GravityRAT is a remote access trojan delivered via malicious Microsoft Office Word documents distributed through spam. The trojan can detect whether it is running inside a virtual machine (VM) by issuing a WMI request for the current hardware temperature, a sensor reading that virtualized hardware typically does not expose. If the malware determines it is running in a VM, it does not continue its malicious activity. If a victim downloads and opens the malicious file from the email and enables macros, the malware payload is deployed. After infecting the machine, the malware begins stealing information such as PC and account data, and lists all running processes on the machine and all available sources. Along with the initial download, a scheduled task is created to execute the malicious file every day.
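As an added illustration (not part of the original alert or of the Talos analysis), the following hunting heuristic scores constructed, endpoint-telemetry-style records for the behaviour chain described above: an Office process launching a script host, a WMI query for hardware temperature, and a daily scheduled task pointing into a user profile. The record format, field names and the WMI class name are assumptions for illustration, not a real product's schema.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): "host|event_type|key=value;...".
# WS01 shows the full GravityRAT-like chain; WS02 is benign Office activity.
SAMPLE_EVENTS = [
    "WS01|process_create|image=WINWORD.EXE;child=wscript.exe",
    "WS01|wmi_query|query=SELECT CurrentTemperature FROM MSAcpi_ThermalZoneTemperature",
    "WS01|task_create|name=Updater;trigger=DAILY;action=C:\\Users\\u\\AppData\\Roaming\\svc.exe",
    "WS02|process_create|image=WINWORD.EXE;child=splwow64.exe",
    "WS02|task_create|name=Backup;trigger=WEEKLY;action=C:\\Tools\\backup.exe",
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}


def parse(line):
    """Split one constructed record into (host, event_type, {field: value})."""
    host, etype, rest = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return host, etype, fields


def indicators_for_host(events):
    """Return the set of GravityRAT-like indicators seen in one host's events."""
    hits = set()
    for etype, f in events:
        image, child = f.get("image", "").upper(), f.get("child", "").lower()
        if etype == "process_create" and image in OFFICE_APPS and child in SCRIPT_HOSTS:
            hits.add("office_spawns_script_host")          # macro dropping/launching the payload
        elif etype == "wmi_query" and re.search(r"temperature", f.get("query", ""), re.I):
            hits.add("wmi_temperature_query")              # the VM / sandbox check
        elif (etype == "task_create" and f.get("trigger", "").upper() == "DAILY"
              and "appdata" in f.get("action", "").lower()):
            hits.add("daily_task_from_user_profile")       # daily persistence
    return hits


def hunt(lines, min_hits=2):
    """Group records by host and report hosts with at least min_hits indicators."""
    per_host = defaultdict(list)
    for line in lines:
        host, etype, fields = parse(line)
        per_host[host].append((etype, fields))
    flagged = {}
    for host, events in per_host.items():
        hits = indicators_for_host(events)
        if len(hits) >= min_hits:
            flagged[host] = sorted(hits)
    return flagged


if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

Requiring two or more indicators per host keeps a single WMI temperature query (which legitimate monitoring tools also issue) from producing an alert on its own.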

Technical Details

  • Cisco Talos provides technical details on GravityRAT here.