GravityRAT is a Trojan which checks the temperature of a system to detect the presence of virtual machines (VMs) and prevent efforts at analysis by researchers.
By taking thermal readings, the Remote Access Trojan (RAT), which has recently become a menace in India, attempts to determine whether it is running inside a VM being used for decompilation and reverse engineering.
The approach is not foolproof, but according to Cisco Talos researchers[1], GravityRAT is able to detect a number of virtual environments using this method.
GravityRAT is a Trojan that is still evolving. Over at least the past 18 months, the malware has been under development and has acquired a range of features, including file exfiltration, remote command execution, and anti-VM techniques.
The threat actor behind the Trojan has also utilized VirusTotal for testing purposes to stay under the radar and avoid antivirus software detection.
The malware spreads through malicious Microsoft Office Word documents. If a potential victim downloads and opens the file, they are asked to enable macros, and then a payload is deployed.
The payload copies the malicious document and sets a Windows scheduled task to execute this file on a daily basis to retain persistence.
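The delivery and persistence chain described above (a macro-enabled document that registers a daily scheduled task pointing at a copied file) leaves a recognisable trace in process-creation telemetry. The following detection logic is an added example written for this article, not code from Talos or from the malware; it runs over constructed Sysmon-style process-creation events, and the process names, task names and file paths in the sample data are invented for illustration.

```python
"""Flag scheduled-task persistence set up from an Office macro.

Two signals are combined, both taken from the chain described in the
article: schtasks.exe spawned by an Office process, and a daily task whose
action lives in a user-writable directory. Sample events are constructed
for this example and mimic the fields of a Sysmon Event ID 1 record."""
import re
from dataclasses import dataclass

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumption: directories a macro can write to without elevation; tune to
# the environment's own baseline.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_schtasks_create(cmdline: str):
    """Extract schedule and task action from a 'schtasks /create' command line.
    Returns None when the command line is not a task creation."""
    if "/create" not in cmdline.lower():
        return None
    sc = re.search(r"/sc\s+(\S+)", cmdline, re.I)
    tr = re.search(r'/tr\s+("[^"]+"|\S+)', cmdline, re.I)
    return {
        "schedule": sc.group(1).lower() if sc else None,
        "action": tr.group(1).strip('"') if tr else None,
    }


def analyse(events):
    """Return one alert per suspicious schtasks invocation, with the reasons."""
    alerts = []
    for ev in events:
        parent, child = basename(ev.parent_image), basename(ev.image)
        if child != "schtasks.exe":
            continue
        details = parse_schtasks_create(ev.command_line)
        if details is None:
            continue
        reasons = []
        if parent in OFFICE_PROCESSES:
            reasons.append(f"scheduled task created by Office process {parent}")
        action = (details["action"] or "").lower()
        if details["schedule"] == "daily" and any(p in action for p in USER_WRITABLE):
            reasons.append("daily task runs a file from a user-writable directory")
        if reasons:
            alerts.append({"command_line": ev.command_line, "reasons": reasons})
    return alerts


# Constructed sample telemetry: one macro-driven persistence event, one
# benign administrative task, and two events that are not task creations.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        r"C:\Windows\System32\schtasks.exe",
        r'schtasks /create /sc daily /tn "Office Update" '
        r'/tr "C:\Users\alice\AppData\Roaming\Office\report.docx"',
    ),
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\schtasks.exe",
        r'schtasks /create /sc weekly /tn Backup /tr "C:\Program Files\Backup\backup.exe"',
    ),
    ProcessEvent(
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        r"C:\Windows\System32\cmd.exe",
        "cmd.exe /c whoami",
    ),
    ProcessEvent(
        r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\System32\schtasks.exe",
        "schtasks /query /tn Backup",
    ),
]


def alerts_for_sample():
    return analyse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in alerts_for_sample():
        print(alert["command_line"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

On the sample data only the first event fires, and it fires on both signals; the weekly backup task created from Explorer is left alone, which is why the two signals are reported separately rather than merged into one score, so an analyst can see which condition tripped.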
Once the Trojan has compromised a victim machine, it steals information including PC and account data, steals files from any connected USB devices, and lists all running processes and available services. Surveillance and remote control of the machine are also possible.
However, the anti-VM techniques are, perhaps, the most interesting aspects of this malware.
Security researchers Warren Mercer and Paul Rascagneres say the sandbox detection feature is made through a