GravityRAT Analysis: Into the malware Targeting Android

Ayan Saha
Published in Keysight ATI
Jul 31, 2023

Introduction

GravityRAT is an Android malware that has been attributed to the SpaceCobra threat group and has recently been distributed as a fake chat app through the website bingechat[.]net. It has been reported to be targeting Indian and Pakistani officials.

In this blog, we examine the malware and its behavior. We analyse its source code and its network communication, covering the following aspects of the malware:

  • Malware Delivery
  • Malware Analysis
    - Initial C2 Server Connection
    - Dynamic C2 Domain Retrieval
    - C2 Beacon
    - C2 Data Exfiltration
    - C2 Destructive Directives

Malware Delivery

The malware is delivered through the website bingechat[.]net, but it is also assumed to be highly targeted, since credentials are required to download it from the website. We downloaded the sample from VirusTotal (SHA256: caf0a39318cfc1e65eae773a28de62ce08b7cf1b9d4264e843576165411e2a84).

Malware Analysis

We begin our analysis by looking at the AndroidManifest.xml file, where we see the Java class that is invoked as the main activity:

Fig 1: Entrypoint from AndroidManifest

Initial C2 Server Connection

We look at the ‘onCreate’ method of the ‘eu.siacs.bingechat.SplashActivity’ class, which creates an instance of the MainService class (‘eu.siacs.bingechat.network.MainService’) with startService.

Fig 2: MainService triggered from the MainActivity

This invokes the ‘onStartCommand’ method of MainService, which creates an instance of the Connection class and calls execute on it. This in turn invokes the doInBackground method.

Fig 3: Instance of the Connection class being created

In the doInBackground method, we can see that the malware starts a background service which contacts one of two C2 domains, ‘https://dev.androidadbserver.com’ and ‘https://adb.androidadbserver.com’, and sends the initial packet with the function name ‘GAD’.

Fig 4: Initial Request logic

If we look at the ‘postdata’ function, we can see that the URI being contacted is hardcoded in this malware sample: ‘/jurassic/6c67d428.php’.

Fig 5: Postdata method showcasing the hardcoded URI

Dynamic C2 Domain Retrieval

If we intercept the traffic with a proxy, we can see that the response contains a list of currently active domains which serve as further points of communication. This is confirmed by the subsequent communication, which occurs with the host ‘cld.androidadbserver.com’ returned in the response.

Fig 6: Initial Packets showing dynamic C2 address retrieval
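The dynamic domain retrieval described above is exactly what defeats a static blocklist of the two hardcoded hosts. The following added example (not code from the original post or from the malware) shows detection logic that flags proxy records matching the indicators from this analysis and, when a flagged host answers with a domain list, learns those domains so later beacons to them are flagged as well. The record layout, the response body format, and the host ‘c2-relay.example.net’ are constructed assumptions; the two initial hosts, the apex domain and the URI come from the analysis.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Indicators from the analysis: the two initial C2 hosts and the hardcoded URI.
KNOWN_C2_HOSTS = {"dev.androidadbserver.com", "adb.androidadbserver.com"}
C2_APEX_DOMAIN = "androidadbserver.com"
KNOWN_C2_PATH = "/jurassic/6c67d428.php"

# Hostname-like tokens in a response body; only applied to responses from flagged hosts.
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)

# Constructed proxy records (not a real capture). The response body format and the
# host "c2-relay.example.net" are assumptions used to illustrate the watchlist update.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"host": "dev.androidadbserver.com", "path": "/jurassic/6c67d428.php",
     "request": "function=GAD",
     "response": "cld.androidadbserver.com\nc2-relay.example.net"},
    {"host": "cld.androidadbserver.com", "path": "/jurassic/6c67d428.php",
     "request": "imei=<placeholder>&lastseen=1", "response": "OK"},
    {"host": "c2-relay.example.net", "path": "/upload",
     "request": "file=obb.log", "response": "Alert"},
    {"host": "example.org", "path": "/index.html", "request": "", "response": "<html>"},
]


def classify(records: Iterable[Dict[str, str]]) -> Tuple[List[Tuple[str, List[str]]], Set[str]]:
    """Return (verdicts, watchlist).

    verdicts: one (host, reasons) pair per record, reasons empty when benign.
    watchlist: starts as the known hosts and grows with domains served by flagged hosts.
    """
    watchlist: Set[str] = set(KNOWN_C2_HOSTS)
    verdicts: List[Tuple[str, List[str]]] = []
    for rec in records:
        host = rec["host"].lower()
        reasons: List[str] = []
        if host in watchlist:
            reasons.append("host on C2 watchlist")
        elif host == C2_APEX_DOMAIN or host.endswith("." + C2_APEX_DOMAIN):
            reasons.append("host under C2 apex domain")
        if rec["path"] == KNOWN_C2_PATH:
            reasons.append("hardcoded C2 URI")
        if reasons:
            # A flagged host handing out domains is the dynamic retrieval step: learn them
            # so that later traffic to a host outside the apex domain is still flagged.
            for domain in DOMAIN_RE.findall(rec["response"]):
                watchlist.add(domain.lower())
        verdicts.append((host, reasons))
    return verdicts, watchlist
```

Running classify over SAMPLE_RECORDS flags the first three records, the third only because its host was learned from the first response.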

C2 Beacon

In ‘onStartCommand’, we can also see that the malware fetches the IMEI of the phone and sends beacon messages to the C2 server updating its last-seen time, which is common in C2 frameworks.

Fig 7: Updating the last seen of the victim

C2 Data Exfiltration

Continuing, we can see various classes being invoked through a ‘ScheduledExecutorService’, which is used to schedule commands to run periodically.

Fig 8: Commands scheduled periodically

The first one is the class called ‘SC’ (as named in the decompiled code), which calls the custom method ‘walkdir’:

Fig 9: Search for files of various extensions

We can see that the method looks for files with various extensions under the ‘/Android’ folder, where Android apps usually store their own app data, and the collected listing is written to the file ‘/Android/ebc/obb.log’. The contents of this file are later exfiltrated, as seen below:

Fig 10: Contents of obb.log exfiltrated to C2 server

We can see files such as WhatsApp backups being exfiltrated, since the method was also looking for files with the extension ‘crypt14’.

Fig 11: WhatsApp backup files being exfiltrated

From the response, we can guess that the server checks whether a file is new and issues an Alert if it is.

Fig 12: Alert from server

Continuing in the same function, we can see that there is exfiltration logic for call logs, and the same can be observed in the traffic capture.

Fig 13: Call logs being exfiltrated from network capture
Fig 14: Source code logic for call log exfiltration

C2 Destructive Directives

We also notice that it periodically checks for tasks from the server, which can deliver commands such as ‘DeleteAllFiles’, ‘DeleteAllContacts’ and ‘DeleteAllCallLogs’. In our execution we did not see the server returning those commands, and what conditions trigger them cannot be determined without knowledge of the C2 server-side code.

Fig 15: Checking for tasks from server
Fig 16: Checking for destructive C2 commands from server

Conclusion

Since its inception in 2015, the threat actor SpaceCobra has consistently leveraged various types of malware, frequently disguised as different applications. The one we looked at is GravityRAT, which is masked as a messaging application. However, the future may bring a different deceptive method.

In our analysis, we delved deeply into the GravityRAT Android malware, scrutinizing its design from the perspective of both source code and network capture. Our examination revealed the malware’s method of communication with its C2 servers and the ways in which it exfiltrates information from the victim’s phone. Alarmingly, it also has the potential to erase all critical files from the victim’s device on command from the server.

Originally published at https://www.keysight.com.
