We track the group internally under the name SpaceCobra, and attribute both the BingeChat and Chatico campaigns to this group. The group behind the malware remains unknown, even though Facebook researchers attribute GravityRAT to a group based in Pakistan, as also previously speculated by Cisco Talos. The domains for both the website and C&C server are now offline.įrom here on out, we will only focus on the active campaign using the BingeChat app, which has the same malicious functionality as Chatico. Chatico was most likely distributed through the uk website and also communicated with a C&C server. Like BingeChat, Chatico is based on the OMEMO Instant Messenger app and trojanized with GravityRAT. The malicious apps also provide legitimate chat functionality based on the open-source OMEMO Instant Messenger app.įigure 6. Notable in the newly discovered campaign, GravityRAT can exfiltrate WhatsApp backups and receive commands to delete files. BingeChat is distributed through a website advertising free messaging services. Most likely active since August 2022, the BingeChat campaign is still ongoing however, the campaign using Chatico is no longer active. The actor behind GravityRAT remains unknown we track the group internally as SpaceCobra. Windows, Android, and macOS versions are available, as previously documented by Cisco Talos, Kaspersky, and Cyble.
GravityRAT is a remote access tool known to be used since at least 2015 and previously used in targeted attacks against India. ESET researchers analyzed an updated version of Android GravityRAT spyware that steals WhatsApp backup files and can receive commands to delete filesĮSET researchers have identified an updated version of Android GravityRAT spyware being distributed as the messaging apps BingeChat and Chatico.
0 kommentar(er)
