India Android & MacOS Users Targets by GravityRAT Spyware

 

India Android & MacOS Users Targets by GravityRAT Spyware

 

    The GravityRAT campaign uses the infection methods — targeted individuals are sent links pointing to malicious apps. The new GravityRAT campaign is multiplatformity. besides Windows, there are now versions for Android and macOS The cybercriminals also started using digital signatures to make the apps look more legitimate. GravityRAT, a spying remote access Trojan (RAT) known to target devices in India, in an attack campaign against Android and macOS devices. Its creators are believed to be Pakistani hacker groups. The spyware’s functions are fairly standard: it sends device data, contact lists, e-mail addresses, and call and text logs of the infected machine to the C&C server. In addition, the Trojan searches for files in the device memory and on connected media with the extensions .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx, and .opus, and sends these to C&C as well.
 

The spyware receives commands from the server, including to:- Get information about the system, search for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server, Get a list of running processes, Intercept keystrokes, Take screenshots, Execute arbitrary shell commands, record audio &  scan ports.

Indicator of Compromise

IOCs

File Hash

df6e86d804af7084c569aa809b2e2134
c92a03ba864ff10b8e1ff7f97dc49f68
b6af1494766fd8d808753c931381a945
7bd970995a1689b0c0333b54dffb49b6
0c26eb2a6672ec9cd5eb76772542eb72
0c103e5d536fbd945d9eddeae4d46c94
cceca8bca9874569e398d5dc8716123c
7bbf0e96c8893805c32aeffaa998ede4
e73b4b2138a67008836cb986ba5cee2f
9d48e9bff90ddcae6952b6539724a8a3
285e6ae12e1c13df3c5d33be2721f5cd
1f484cdf77ac662f982287fba6ed050d
c39ed8c194ccf63aab1db28a4f4a38b9
78506a097d96c630b505bd3d8fa92363
86c865a0f04b1570d8417187c9e23b74
31f64aa248e7be0be97a34587ec50f67
e202b3bbb88b1d32dd034e6c307ceb99
9f6c832fd8ee8d8a78b4c8a75dcbf257
defcd751054227bc2dd3070e368b697d
c0df894f72fd560c94089f17d45c0d88
2b6e5eefc7c14905c5e8371e82648830
ee06cfa7dfb6d986eef8e07fb1e95015
6689ecf015e036ccf142415dd5e42385
3033a1206fcabd439b0d93499d0b57da
f1e79d4c264238ab9ccd4091d1a248c4
ee3f0db517f0bb30080a042d3482ceee
30026aff23b83a69ebfe5b06c3e5e3fd
f8da7aaefce3134970d542b0e4e34f7b
574bd60ab492828fada43e88498e8bd2
df1bf7d30a502e6388e2566ada4fe9c8
092e4e29e784341785c8ed95023fb5ac
c7b8e65e5d04d5ffbc43ed7639a42a5f

URLs


daily.windowsupdates[.]eu
nightly.windowsupdates[.]eu
dailybuild.mozillaupdates[.]com
nightlybuild.mozillaupdates[.]com
u01.msoftserver[.]eu
u02.msoftserver[.]eu
u03.msoftserver[.]eu
u04.msoftserver[.]eu
n1.nortonupdates[.]online
n2.nortonupdates[.]online
n3.nortonupdates[.]online
n4.nortonupdates[.]online
sake.mozillaupdates[.]us
gyzu.mozillaupdates[.]us
chuki.mozillaupdates[.]us
zen.mozillaupdates[.]us
ud01.microsoftupdate[.]in
ud02.microsoftupdate[.]in
ud03.microsoftupdate[.]in
ud04.microsoftupdate[.]in
chat2hire[.]net
wesharex[.]net
click2chat[.]org
x-trust[.]net
bollywoods[.]co[.]in
enigma[.]net[.]in
titaniumx[.]co[.]in
sharify[.]co[.]in
strongbox[.]in
teraspace[.]co[.]in
gozap[.]co[.]in
orangevault[.]net
savitabhabi[.]co[.]in
melodymate[.]co[.]in
cvstyler[.]co[.]in

Comments

Post a Comment

Popular posts from this blog

Revil Ransomware Targeted Kaseya

Image
  Revil Ransomware Targeted Kaseya   REvil is a ransomware-as-a-service (RaaS), delivered by “affiliate” actor groups who are paid by the ransomware’s developers. The REvil actors launched a malicious update package that targeted customers of managed service providers and enterprise users of the on-site version of Kaseya’s VSA remote monitoring and management platform.   Indicators of Compromise URLs/Domains: architekturbuero-wagner.net mindpackstudios.com vitavia.lt bouncingbonanza.com lukeshepley.wordpress.com igfap.com bockamp.com levihotelspa.fi exenberger.at tinyagency.com familypark40.com alfa-stroy72.com boompinoy.com mdacares.com architecturalfiberglass.org slupetzky.at sinal.org qualitus.com deepsouthclothingcompany.com groupe-frayssinet.fr synlab.lt kamienny-dywan24.pl ilcdover.com humancondition.co...
Read more

BANDOOK(RAT)

Image
    BANDOOK(RAT)-Malware   The payload in this attack is a variant of an old full-featured RAT named Bandook. Written in both Delphi and C++, Bandook has a long history, starting in 2007 as a commercially available RAT that was developed by a Lebanese individual nicknamed PrinceAli.Bandook’s execution flow starts with a loader, written in Delphi, that uses the Process Hollowing technique to create a new instance of an Internet Explorer process and inject a malicious payload into it. The payload contacts the C&C server sends basic information about the infected machine and waits for additional commands from the server. Indicators of Compromise File Hash MD5 27f8d8bbbeeda5fc439ee18d9d4da343 44584c8d010242fddb44afe5ce860872 a6501c62b3a6ffa8d028a88138fe509f 7c15ee5b9a12dacaace8fb62271f12f1 4e9e12c98cfbc5f3aa3c1345bd063fa0 7ef261c151519e66ec369c63e4b1aed4 6effed1b1bb5e9ed6aafacb075c1d4e2 0475771b8bc3efc28b1834f3add608f3 045ce6679ed4086e2ded58470e24c15a 28ad9ace11919b57bf54...
Read more

Buer Loader provides malware-as-a-service

Image
  Buer Loader provides malware-as-a-service       Buer is a malware-as-a-service offering that is used to deliver whatever package the service customer desires, providing initial compromise of targets’ Windows PCs and allowing them to establish a digital beachhead for further malicious activity. Buer has previously been tied to banking trojan attacks and other malware deployments—and now, apparently, has been embraced by ransomware operators. In many ways, Buer is positioned as an alternative to Emotet and Trickbot’s emerging Bazar loader. “A new modular bot…written in pure C” with command and control (C&C) server code written in .NET Core MVC (which can be run on Linux servers). Indicators of Compromise File Hashes 10943b90969722bf359e4b039d2953e02072e03e0a7f1bdb1dea09d9197288b1 32616f41a71fc7a4286736a6fc77da2a555dbc8301a8bd5fbdbab231955a42c5 5b607f001ba62e042344d30b65cad2774df2deb50e0b92c33da85e9338c123c4   6c7f43434e5db8703c0a47dedeeab976159d8704bfb...
Read more