{"id":92380,"date":"2020-10-22T15:32:30","date_gmt":"2020-10-22T22:32:30","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=92380"},"modified":"2020-10-22T15:32:30","modified_gmt":"2020-10-22T22:32:30","slug":"gravityrat-and-ipstorm-mac-malware-ported-from-windows","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/gravityrat-and-ipstorm-mac-malware-ported-from-windows\/","title":{"rendered":"GravityRAT and IPStorm: Mac Malware, Ported from Windows"},"content":{"rendered":"

\"GravityRAT<\/p>\n

Two malware threats that began on Windows\u2014GravityRAT and IPStorm\u2014are now available for Mac, Android, and Linux, too.<\/p>\n

So what does each malware family do? And what does this mean for the future of Mac malware? Read on for details.<\/p>\n

GravityRAT remote access Trojan<\/h3>\n

\"\"As the name implies, GravityRAT is a RAT: a remote access Trojan. A Windows version of GravityRAT was first discovered in 2017, but the campaign may have been active since 2015 or earlier. It targeted the armed forces of India.<\/p>\n

In 2018, GravityRAT was ported to Android. The malware maker used the source code of a legitimate Android mobile app called Travel Mate, and added malicious code and distributed it as “Travel Mate Pro.” The real Travel Mate is an app designed for people who travel in India.<\/p>\n

As reported by Securelist, GravityRAT malware has more recently been discovered masquerading as “Enigma,” a supposed secure file sharing app that claims to somehow protect against ransomware. First seen on Windows in September 2019, Enigma has also been ported to macOS.<\/p>\n

Other Windows and Mac variants of this Trojan have been distributed under the pretend product names “OrangeVault,” “StrongBox,” and\u00a0“TeraSpace.”<\/p>\n

InterPlanetary Storm (IPStorm) botnet<\/h3>\n

\"\"The original Windows version of the InterPlanetary Storm (or IPStorm) malware was discovered in May 2019, and the first Linux version was found in June 2020.<\/p>\n

The latest variant targets devices running UNIX-like operating systems, including Linux, Android-based TV boxes, and Darwin\u2014the core of macOS.<\/p>\n

IPStorm spreads itself by conducting dictionary-based, brute-force password guessing attacks against SSH servers, and also by accessing open Android Debug Bridge (ADB) ports.<\/p>\n

While the ultimate intentions of the malware maker and botnet master is unknown, an estimated 13,500 devices are believed to be infected worldwide, across at least 84 different countries. Fifty-nine percent of infected devices are located in Hong Kong, South Korea, or Taiwan.<\/p>\n

Why is more Windows malware coming to Mac?<\/h3>\n

\"\"This is not the first time Windows malware has been ported to Mac. A couple of memorable examples include the Snake (aka Turla, Uroburos) malware, ported to Mac in 2017<\/a>, and the XSLCmd malware, ported to Mac in 2014<\/a>.<\/p>\n

Nevertheless, it’s very interesting to see IPStorm and GravityRAT, two unrelated Windows malware families, making their way to Mac in such a short span of time.<\/p>\n

Is this a sign of things to come? Probably.<\/p>\n

The Mac operating system’s market share has more than doubled over the past seven years, according to data from Statista<\/a>. Moreover, we’ve seen a continuous increase in Mac malware<\/a> in recent years.<\/p>\n

We’ve even seen state-sponsored attackers that historically made Windows malware beginning to target macOS, as was the case with Lazarus malware as part of Operation AppleJeus in 2018<\/a>.<\/p>\n

Windows malware developers are likely noticing these trends, and for these and other reasons, Macs are becoming an ever more interesting target for cybercriminals.<\/p>\n

How can one stay safe from IPStorm and GravityRAT?<\/h3>\n

\"IntegoIntego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9<\/a><\/strong>, can protect against, detect, and eliminate this malware.<\/p>\n

Note: Customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected. It is best to upgrade to the latest version of VirusBarrier and macOS if possible to ensure your Mac gets all the latest security updates from Apple.<\/span><\/a><\/p>\n

Indicators of compromise (IoCs)<\/h3>\n

The following are some known SHA-256 hashes of malicious Mac files from these malware families.<\/p>\n

GravityRAT:\r\n65EEF61BA8FC477771BCF37A1C6DF5EA636EF61AC29187D49EB13BA93C228E9A\r\n84D6372141166F87DE9C557E030B866AFFAEB726D66DA204B0A711B1167C83BE\r\nC29BEEDDFF66D825E9A813B5BBFECA513AEC5E4BA3CF1A45284EED9E2A9DFE0E\r\n\r\nIPStorm:\r\n4cd7c5ee322e55b1c1ae49f152629bfbdc2f395e9d8c57ce65dbb5d901f61ac1<\/pre>\n
How can I learn more?<\/h3>\n
For more technical details about this malware, you can refer to Securelist’s write-up of GravityRAT<\/a> and Barracuda’s write-up of IPStorm<\/a>.<\/p>\n
\"\"<\/a>We discussed these and other new Mac malware (including the latest notarized Mac malware<\/a>) on episode 158<\/a> of the Intego Mac Podcast<\/strong><\/a>. Be sure to subscribe<\/a> to make sure you don\u2019t miss any episodes. You\u2019ll also want to subscribe to our e-mail newsletter<\/strong> and keep an eye here on The Mac Security Blog<\/strong> for the latest Apple security and privacy news.<\/p>\n