GravityRAT, a remote access trojan targeting organisations across India, features an unusual trick for evading analysis: taking a reading of the target computer’s temperature.
A high reading suggests the device is running a series of virtual machines – digital chambers used by researchers to isolate and analyse malware as part of a process called “sandboxing”. As such, the trojan will only detonate its payload if the thermal reading is below a certain level.
In a blog post published by Cisco Talos, researchers Warren Mercer and Paul Rascagneres explain that the trojan has remained under the radar for the last two years while its developers have made a series of improvements.
“We’ve seen file exfiltration, remote command execution capability and anti-VM techniques added throughout the life of GravityRAT,” they write. “This consistent evolution beyond standard remote code execution is concerning because it shows determination and innovation by the actor.”
The trojan is delivered through a Word file. Once the file has been opened, a macro makes a copy of the document, renames it as a zip archive, extracts the malicious .exe file stored within it and sets it up to execute every day.
“With this approach, the attacker ensures that there is no direct execution (the executable is executed thanks to scheduled tasks), there’s no download of an additional payload, and finally, the author uses the fact that the docx format is an archive in order to include its executable (GravityRAT),” the researchers add.
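Because the executable travels inside the document's own archive, a mail or file gateway can open the .docx as a zip and flag any member that looks like a Windows program. The sketch below is an added example, not code from Talos or from the malware; the function names, the extension list and the in-memory sample document are all constructed for illustration.

```python
import io
import zipfile

# Extensions that have no place inside an Office Open XML package (assumed list).
SUSPICIOUS_EXTENSIONS = (".exe", ".dll", ".scr", ".com")


def find_embedded_executables(docx_bytes):
    """Return [(member_name, reason)] for members that look like Windows executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for info in package.infolist():
            if info.is_dir():
                continue
            # Check content first: a renamed payload still starts with "MZ".
            with package.open(info) as member:
                magic = member.read(2)
            if magic == b"MZ":
                findings.append((info.filename, "MZ header"))
            elif info.filename.lower().endswith(SUSPICIOUS_EXTENSIONS):
                findings.append((info.filename, "executable extension"))
    return findings


def build_sample(include_payload):
    """Build a constructed, harmless .docx-like archive in memory for the demo."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<document/>")
        if include_payload:
            # Constructed stand-in: only the two-byte MZ magic plus padding,
            # not a real program, stored under an innocuous-looking name.
            package.writestr("word/media/image1.bin", b"MZ" + b"\x00" * 62)
    return buffer.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("with embedded PE", True)):
        print(label, find_embedded_executables(build_sample(flag)))
```

The content check matters more than the name check: a member does not need an .exe extension to be extracted and scheduled by a macro.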
Fortunately, the attempt to evade sandboxing will not work in every instance, and in some cases could make the trojan less effective. The researchers note that thermal monitoring is not supported on Hyper-V, VMware Fusion, VirtualBox, KVM and Xen, and that some physical systems do not support readings either. If the trojan can’t take one, it presumes the system is running VMs and will not detonate.
“This check is not foolproof as we have identified physical hosts which do not report back the temperature, however, it should also be considered a check that is identifying a lot of virtual environments,” the researchers explain. “This is particularly important due to the amount of sandboxing & malware detonation being carried out within virtual environments by researchers.”
Marta Janus, a senior threat researcher at Cylance, said that sandboxing plays an important role in the detection of malware: “There are plenty of known techniques that the threat actors can use to detect virtual machines and emulators, but AV vendors constantly update their sandboxing engines to mitigate these risks.”
“Using a query to check the processor temperature is a novel, rarely seen method of detecting virtual environment,” Janus added. “The fact that it hasn’t been widely publicised in this context yet might be advantageous to cybercriminals, providing their malware with a window of lower detection rates – at least until the countermeasures are implemented. But it also has a substantial disadvantage, as it would prevent the malware from running on certain physical systems, which do not support this query either.”