A previously unidentified remote access tool (RAT) primarily targeting Indian organisations uses seven different techniques for sniffing out researchers' virtual machines and sandbox environments, including taking the temperature of an infected computer.
Dubbed GravityRAT, the malware has largely stayed under the radar for at least two years, and allows adversaries to perform reconnaissance on affected machines, exfiltrate files, and execute arbitrary code, according to a new blog post analysis from Cisco Systems' Talos threat research division.
GravityRAT infects computers by way of Microsoft Office documents containing a small, embedded malicious macro, which victims are tricked into enabling while at the same time disabling Protected Mode. The macro includes three functions: one that copies the active document in a temporary directory and renames it as a ZIP archive, one that decompresses the .zip file and extracts the malicious executable inside it, and one that creates a scheduled task to execute this file each day.
"With this approach, the attacker ensures that there is no direct execution," explain researchers Warren Mercer and Paul Rascagneres in their co-authored blog post. "There's no download of an additional payload."
But what makes GravityRat truly unique is the lengths to which it goes to dodge virtual environments that are typically created for malware research and analyses.
Talos counts seven ways the malware attempts identify whether or not a compromised system is a virtual machine, but the most unusual is by employing a WMI (Windows Management Instrumentation) request to check the current CPU temperature. This tactic often works because certain hypervisors, including Hyper-V, VMWare Fusion, VirtualBox, KVM and XENs, do not support the temperature check function. Therefore, the response from the WMI request is a telltale error message that immediately sends up a red flag.
"VM detection techniques are very common and quite problematic for vendors with point detection products," said Craig Williams, director of Talos Outreach, in an email interview with SC Media. "This actor is the first we've ever seen to use a WMI request in order to get the current temperature as a way to detect virtual environments. This is a fairly clever approach that is both efficient and unfortunately reliable."
Williams added that this GravityRAT sample takes the concept of anti-VM detection techniques "to the extreme." In its blog post, Talos describes the other six techniques as follows:
- "Looking at any additional tools used by the hypervisor that are installed on the system (by checking a registry key).
- "[Using a WMI request to the BIOS version (Win32_BIOS entry). If the response contains: 'VMware,' 'Virtual,' 'XEN,' 'Xen' or 'A M I' the system is considered as a virtual machine. Additionally, the malware checks the SerialNumber and the version of the BIOS."
- "[Using] the Win32_Computer entry in WMI. It checks if the manufacturer contains 'VIRTUAL,' 'VMWARE' or 'VirtualBox.'
- Checking the system's Processor ID.
- Counting the number of cores in the infected system.
- Checking the machine's MAC Address to determine if it starts by a well-known hexadecimal number. If so, the system is identified as a virtual machine.
The researchers have identified four distinct variants GravityRAT since the first iteration of the .Net-based malware, G1, was compiled in December 2016.
The debut version was designed to execute commands and steal data such as the MAC Address, computer name, username, IP address, and date, as well as various files and volumes mapped on the system. The next version, G2, was first used in July 2017 and included a decoy picture document and the ability look for VM environments via a WMI request to collect CPU information in the Win32_Processor entry.
Next to show its face in August 2017 was G3, which introduced support for additional languages, and featured a different C&C server back-end as well as a changed URI. And just a few weeks ago, Talos spotted GX -- the latest, most advanced version of GravityRAT, which includes all seven anti-VM techniques, plus additional functionality including collecting open ports on the victim host, listing all running processes and supporting file encryption.
In August 2017, the Indian National CERT published an advisory about malicious targeted campaigns that referencing the command-and-control server infrastructure of what Talos later came to identify as GravityRAT.
Since then, Talos' attempts at attribution have so far revealed that all of the malicious Office documents linked to the threat, as well as a malicious executable, were submitted from Pakistan. Talos also linked GravityRAT's developer to two usernames, "The Invincible" and "TheMartian," Moreover the developer appears to have leaked hisname -- either absentmindedly or intentionally as a decoy -- in the program database of GravityRAT's oldest version, referring to himself as Adeel.
Talos concludes that while the attacker "is probably not the most advanced actor we've seen" -- never bothering to obfuscate the malware's .Net code, for instance -- he nevertheless "managed to stay under the radar since 2016 and "was clever enough to keep this infrastructure safe, and not have it blacklisted by a security vendor."