An updated variant of the Android GravityRAT malware has been discovered, targeting users through the BingeChat and Chatico messaging apps since August 2022. While the BingeChat campaign is still active, the Chatico campaign has ceased.
Attribution and Targeting: Researchers from ESET have associated the GravityRAT campaign with a group named SpaceCobra, although the actors behind the malware remain unidentified. The threat actor is believed to have connections to Pakistan and has previously targeted military personnel in India.
Campaign Overview: The malicious BingeChat app, distributed through the "bingechat[.]net" domain and potentially other channels, masquerades as a modified version of OMEMO IM—an authentic open-source instant messaging app for Android. The registration process for the malicious app is invite-based, requiring victims to provide valid credentials within a specified timeframe. Upon successful registration, BingeChat requests access to various permissions, including contacts, location, phone, SMS, storage, call logs, camera, and microphone.
Harmful Capabilities of GravityRAT: The latest iteration of GravityRAT spyware exhibits several harmful functionalities. It exfiltrates WhatsApp backups, deletes contacts, and erases call logs. Additionally, it steals media and document files in various formats, such as jpg, jpeg, log, png, PNG, JPG, JPEG, txt, pdf, xml, doc, xls, xlsx, and crypt32. The exfiltrated data is stored in text files on external storage media and transmitted to the command-and-control (C2) server before being removed from the victim's device.
Conclusion: The reappearance of GravityRAT highlights the ongoing activity of the threat actors behind this malware, who continuously enhance its capabilities to carry out sophisticated attacks. Notably, the new features primarily target mobile device users. It is essential for users to remain cautious when downloading apps from untrusted or third-party sources to mitigate the risk of infection.
No comments:
Post a Comment