

GravityRAT is a remote access tool (RAT) that has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames linked to the author have been recovered: "TheMartian" and "The Invincible." According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organizations and entities in India. (Citation: Talos GravityRAT)
ID: S0237
Platforms: Windows
Version: 1.3
Created: 17 Oct 2018
Last Modified: 11 Apr 2024

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

GravityRAT uses HTTP for C2.(Citation: Talos GravityRAT)

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

GravityRAT executes commands remotely on the infected host.(Citation: Talos GravityRAT)

Enterprise T1559.002 Inter-Process Communication: Dynamic Data Exchange

GravityRAT has been delivered via Word documents using DDE for execution.(Citation: Talos GravityRAT)

Enterprise T1027.005 Obfuscated Files or Information: Indicator Removal from Tools

The author of GravityRAT submitted samples to VirusTotal for testing, showing that the author modified the code to try to hide the DDE object in a different part of the document.(Citation: Talos GravityRAT)

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

GravityRAT supports file encryption (AES with the key "lolomycin2017").(Citation: Talos GravityRAT)

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

GravityRAT creates a scheduled task to ensure it is re-executed every day.(Citation: Talos GravityRAT)

Enterprise T1497.001 Virtualization/Sandbox Evasion: System Checks

GravityRAT uses WMI to check the BIOS and manufacturer information for strings like "VMWare", "Virtual", and "XEN" and another WMI request to get the current temperature of the hardware to determine if it's a virtual machine environment. (Citation: Talos GravityRAT)
