Malware

GravityRAT and IPStorm: Mac Malware, Ported from Windows

Posted on October 22nd, 2020 by Joshua Long


Two malware threats that began on Windows—GravityRAT and IPStorm—are now available for Mac, Android, and Linux, too.

So what does each malware family do? And what does this mean for the future of Mac malware? Read on for details.

GravityRAT remote access Trojan

As the name implies, GravityRAT is a RAT: a remote access Trojan. A Windows version of GravityRAT was first discovered in 2017, but the campaign may have been active since 2015 or earlier. It targeted the armed forces of India.

In 2018, GravityRAT was ported to Android. The malware maker took the source code of a legitimate Android app called Travel Mate, added malicious code to it, and distributed the result as “Travel Mate Pro.” The real Travel Mate is an app designed for people who travel in India.

As reported by Securelist, GravityRAT malware has more recently been discovered masquerading as “Enigma,” a supposed secure file sharing app that claims to somehow protect against ransomware. First seen on Windows in September 2019, Enigma has also been ported to macOS.

Other Windows and Mac variants of this Trojan have been distributed under the fake product names “OrangeVault,” “StrongBox,” and “TeraSpace.”

InterPlanetary Storm (IPStorm) botnet

The original Windows version of the InterPlanetary Storm (or IPStorm) malware was discovered in May 2019, and the first Linux version was found in June 2020.

The latest variant targets devices running UNIX-like operating systems, including Linux, Android-based TV boxes, and Darwin—the core of macOS.

IPStorm spreads by running dictionary-based, brute-force password-guessing attacks against SSH servers, and by connecting to Android Debug Bridge (ADB) ports left exposed to the network (ADB over TCP listens on port 5555 by default).
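Both propagation methods leave obvious traces. The script below is an added example (not code from the original post, Barracuda, or Intego) that runs the detection logic a defender would want over constructed sshd log lines: it counts failed password attempts per source address and flags any source that is later granted a password login, which is what a successful dictionary attack looks like in the log. The hosts, usernames and addresses are made up; the threshold of five attempts is an assumption to tune for your environment.

```python
"""Flag SSH password-guessing sources in sshd log lines, and the login that follows them."""
import re
import sys
from collections import defaultdict

# Constructed sample in the format OpenSSH writes to syslog/auth.log. The host name,
# users and addresses (documentation ranges) are made up for this example, not real telemetry.
SAMPLE_AUTH_LOG = """\
Oct 22 10:01:02 nas sshd[2181]: Failed password for root from 203.0.113.45 port 51122 ssh2
Oct 22 10:01:03 nas sshd[2181]: Failed password for root from 203.0.113.45 port 51123 ssh2
Oct 22 10:01:04 nas sshd[2183]: Failed password for invalid user admin from 203.0.113.45 port 51124 ssh2
Oct 22 10:01:05 nas sshd[2185]: Failed password for invalid user pi from 203.0.113.45 port 51125 ssh2
Oct 22 10:01:06 nas sshd[2187]: Failed password for invalid user ubnt from 203.0.113.45 port 51126 ssh2
Oct 22 10:01:07 nas sshd[2189]: Failed password for root from 203.0.113.45 port 51127 ssh2
Oct 22 10:01:09 nas sshd[2190]: Accepted password for root from 203.0.113.45 port 51130 ssh2
Oct 22 10:05:00 nas sshd[2201]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Oct 22 10:05:30 nas sshd[2202]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# "invalid user" appears when the account does not exist, a hallmark of dictionary lists.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def analyze_auth_log(text, threshold=5):
    """Return {ip: record} for sources with at least `threshold` failed password attempts.

    record["usernames"] is the set of accounts tried, and record["compromised"] is True
    if a *password* login was accepted from that source after the failures; a later
    public-key login is not counted, since a guessed password cannot produce one.
    """
    state = defaultdict(
        lambda: {"failures": 0, "usernames": set(), "compromised": False, "user": None}
    )
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        rec = state[m["ip"]]
        if m["result"] == "Failed" and m["method"] == "password":
            rec["failures"] += 1
            rec["usernames"].add(m["user"])
        elif m["result"] == "Accepted" and m["method"] == "password":
            if rec["failures"] >= threshold:
                rec["compromised"] = True
                rec["user"] = m["user"]
    return {ip: rec for ip, rec in state.items() if rec["failures"] >= threshold}


if __name__ == "__main__":
    # Usage: python ssh_bruteforce.py [/var/log/auth.log]; defaults to the constructed sample.
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    for ip, rec in analyze_auth_log(log_text).items():
        verdict = f"LOGIN ACCEPTED as {rec['user']}" if rec["compromised"] else "no success seen"
        print(f"{ip}: {rec['failures']} failed password attempts "
              f"({', '.join(sorted(rec['usernames']))}); {verdict}")
```

The cheap way to make this class of attack impossible rather than merely visible is to set `PasswordAuthentication no` (and `PermitRootLogin no`) in `sshd_config`, and on Android devices to leave ADB over TCP switched off unless it is actively needed.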

While the ultimate intentions of the malware maker and botnet master are unknown, an estimated 13,500 devices are believed to be infected worldwide, across at least 84 countries. Fifty-nine percent of infected devices are located in Hong Kong, South Korea, or Taiwan.

Why is more Windows malware coming to Mac?

This is not the first time Windows malware has been ported to Mac. A couple of memorable examples include the Snake (aka Turla, Uroburos) malware, ported to Mac in 2017, and the XSLCmd malware, ported to Mac in 2014.

Nevertheless, it’s very interesting to see IPStorm and GravityRAT, two unrelated Windows malware families, making their way to Mac in such a short span of time.

Is this a sign of things to come? Probably.

The Mac operating system’s market share has more than doubled over the past seven years, according to data from Statista. Moreover, we’ve seen a continuous increase in Mac malware in recent years.

We’ve even seen state-sponsored attackers that historically made Windows malware beginning to target macOS, as was the case with Lazarus malware as part of Operation AppleJeus in 2018.

Windows malware developers are likely noticing these trends, and for these and other reasons, Macs are becoming an ever more interesting target for cybercriminals.

How can one stay safe from IPStorm and GravityRAT?

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate this malware.

Note: Customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected. It is best to upgrade to the latest version of VirusBarrier and macOS if possible to ensure your Mac gets all the latest security updates from Apple.

Indicators of compromise (IoCs)

The following are some known SHA-256 hashes of malicious Mac files from these malware families.

GravityRAT:
65EEF61BA8FC477771BCF37A1C6DF5EA636EF61AC29187D49EB13BA93C228E9A
84D6372141166F87DE9C557E030B866AFFAEB726D66DA204B0A711B1167C83BE
C29BEEDDFF66D825E9A813B5BBFECA513AEC5E4BA3CF1A45284EED9E2A9DFE0E

IPStorm:
4cd7c5ee322e55b1c1ae49f152629bfbdc2f395e9d8c57ce65dbb5d901f61ac1
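If you want to check a machine against these hashes yourself, the script below is an added example (not Intego's code) that walks a directory tree, hashes every regular file, and reports matches against the IoC list above. Note that the GravityRAT hashes are published in uppercase and the IPStorm hash in lowercase; a naive string comparison would miss one or the other, so the scanner normalises case before lookup. The `demo_scan` function exercises the scanner on constructed, harmless files in a temporary directory (with one of them deliberately added to the IoC list by its own hash), so the example runs offline without any malware sample.

```python
"""Scan a directory tree for files whose SHA-256 matches the IoCs in this post."""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# IoC hashes from this post, as published (mixed case) -> malware family.
IOC_SHA256 = {
    "65EEF61BA8FC477771BCF37A1C6DF5EA636EF61AC29187D49EB13BA93C228E9A": "GravityRAT",
    "84D6372141166F87DE9C557E030B866AFFAEB726D66DA204B0A711B1167C83BE": "GravityRAT",
    "C29BEEDDFF66D825E9A813B5BBFECA513AEC5E4BA3CF1A45284EED9E2A9DFE0E": "GravityRAT",
    "4cd7c5ee322e55b1c1ae49f152629bfbdc2f395e9d8c57ce65dbb5d901f61ac1": "IPStorm",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large binaries do not get read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, iocs=IOC_SHA256):
    """Return a list of (path, family, sha256) for every regular file under root whose hash is in iocs."""
    lookup = {h.lower(): family for h, family in iocs.items()}  # hex is case-insensitive
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # skip links, sockets, devices
            try:
                file_hash = sha256_of_file(path)
            except OSError:
                continue  # unreadable or vanished mid-scan; keep going
            family = lookup.get(file_hash)
            if family:
                hits.append((str(path), family, file_hash))
    return hits


def demo_scan():
    """Self-contained demonstration on constructed data (no real malware involved).

    Creates a benign file and a stand-in 'binary' under an Enigma.app-style layout, adds the
    stand-in's own hash (in uppercase, to exercise the case handling) to a copy of the IoC
    list, and returns the scanner's hits. The only expected hit is the stand-in.
    """
    stand_in = b"constructed stand-in for a malicious Mach-O, not real code\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "benign.txt").write_bytes(b"nothing to see here\n")
        macos_dir = root / "Applications" / "Enigma.app" / "Contents" / "MacOS"
        macos_dir.mkdir(parents=True)
        (macos_dir / "Enigma").write_bytes(stand_in)
        test_iocs = dict(IOC_SHA256)
        test_iocs[hashlib.sha256(stand_in).hexdigest().upper()] = "TestFamily"
        return scan_tree(root, test_iocs)


if __name__ == "__main__":
    # Usage: python ioc_scan.py /path/to/scan   (e.g. /Applications or a user's home directory)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(target) if target else demo_scan()
    for path, family, file_hash in results:
        print(f"MATCH {family}: {path} ({file_hash})")
    if not results:
        print("no IoC matches")
```

Hash-based IoCs only catch the exact samples listed; a recompiled or repacked build of the same family will have a different SHA-256, so treat a clean result as "none of these specific files are present", not as proof of a clean machine.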

How can I learn more?

For more technical details about this malware, you can refer to Securelist’s write-up of GravityRAT and Barracuda’s write-up of IPStorm.

We discussed these and other new Mac malware (including the latest notarized Mac malware) on episode 158 of the Intego Mac Podcast. Be sure to subscribe to make sure you don’t miss any episodes. You’ll also want to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.

You can also follow Intego on your favorite social and media channels: Facebook, Instagram, Twitter, and YouTube (click the 🔔 to get notified about new videos).

GravityRAT logo header image based on: “Newton’s apple” by Alexander Borek (CC BY-SA 4.0) and “Vector Illustration of Long-Tailed Rodent Rats Sniff the Air,” Designed by Wannapik (CC BY); both images modified.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher, writer, and public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 20 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on Twitter. View all posts by Joshua Long →