{
	"id": "396e2ffc-3d50-4066-ab94-6d5bf2e181ab",
	"created_at": "2026-04-06T00:22:27.189256Z",
	"updated_at": "2026-04-10T03:20:33.416352Z",
	"deleted_at": null,
	"sha1_hash": "72134bca2f4f7f12c08049a33b837a8f4887a177",
	"title": "GravityRAT malware takes your system's temperature",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 92039,
	"plain_text": "GravityRAT malware takes your system's temperature\r\nArchived: 2026-04-05 19:15:26 UTC\r\nPosted by   Martijn Grooten on   Apr 27, 2018\r\nCisco Talos researchers Warren Mercer and Paul Rascagnères recently discovered and analysed 'GravityRAT', an\r\nadvanced Remote Access Trojan (RAT) that appears to have been used in targeted attacks against organizations in\r\nIndia. Analysis of this piece of malware gives an interesting insight into the current state of malware development.\r\nThe malware is delivered through a malicious Microsoft Office document, likely sent via email, which is a\r\ncommon way for both targeted and opportunistic malware to infect devices. The authors appear to have uploaded\r\nearly versions of the malicious document to VirusTotal, to measure the detection of their code by a range of anti-virus products.\r\nIn general, using VirusTotal in this way gives a malware author only limited insight into whether a piece of\r\nmalware will be blocked: VirusTotal uses static anti-virus scanners and thus uploading a malicious file to the\r\nservice can only help its author understand whether it will be detected as malicious, not whether the malware will\r\nactually be allowed to run. 
On top of a static detection engine, endpoint security software typically includes\r\nvarious layers of protection that aim to prevent both known and unknown malware from running.\r\nFor a malicious document, however, static detection is important in determining whether it will bypass an email\r\nsecurity product; if the file is not detected, it is more likely to be able to bypass such security measures –\r\nespecially if the document is sent only in small quantities, thus not triggering anti-spam detectors in such products.\r\nIf the file is opened, and if macros are enabled by the user, the actual payload will be downloaded.\r\nThe GravityRAT Remote Access Trojan (or Tool) is noteworthy for the fact that it uses no fewer than seven\r\ntechniques to detect whether it is running inside a virtual machine.\r\nA lot of today's malware is 'VM-aware', and when it detects that it is being run inside a virtual machine (and is\r\nthus likely being analysed by a human or a malware-detection sandbox), it either terminates or changes its\r\nbehaviour. Common techniques for detecting a virtual machine environment include looking for traces of the\r\nhypervisor left on the virtual machine, checking the computer name, and checking the number of CPU cores – all\r\nof which GravityRAT does.\r\nBut it also uses a novel technique where it requests the CPU temperature – a feature not commonly supported by\r\nhypervisors. These will then respond 'not supported', thus revealing that the malware is probably not being run on\r\na real machine.\r\nFor many years, there has been a continuous cat-and-mouse (cat-and-rat?) game between malware writers and the\r\ndevelopers of virtual machines and sandboxes. 
Analyses like this help the latter update their tools and thus force\r\nthe malware authors to work even harder.\r\nWarren and Paul spoke at VB2017 last year and will be back at VB2018 in Montreal, to discuss the 'Olympic\r\nDestroyer' malware. Registration for VB2018 will open very soon.\r\nSource: https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/"
	],
	"report_names": [
		"gravityrat-malware-takes-your-systems-temperature"
	],
	"threat_actors": [],
	"ts_created_at": 1775434947,
	"ts_updated_at": 1775791233,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/72134bca2f4f7f12c08049a33b837a8f4887a177.pdf",
		"text": "https://archive.orkl.eu/72134bca2f4f7f12c08049a33b837a8f4887a177.txt",
		"img": "https://archive.orkl.eu/72134bca2f4f7f12c08049a33b837a8f4887a177.jpg"
	}
}