Research released Thursday by Cisco Talos, the company's threat intelligence and research unit, describes how a long-running cyber-espionage campaign against India was likely run by operators in Pakistan.
Researchers highlighted a stealthy remote access trojan, dubbed "GravityRAT," that has been used repeatedly against Indian organizations since at least 2016. Over that period the author of GravityRAT added new features and reworked existing capabilities to make the malware harder to detect. That work included making the malware multilingual, so that a phishing email carrying it stood a better chance of fooling speakers of Chinese, Italian, French, German or Spanish.
"The evolution shows us that the author is motivated," Talos security researcher Paul Rascagneres told CyberScoop. "In the latest version (GX) they implemented a lot of virtual machine detection. We can conclude they had some issues with VMs and/or sandboxes used by the targets with the previous versions of the RAT."
India's Computer Emergency Response Team (CERT-In) had previously published an advisory about GravityRAT, which, according to Talos, indicates that it targeted multiple Indian entities. The Indian CERT shared only limited details about the operation, however; it was not until Thursday that a more comprehensive account was made public.
“We’ve seen file exfiltration, remote command execution capability and anti-vm techniques added throughout the life of GravityRAT,” a blog post by Talos reads. “This consistent evolution beyond standard remote code execution is concerning because it shows determination and innovation by the actor.”
Researchers say the tool was built for delivery by phishing email. In most known cases the malicious payload was hidden inside a weaponized Microsoft Word document that asks the recipient to enable macros. Talos collected several lure documents and images, some of which pictured a group of Middle Eastern men in a bazaar.
"The decoy document does not help us to clearly identify the target profile," said Rascagneres. "However, the author tried to innovate from a social engineering point of view. He asked the target to enable macros to prove they were not a robot (like a CAPTCHA)."
Once installed, GravityRAT can exfiltrate large amounts of data very quickly from a compromised computer. It also scans for external hard drives or USB sticks connected to the victim's machine and pulls files from those as well. It is unclear how many people or organizations have been affected.
"This actor is probably not the most advanced actor we've seen. But he or she managed to stay under the radar since 2016," write Talos' Warren Mercer and Rascagneres. "Each new variant included new features. The developer used the same C2 infrastructure all this time. [And] the developer was clever enough to keep this infrastructure safe."
Talos was able to gain comprehensive insight into GravityRAT because one of its operators made a glaring operational security mistake.
On multiple occasions, the attacker uploaded the tool to VirusTotal, a public malware scanning service widely used by the security research community. Samples submitted there, together with their submission metadata, are available to the service's paying subscribers, which is why a developer testing a tool against it leaves a trail for analysts. These uploads carried identifiable metadata, such as submission timestamps and the submitter's geographic location. Examining some of this data from 2016 produced a name: "Adeel."
A cursory LinkedIn search for computer security professionals named Adeel who are currently based in Pakistan returns hundreds of people. The available research does not identify which, if any, of them is the author.
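As an added illustration (not Talos' analysis or data) of how submission metadata gives an uploader away: the script below takes a constructed set of VirusTotal-style upload records for one sample, each carrying only a UTC timestamp and a submitter country code, and reports which country dominates the uploads and which whole-hour UTC offset best lines them up with a 09:00 to 18:00 working day. The records, the working-hours window and the record layout are all assumptions made for this example; they are not a VirusTotal API schema.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data (not Talos' data): one tuple per upload of the same sample,
# as (submission time in UTC, submitter country code). The fields mirror what the
# article says the uploads carried; the layout is an assumption, not an API schema.
SUBMISSIONS = [
    ("2016-03-14T04:12:00Z", "PK"),
    ("2016-03-14T05:40:00Z", "PK"),
    ("2016-03-15T06:03:00Z", "PK"),
    ("2016-03-16T07:55:00Z", "PK"),
    ("2016-04-02T08:21:00Z", "PK"),
    ("2016-04-02T09:30:00Z", "IN"),   # a single upload from the target's side
    ("2016-05-11T10:47:00Z", "PK"),
    ("2016-05-11T11:05:00Z", "PK"),
    ("2016-06-20T12:59:00Z", "PK"),
]


def parse_submissions(records):
    """Turn (iso_timestamp, country) pairs into (aware UTC datetime, country) pairs."""
    out = []
    for ts, cc in records:
        dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append((dt, cc))
    return out


def country_histogram(subs):
    """Count uploads per submitter country."""
    return Counter(cc for _, cc in subs)


def infer_utc_offset(subs, work_start=9, work_end=18):
    """Whole-hour UTC offset under which the most uploads fall in local working hours.

    Returns (offset_hours, uploads_in_working_hours). An author who keeps testing
    builds during their own workday leaves a cluster of submissions that lines up
    with one timezone; a single upload would not support this inference.
    """
    best_offset, best_hits = None, -1
    for offset in range(-12, 15):
        hits = sum(1 for dt, _ in subs
                   if work_start <= (dt.hour + offset) % 24 < work_end)
        if hits > best_hits:
            best_offset, best_hits = offset, hits
    return best_offset, best_hits


def profile_uploader(records):
    """Summarise what the submission metadata alone says about the uploader."""
    subs = parse_submissions(records)
    top_cc, top_n = country_histogram(subs).most_common(1)[0]
    offset, hits = infer_utc_offset(subs)
    return {
        "uploads": len(subs),
        "top_country": top_cc,
        "top_country_share": round(top_n / len(subs), 2),
        "utc_offset": offset,
        "uploads_in_working_hours": hits,
    }


if __name__ == "__main__":
    print(profile_uploader(SUBMISSIONS))
```

On the constructed records the dominant submitter country is PK and every upload falls inside working hours at UTC+5, which is the kind of pattern an analyst would weigh alongside other evidence before attributing anything; the country field alone can be a VPN exit or a researcher, and the timezone inference only means something when there are enough uploads to form a cluster.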
“[GravityRAT] is not the most sophisticated [malware] because it’s developed in .NET and not obfuscated,” explained Rascagneres. “We can easily get the source code in order to analyse it. We don’t need to disassemble the binary and work from the assembly level.”
India and Pakistan maintain a hostile and combative relationship, marked by repeated small-arms clashes over the contested border region of Kashmir.