GravityRAT is a Trojan that checks a system's temperature to detect virtual machines (VMs) and frustrate analysis by researchers.
By taking thermal readings, the Remote Access Trojan (RAT), which has recently emerged as a threat in India, attempts to determine whether it is running inside a VM of the kind used for decompilation and reverse engineering.
The approach is not foolproof, but according to Cisco Talos researchers, GravityRAT is able to detect a number of virtual environments using this method.
GravityRAT is still under active development. Over at least the past 18 months the malware has gained a range of features, including file exfiltration, remote command execution, and anti-VM techniques.
The threat actor behind the Trojan has also used VirusTotal to test whether samples are flagged by antivirus software, in order to stay under the radar.
The malware spreads through malicious Microsoft Word documents. If a potential victim downloads and opens the file, they are prompted to enable macros; once macros are enabled, the payload is deployed.
The payload copies the malicious document and creates a Windows scheduled task that executes this file daily, giving the malware persistence.
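The persistence mechanism described above is something a responder can hunt for directly. The following PowerShell is an added example, not code from the article or from the malware: it lists scheduled tasks that have a daily trigger and whose action launches an Office document or a file from a user-writable location. The list of user-writable roots and the file-extension pattern are assumptions; the article gives no task name or path.

```powershell
# Added example (not from the original article): hunt for scheduled tasks that
# match the persistence pattern described above -- a daily trigger whose action
# launches an Office document or a file from a user-writable directory.
# Run as an administrator so tasks registered by other users are visible.

function Find-SuspiciousDailyTasks {
    param(
        # Directories an Office macro can write to without elevation (assumed list).
        [string[]]$UserWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE)
    )

    Get-ScheduledTask | ForEach-Object {
        $task = $_
        # Only tasks with a daily trigger are of interest for this pattern.
        $daily = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskDailyTrigger' }
        if (-not $daily) { return }

        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            # Expand %APPDATA%-style variables so the path comparison is meaningful.
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $argString = if ($action.Arguments) {
                [Environment]::ExpandEnvironmentVariables($action.Arguments)
            } else { '' }
            $target = "$exe $argString"

            $inUserDir = $UserWritableRoots |
                Where-Object { $_ -and $target.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
            # Assumed pattern: an action that opens a Word/Excel document or template.
            $isDoc = $target -match '\.(docm?|dotm?|xlsm?)(\s|"|$)'

            if ($inUserDir -or $isDoc) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Author    = $task.Author
                    Execute   = $exe
                    Arguments = $argString
                    Reason    = if ($isDoc) { 'launches an Office document' } else { 'runs from a user-writable path' }
                }
            }
        }
    }
}

Find-SuspiciousDailyTasks | Format-Table -AutoSize
```

Expect some benign hits (updaters that run daily from %LOCALAPPDATA%, for instance); the output is a triage list, not a verdict. Tasks whose action is an Office document, or a file under %TEMP% or %APPDATA% with a non-Microsoft author, deserve a closer look.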
Once the Trojan has compromised a machine, it steals PC and account information, copies files from any USB devices that are connected, and enumerates running processes and available services. Surveillance and remote control of the machine are also possible.
However, the anti-VM techniques are, perhaps, the most interesting aspects of this malware.
Security researchers Warren Mercer and Paul Rascagneres say the sandbox detection feature is implemented as a Windows Management Instrumentation (WMI) query that retrieves the current temperature of the target hardware.
Such queries can return the temperature of up to seven ACPI thermal zones, along with the processor ID, name, manufacturer, and clock speed.
Not every machine returns this reading, but the presence or absence of heat levels can indicate that a VM is likely in use.
According to Cisco Talos, this kind of query is not supported on Hyper-V, VMware Fusion, VirtualBox, KVM, or Xen, so if the hardware does not return a temperature reading, GravityRAT treats the host as a VM.
"This check is not foolproof as we have identified physical hosts which do not report back the temperature, however, it should also be considered a check that is identifying a lot of virtual environments," the researchers say. "This is particularly important due to the amount of sandboxing & malware detonation being carried out within virtual environments by researchers."
The Trojan also checks for hypervisor tools installed on the system by inspecting registry keys, BIOS serial numbers, Win32_ComputerSystem entries, and the number of CPU cores present in the infected system.
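The two passages above (the thermal-zone query and the registry, BIOS, Win32_ComputerSystem and core-count checks) can be reproduced from the analyst's side to see what a physical host, a sandbox, or a hardened VM actually returns. The PowerShell below is an added example, not code from the article or from GravityRAT. The guest-tool service names, the vendor-string patterns, and the core-count threshold are assumptions chosen to illustrate the technique; the article does not give the malware's own values.

```powershell
# Added example (not code from the original article or from GravityRAT): an
# analyst-side reproduction of the host checks described above.
# Service names, vendor patterns and the core-count threshold are assumptions.
# Run in an elevated PowerShell session on the host or VM under test.

function Get-ThermalZoneReadings {
    # MSAcpi_ThermalZoneTemperature lives in root\WMI and reports tenths of a kelvin.
    # On hypervisors that expose no ACPI thermal zone the query throws "Not supported";
    # an empty result is the condition the malware reads as "probably a VM".
    try {
        Get-CimInstance -Namespace 'root/WMI' -ClassName 'MSAcpi_ThermalZoneTemperature' -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Zone    = $_.InstanceName
                    Celsius = [math]::Round(($_.CurrentTemperature / 10) - 273.15, 1)
                }
            }
    }
    catch {
        Write-Warning "Thermal zone query failed: $($_.Exception.Message)"
        @()
    }
}

function Get-HostFingerprint {
    # The other artefacts the article lists: processor details, BIOS serial,
    # computer system vendor/model, core count, and hypervisor guest-tool services.
    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem

    # Assumed examples of guest-tool service registry keys that anti-VM code looks for.
    $guestServices = 'VBoxService', 'VBoxGuest', 'VMTools', 'vmhgfs', 'vmicheartbeat'
    $present = @($guestServices | Where-Object { Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$_" })

    [pscustomobject]@{
        ProcessorId   = $cpu.ProcessorId
        CpuName       = $cpu.Name
        CpuVendor     = $cpu.Manufacturer
        ClockMHz      = $cpu.MaxClockSpeed
        Cores         = $cpu.NumberOfCores
        BiosSerial    = $bios.SerialNumber
        SystemVendor  = $cs.Manufacturer
        SystemModel   = $cs.Model
        GuestServices = $present
    }
}

function Test-LikelyVirtualMachine {
    $zones = @(Get-ThermalZoneReadings)
    $fp    = Get-HostFingerprint
    $reasons = @()

    if ($zones.Count -eq 0) { $reasons += 'no thermal zone reported (the check GravityRAT relies on)' }
    if ($fp.Cores -lt 2)    { $reasons += "only $($fp.Cores) core(s) (assumed threshold)" }
    if ($fp.GuestServices.Count -gt 0) { $reasons += "guest-tool services present: $($fp.GuestServices -join ', ')" }
    # Assumed vendor/model/serial patterns that name a hypervisor.
    $identity = "$($fp.SystemVendor) $($fp.SystemModel) $($fp.BiosSerial)"
    if ($identity -match 'VMware|VirtualBox|innotek|QEMU|Xen|Virtual Machine') {
        $reasons += 'vendor/model/serial names a hypervisor'
    }

    [pscustomobject]@{
        ThermalZones = $zones
        Fingerprint  = $fp
        LikelyVM     = ($reasons.Count -gt 0)
        Reasons      = $reasons
    }
}

$result = Test-LikelyVirtualMachine
$result.ThermalZones | Format-Table -AutoSize
$result.Fingerprint  | Format-List
"LikelyVM: $($result.LikelyVM)"
$result.Reasons
```

Run it on the sandbox you detonate samples in: if the thermal query comes back empty, any sample using this check will refuse to run there, and the physical hosts Talos mentions that also report nothing are a reminder that the thermal check alone produces false positives in both directions. A sandbox that wants to defeat this check has to present an ACPI thermal zone, not just scrub the vendor strings and service names.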
The Indian Computer Emergency Response Team (CERT-In) says the Trojan has been used in targeted attacks within the country.
"This actor is probably not the most advanced actor we've seen," Cisco says. "But he or she managed to stay under the radar since 2016."
"The actor took their time to ensure they were not within a virtual environment to avoid analysis," the researchers added. "However, they did not take any time at all to attempt to obfuscate their .NET code. The code was largely trivial to reverse engineer, which meant static analysis was an easy option for this piece of malware."