GravityRAT is an Advanced Persistent Threat (APT) that allegedly targets India, the United States and the United Kingdom. GravityRAT uses Microsoft Word documents as its delivery medium. Once the user opens the document, it insists that macros be enabled, upon which it executes the zipped payload.
Once successfully executed, GravityRAT collects the MAC address, computer name, username, IP address and date, steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf and .pdf, and sends them to its command and control servers.
GravityRAT is written in .NET, which can easily be decompiled; the authors do not pay attention to code obfuscation, yet they place heavy emphasis on anti-VM techniques. These include registry key checks, WMI querying, MAC address checking, counting CPU cores and, notably and somewhat unusual, checking the temperature of the CPU, which is not supported by virtual machines and hence tells the malware that it is being analyzed.
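The practical consequence of the anti-VM list above is that an analysis VM which trips any of those checks never shows the malware's real behaviour. The following added example (written for this page, not GravityRAT's code nor a decompilation of it) replays the five checks named above against a constructed description of an analysis machine, so an analyst can see which signals would expose the sandbox before detonating a sample. The hypervisor MAC OUIs are public IEEE assignments; the registry keys, the "fewer than two cores" threshold and the WMI class `MSAcpi_ThermalZoneTemperature` (whose query fails with "not supported" on most hypervisors) are assumptions about how such checks are typically implemented, since the page does not name the exact keys or queries GravityRAT uses. Nothing here touches the live system; all inputs are passed in as a dict.

```python
"""Sandbox self-check replaying the anti-VM tests attributed to GravityRAT.

Added example, not GravityRAT code. Facts about the machine are supplied by
the caller (constructed in the usage block below); nothing queries the host.
"""
from dataclasses import dataclass
from typing import List

# Well-known OUIs assigned to hypervisor vendors (public IEEE assignments).
VM_MAC_OUIS = {
    "000569": "VMware", "000C29": "VMware", "001C14": "VMware", "005056": "VMware",
    "080027": "VirtualBox",
    "00155D": "Hyper-V",
}

# Guest-tooling registry keys. Assumed representative examples; the page does
# not list the keys GravityRAT actually queries.
VM_REGISTRY_KEYS = {
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools": "VMware Tools",
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions": "VirtualBox Guest Additions",
}

# Assumed threshold: many anti-VM routines treat a single core as suspicious.
MIN_EXPECTED_CORES = 2


def normalize_mac(mac: str) -> str:
    """Return the OUI (first six hex digits) of a MAC in any common spelling."""
    digits = "".join(ch for ch in mac.upper() if ch in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits[:6]


@dataclass
class Finding:
    check: str   # which of the page's five checks fired
    detail: str  # human-readable reason


def assess_environment(facts: dict) -> List[Finding]:
    """Replay each anti-VM check against constructed facts about a machine.

    Recognised keys (all optional):
      macs: iterable of MAC address strings
      cpu_cores: int
      registry_keys: iterable of registry key paths present on the machine
      thermal_zone_supported: bool, whether the WMI MSAcpi_ThermalZoneTemperature
          query returns data (physical hosts) or fails (most VMs)
      wmi_manufacturer / wmi_model: strings as returned by Win32_ComputerSystem
    """
    findings: List[Finding] = []

    # 1. MAC address check: vendor OUI belonging to a hypervisor.
    for mac in facts.get("macs", []):
        vendor = VM_MAC_OUIS.get(normalize_mac(mac))
        if vendor:
            findings.append(Finding("mac_oui", f"{mac} carries a {vendor} OUI"))

    # 2. CPU core count: analysis VMs are often provisioned with one core.
    cores = facts.get("cpu_cores")
    if cores is not None and cores < MIN_EXPECTED_CORES:
        findings.append(Finding("cpu_cores", f"only {cores} core(s) visible"))

    # 3. Registry key check: guest additions / tools leave keys behind.
    for key in facts.get("registry_keys", []):
        if key in VM_REGISTRY_KEYS:
            findings.append(Finding("registry", f"{VM_REGISTRY_KEYS[key]} key present"))

    # 4. CPU temperature: the thermal-zone WMI query is unsupported on VMs.
    if facts.get("thermal_zone_supported") is False:
        findings.append(Finding("cpu_temperature",
                                "MSAcpi_ThermalZoneTemperature query not supported"))

    # 5. WMI querying: manufacturer/model strings that name a hypervisor.
    for field in ("wmi_manufacturer", "wmi_model"):
        value = (facts.get(field) or "").lower()
        if any(tag in value for tag in ("vmware", "virtualbox", "virtual machine", "qemu", "kvm")):
            findings.append(Finding("wmi", f"{field} = {facts[field]!r}"))

    return findings


if __name__ == "__main__":
    # Constructed description of an unhardened VMware analysis VM.
    sandbox = {
        "macs": ["00:0c:29:aa:bb:cc"],
        "cpu_cores": 1,
        "registry_keys": [r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"],
        "thermal_zone_supported": False,
        "wmi_model": "VMware Virtual Platform",
    }
    for f in assess_environment(sandbox):
        print(f"[{f.check}] {f.detail}")
```

Each finding maps to one hardening step (spoofing the NIC OUI, giving the VM more cores, removing or renaming tooling keys, patching the reported manufacturer/model); the thermal-zone check is the hardest to satisfy, which is presumably why the page singles it out.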
GravityRAT signatures are as follows.
GravityRAT Sample Download
Download GravityRAT PCAP
The password of the zip is: infected