GravityRAT
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
GravityRAT uses HTTP for C2.(Citation: Talos GravityRAT) |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
GravityRAT executes commands remotely on the infected host.(Citation: Talos GravityRAT) |
| Enterprise | T1559 | .002 | Inter-Process Communication: Dynamic Data Exchange |
GravityRAT has been delivered via Word documents using DDE for execution.(Citation: Talos GravityRAT) |
| Enterprise | T1027 | .005 | Obfuscated Files or Information: Indicator Removal from Tools |
The author of GravityRAT submitted samples to VirusTotal for testing, showing that the author modified the code to try to hide the DDE object in a different part of the document.(Citation: Talos GravityRAT) |
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
GravityRAT creates a scheduled task to ensure it is re-executed everyday.(Citation: Talos GravityRAT) |
| Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
GravityRAT uses WMI to check the BIOS and manufacturer information for strings like "VMWare", "Virtual", and "XEN" and another WMI request to get the current temperature of the hardware to determine if it's a virtual machine environment. (Citation: Talos GravityRAT) |
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.