GravityRAT Malware

For the past 18 months, Cisco Talos researchers said they have been tracking GravityRAT, with the latest version spotted a few weeks ago. The location of the developers, known as “The Invincible” and “TheMartian,” is unknown. However, researchers said the documents used to test anti-virus detection via VirusTotal were submitted from Pakistan.

The malware dates back to December 2016, with early samples given the version name G1 and later ones G2. The latest GravityRAT version, published in December 2017, is GX.

GravityRAT’s infection vector is typical: the target opens a Word .docx email attachment and enables macros. Email recipients are shown a “Protected Document” that prompts them to “prove that the user is not a robot” (a CAPTCHA-style lure). Clicking through triggers the infection sequence.
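Because the lure depends on a macro-bearing Office attachment, a useful mail-gateway or triage check is whether an OOXML package actually carries a VBA project. The example below is added here and is not code from the Talos report or from the malware authors; it checks for the `word/vbaProject.bin` part and for the VBA content type declared in `[Content_Types].xml`, and builds two constructed sample packages (one clean, one with a macro project) so it runs offline.

```python
import io
import zipfile

# Content type Office assigns to the VBA project part of a macro-enabled OOXML file.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_vba_project(doc_bytes: bytes) -> bool:
    """Return True if an OOXML (.docx/.docm) blob carries a VBA macro project.

    Two independent signals are checked: a part named vbaProject.bin anywhere in
    the package, and the VBA content type declared in [Content_Types].xml.
    Either one is enough to treat the attachment as macro-bearing.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in content_types:
                    return True
    except zipfile.BadZipFile:
        # Not an OOXML package (e.g. a legacy OLE .doc); out of scope for this check.
        return False
    return False


def _build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for demonstration only (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = [
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Override PartName="/word/document.xml" ContentType="application/'
            'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
            # Placeholder bytes standing in for a real OLE-wrapped VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


CLEAN_DOC = _build_sample(with_macro=False)
MACRO_DOC = _build_sample(with_macro=True)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_DOC), ("macro", MACRO_DOC)):
        print(f"{label}: macros present = {has_vba_project(blob)}")
```

Checking both the part name and the content type matters: an attacker who renames the binary part still has to declare its content type for Office to load it, and a document that declares the type without the part is at least worth quarantining.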

In August 2017, the Indian National CERT published an advisory about malicious targeted campaigns that referenced the command-and-control server infrastructure of what Talos later identified as GravityRAT.

C2 Servers

hxxp://cone[.]msoftupdates.com:46769
hxxp://ctwo[.]msoftupdates.com:46769
hxxp://cthree[.]msoftupdates.com:46769
hxxp://eone[.]msoftupdates.eu:46769
hxxp://etwo[.]msoftupdates.eu:46769
hxxp://msupdates[.]mylogisoft.com:46769
hxxp://coreupdate[.]msoftupdates.com:46769
hxxp://updateserver[.]msoftupdates.eu:46769

msoftupdates[.]com
msoftupdates[.]eu
mylogisoft[.]com
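The indicators above are most useful when run against proxy and DNS logs. The following is an added example, not part of the original article or the Talos report: it matches the three C2 domains (including any subdomain, so the hostnames listed above are covered) and the non-standard port 46769 against a handful of constructed log lines. The log format and IP addresses are made up for the demonstration.

```python
import re
from typing import Dict, List, Optional

# Network indicators as listed in the article.
C2_DOMAINS = {"msoftupdates.com", "msoftupdates.eu", "mylogisoft.com"}
C2_PORT = 46769

# Constructed proxy/DNS log lines for demonstration; these are not real traffic.
SAMPLE_LOGS = [
    "2018-04-20T10:01:12Z proxy src=10.0.0.5 dst=cone.msoftupdates.com:46769 method=POST status=200",
    "2018-04-20T10:01:40Z dns client=10.0.0.7 query=updateserver.msoftupdates.eu type=A",
    "2018-04-20T10:02:03Z proxy src=10.0.0.9 dst=update.microsoft.com:443 method=GET status=200",
    "2018-04-20T10:02:15Z dns client=10.0.0.9 query=notmsoftupdates.com type=A",
    "2018-04-20T10:03:00Z proxy src=10.0.0.12 dst=198.51.100.7:46769 method=POST status=200",
]

# Pulls the destination host (and optional port) out of either record type.
HOST_RE = re.compile(r"(?:dst|query)=(?P<host>[A-Za-z0-9.\-]+)(?::(?P<port>\d+))?")


def domain_matches(host: str, ioc_domains=C2_DOMAINS) -> bool:
    """Exact or subdomain match on a label boundary, case-insensitive.

    The boundary check is what keeps look-alikes such as notmsoftupdates.com
    from matching msoftupdates.com.
    """
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in ioc_domains)


def scan_logs(lines: List[str], ioc_domains=C2_DOMAINS, ioc_port: int = C2_PORT) -> List[Dict]:
    """Return one hit per log line that touches a C2 domain or the C2 port."""
    hits = []
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group("host")
        port: Optional[int] = int(m.group("port")) if m.group("port") else None
        reasons = []
        if domain_matches(host, ioc_domains):
            reasons.append("c2-domain")
        # A bare port hit is a weak signal on its own; it is reported so an
        # analyst can pivot on it, not as a verdict.
        if port == ioc_port:
            reasons.append("c2-port")
        if reasons:
            hits.append({"line": line, "host": host, "port": port, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(", ".join(hit["reasons"]), "->", hit["host"], hit["port"])
```

Running it over the sample lines flags the proxy connection to cone.msoftupdates.com on 46769 (domain and port), the DNS lookup of updateserver.msoftupdates.eu (domain only), and the connection to a raw IP on 46769 (port only); the Microsoft update traffic and the look-alike domain are left alone.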




Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.

Duncan Newell

