For the past 18 months, Cisco Talos researchers said they have been tracking GravityRAT, with the latest “G2” version spotted a few weeks ago. The location of the developers, known as “The Invincible” and “TheMartian,” is unknown. However, researchers said documents used to test anti-virus detection via VirusTotal were submitted from Pakistan.
The malware dates back to December 2016, with early samples given the version name G1 and later G2. The latest GravityRAT version, published in December 2017, is GX.
GravityRAT’s infection vector is typical: the target has to open a Word .docx email attachment and enable macros. Email recipients are shown a “Protected Document” that prompts them to “prove that the user is not a robot” (similar to a CAPTCHA). Doing so triggers the infection sequence.
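A quick way to triage attachments of this kind is to check whether an OOXML file carries a VBA project part and whether its visible text uses the social-engineering lure described above. The Python below is an added example written for this page, not Talos code and not derived from a GravityRAT sample: it builds a constructed, minimal .docx-style container in memory (the lure text and the dummy vbaProject.bin are assumptions made up for the demo) and then applies the same two checks to it.

```python
import io
import re
import zipfile

# Constructed sample document.xml mimicking the "Protected Document" lure
# described in the article. Not taken from a real GravityRAT sample.
LURE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body>'
    '<w:p><w:r><w:t>Protected Document</w:t></w:r></w:p>'
    '<w:p><w:r><w:t>Please prove that the user is not a robot by enabling content.</w:t></w:r></w:p>'
    '</w:body></w:document>'
)

# Phrases typical of macro-enabling lures; extend for your own environment.
LURE_PATTERNS = [
    r"protected\s+document",
    r"not\s+a\s+robot",
    r"enabl(?:e|ing)\s+(?:content|macros|editing)",
]


def build_sample_docx(with_macro: bool = True) -> bytes:
    """Build a constructed OOXML zip in memory; the VBA part is a dummy blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder only
        z.writestr("word/document.xml", LURE_XML)
        if with_macro:
            # OLE2 magic followed by padding; stands in for a real VBA project.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 32)
    return buf.getvalue()


def extract_text(document_xml: str) -> str:
    """Return the visible text runs (<w:t>) of a document.xml as one string."""
    return " ".join(re.findall(r"<w:t[^>]*>(.*?)</w:t>", document_xml, re.S))


def triage_ooxml(data: bytes) -> dict:
    """Flag a document that both carries a VBA project and shows lure text."""
    result = {"has_vba_project": False, "lure_hits": [], "suspicious": False, "error": None}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        result["error"] = "not an OOXML (zip) container"
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # Macro code in Word OOXML lives in word/vbaProject.bin.
        result["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "word/document.xml" in names:
            text = extract_text(z.read("word/document.xml").decode("utf-8", "replace"))
            for pat in LURE_PATTERNS:
                if re.search(pat, text, re.I):
                    result["lure_hits"].append(pat)
    result["suspicious"] = result["has_vba_project"] and bool(result["lure_hits"])
    return result


if __name__ == "__main__":
    print(triage_ooxml(build_sample_docx()))
    print(triage_ooxml(build_sample_docx(with_macro=False)))
```

The presence of a VBA part alone is not malicious, and lure text alone is not either; it is the combination of the two in an unsolicited attachment that deserves a closer look, which is why the verdict requires both.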
In August 2017, the Indian National CERT published an advisory about malicious targeted campaigns that referenced the command-and-control server infrastructure of what Talos later came to identify as GravityRAT.