5bb50eb2eea26890819e5de23660990e18389b6dc5e0f5cbbae8ae59585c9885	SHA256 of e202b3bbb88b1d32dd034e6c307ceb99	2020-10-19
URL	http://windowsupdates.eu:46769	—	2020-10-19
URL	http://download.enigma.net.in/90954349.php	—	2020-10-19
URL	http://nortonupdates.online:64443	—	2020-10-19
URL	http://msoftserver.eu:64443	—	2020-10-19
URL	http://download.savitabhabi.co.in/A5739ED5.php.	—	2020-10-19
URL	http://mozillaupdates.com:46769	—	2020-10-19
URL	http://n3.nortonupdates.online:64443	—	2020-10-19
FileHash-MD5	df1bf7d30a502e6388e2566ada4fe9c8	—	2020-10-19
FileHash-MD5	cceca8bca9874569e398d5dc8716123c	—	2020-10-19
FileHash-MD5	c0df894f72fd560c94089f17d45c0d88	—	2020-10-19
FileHash-MD5	092e4e29e784341785c8ed95023fb5ac	—	2020-10-19
FileHash-MD5	f8da7aaefce3134970d542b0e4e34f7b	—	2020-10-19
FileHash-MD5	6689ecf015e036ccf142415dd5e42385	—	2020-10-19
FileHash-MD5	30026aff23b83a69ebfe5b06c3e5e3fd	—	2020-10-19
FileHash-MD5	86c865a0f04b1570d8417187c9e23b74	—	2020-10-19
FileHash-MD5	9f6c832fd8ee8d8a78b4c8a75dcbf257	—	2020-10-19
FileHash-MD5	0c103e5d536fbd945d9eddeae4d46c94	—	2020-10-19
FileHash-MD5	1f484cdf77ac662f982287fba6ed050d	—	2020-10-19
FileHash-MD5	defcd751054227bc2dd3070e368b697d	—	2020-10-19
FileHash-MD5	0c26eb2a6672ec9cd5eb76772542eb72	—	2020-10-19
FileHash-MD5	7bd970995a1689b0c0333b54dffb49b6	—	2020-10-19
FileHash-MD5	c39ed8c194ccf63aab1db28a4f4a38b9	—	2020-10-19
FileHash-MD5	574bd60ab492828fada43e88498e8bd2	—	2020-10-19
FileHash-MD5	31f64aa248e7be0be97a34587ec50f67	—	2020-10-19
FileHash-MD5	b6af1494766fd8d808753c931381a945	—	2020-10-19
FileHash-MD5	f1e79d4c264238ab9ccd4091d1a248c4	—	2020-10-19
FileHash-MD5	285e6ae12e1c13df3c5d33be2721f5cd	—	2020-10-19
FileHash-MD5	c92a03ba864ff10b8e1ff7f97dc49f68	—	2020-10-19
FileHash-MD5	e202b3bbb88b1d32dd034e6c307ceb99	—	2020-10-19
FileHash-MD5	2b6e5eefc7c14905c5e8371e82648830	—	2020-10-19
FileHash-MD5	df6e86d804af7084c569aa809b2e2134	—	2020-10-19
FileHash-MD5	e73b4b2138a67008836cb986ba5cee2f	—	2020-10-19
FileHash-MD5	7bbf0e96c8893805c32aeffaa998ede4	—	2020-10-19
FileHash-MD5	ee06cfa7dfb6d986eef8e07fb1e95015	—	2020-10-19
FileHash-MD5	9d48e9bff90ddcae6952b6539724a8a3	—	2020-10-19
FileHash-MD5	78506a097d96c630b505bd3d8fa92363	—	2020-10-19
FileHash-MD5	3033a1206fcabd439b0d93499d0b57da	—	2020-10-19
FileHash-MD5	c7b8e65e5d04d5ffbc43ed7639a42a5f	—	2020-10-19
FileHash-MD5	ee3f0db517f0bb30080a042d3482ceee	—	2020-10-19
FileHash-SHA1	05cc5d489370ebd03df86189a67dbdf433ba2f2d	SHA1 of 285e6ae12e1c13df3c5d33be2721f5cd	2020-10-19
FileHash-SHA1	9d1d1d513e9d60adce64a49be9d61246e8cc061f	SHA1 of e202b3bbb88b1d32dd034e6c307ceb99	2020-10-19
FileHash-SHA1	7f5f3165304b1f26a21fc9de239d1833fdaeec30	SHA1 of 78506a097d96c630b505bd3d8fa92363	2020-10-19
domain	orangevault.net	—	2020-10-19
domain	chat2hire.net	—	2020-10-19
domain	gozap.co.in	—	2020-10-19
domain	titaniumx.co.in	—	2020-10-19
domain	cvstyler.co.in	—	2020-10-19
domain	enigma.net.in	—	2020-10-19
domain	click2chat.org	—	2020-10-19
domain	bollywoods.co.in	—	2020-10-19
domain	melodymate.co.in	—	2020-10-19
domain	teraspace.co.in	—	2020-10-19
domain	x-trust.net	—	2020-10-19
domain	savitabhabi.co.in	—	2020-10-19
domain	sharify.co.in	—	2020-10-19
domain	strongbox.in	—	2020-10-19
domain	wesharex.net	—	2020-10-19
hostname	ud04.microsoftupdate.in	—	2020-10-19
hostname	n3.nortonupdates.online	—	2020-10-19
hostname	nightly.windowsupdates.eu	—	2020-10-19
hostname	u03.msoftserver.eu	—	2020-10-19
hostname	u02.msoftserver.eu	—	2020-10-19
hostname	ud01.microsoftupdate.in	—	2020-10-19
hostname	dailybuild.mozillaupdates.com	—	2020-10-19
hostname	n1.nortonupdates.online	—	2020-10-19
hostname	sake.mozillaupdates.us	—	2020-10-19
hostname	u01.msoftserver.eu	—	2020-10-19
hostname	n2.nortonupdates.online	—	2020-10-19
hostname	zen.mozillaupdates.us	—	2020-10-19
hostname	gyzu.mozillaupdates.us	—	2020-10-19
hostname	n4.nortonupdates.online	—	2020-10-19
hostname	daily.windowsupdates.eu	—	2020-10-19
hostname	nightlybuild.mozillaupdates.com	—	2020-10-19
hostname	u04.msoftserver.eu	—	2020-10-19
hostname	chuki.mozillaupdates.us	—	2020-10-19
hostname	ud03.microsoftupdate.in	—	2020-10-19
hostname	ud02.microsoftupdate.in	—	2020-10-19

References (2)

↗ https://securelist.com/gravityrat-the-spy-returns/99097/ ↗ https://timesofindia.indiatimes.com/city/lucknow/pakistan-spy-lured-98-targets-with-bots/articleshow/69867201.cms