
GravityRAT Is The Smartest Trojan Ever – It Reads The System’s Temperature To Evade Detection


GravityRAT, a remote access Trojan that targets enterprises and institutions across India, uses an uncommon gimmick to avoid detection: the Trojan reads the temperature of the computer it has landed on.

An elevated temperature is taken as a sign that the computer is running a range of virtual machines, the so-called digital rooms that IT security experts use to seal off and examine malware during the “sandboxing” process. This smart Trojan will therefore only trigger when it reads a system temperature below a specific level.

IT security specialists Warren Mercer and Paul Rascagneres described in a blog post released by Cisco Talos how the Trojan has kept itself off the radar since 2016, while its creators implemented several enhancements in the meantime.

“We’ve seen the file exfiltration, remote command execution capability and anti-VM techniques added throughout GravityRAT’s lifetime,” Mercer and Rascagneres wrote.

GravityRAT runs automatically without a direct execution or additional payloads

This steady progression, which goes beyond the execution of a default remote script, is troubling because it demonstrates commitment and creativity on the part of the Trojan’s developers, according to the specialists.

When a victim opens an infected docx file, a macro automatically copies the document, renames the copy to a zip archive, extracts the GravityRAT executable from it, and then schedules that executable to run automatically on a daily basis.

“With this approach, the attacker makes sure that there is no direct execution (the executable runs on scheduled tasks), no downloading of an additional payload, and finally, the author uses the fact that the docx format is a file to include his executable, the GravityRAT trojan,” explained Warren Mercer and Paul Rascagneres in their blog post.
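The extraction trick described above rests on the fact that a docx file is an ordinary zip archive, and that same fact gives defenders a cheap triage check: open the document as a zip and look for a VBA macro container and for entries whose contents start with a Windows executable header rather than the image or XML data their name suggests. The following Python script is an added example written for this article, not code from Cisco Talos or from the GravityRAT analysis; the sample document it builds in memory is constructed, and the entry names inside it are assumptions.

```python
import io
import zipfile

# Magic bytes used by the check. "MZ" is the DOS header that opens every
# Windows PE file; the OLE2 signature is what a vbaProject.bin stream starts with.
PE_MAGIC = b"MZ"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_docx(malicious: bool) -> bytes:
    """Constructed sample: a minimal docx-like zip. The malicious variant adds a
    VBA macro container and a PE blob disguised as an image (assumed names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image0.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        if malicious:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
            # Only the header matters for the check; the rest is filler.
            zf.writestr("word/media/image1.png", PE_MAGIC + b"\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


def scan_docx(data: bytes) -> dict:
    """Walk every zip entry of a docx and report macro presence and any entry
    whose content begins with a PE header, regardless of its file extension."""
    findings = {"entries": 0, "has_macro": False, "embedded_pe": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings["entries"] += 1
            name = info.filename
            if name.lower().endswith("vbaproject.bin"):
                findings["has_macro"] = True
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            if head == PE_MAGIC:
                findings["embedded_pe"].append(name)
    return findings


def verdict(findings: dict) -> str:
    """A macro plus an embedded PE is exactly the combination the article
    describes (macro extracts the executable from the document itself)."""
    if findings["has_macro"] and findings["embedded_pe"]:
        return "suspicious"
    if findings["has_macro"] or findings["embedded_pe"]:
        return "review"
    return "clean"


if __name__ == "__main__":
    for label, flag in (("clean", False), ("malicious", True)):
        result = scan_docx(build_sample_docx(malicious=flag))
        print(label, verdict(result), result)
```

The check is deliberately header-based so it fires on a PE hidden under any file name; it will not catch an executable that the macro decodes or decrypts before writing it to disk, so treat a clean result as one signal, not proof.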

However, GravityRAT is not able to escape every “sandboxing” procedure. The IT security specialists also found that VMware Fusion, Hyper-V, VirtualBox, XEN and KVM systems, along with several physical systems, do not permit temperature readings; on these systems the Trojan presumes it is running inside a virtual machine and does not execute.