Thursday, December 26, 2024
HomeAndroidCapraRAT Mimics As Popular Android Apps Attacking Android Users

CapraRAT Mimics As Popular Android Apps Attacking Android Users

Published on

SIEM as a Service

Transparent Tribe (aka APT36) has been active since 2016, focusing on social engineering strategies to target Indian government and military personnel.

The CapraTube campaign of Transparent Tribe (aka APT36) was revealed in September 2023, in which threat actors employed weaponized Android apps posing as YouTube, mostly in dating scenarios.

Cybersecurity researchers at SentinelLabs recently discovered that the CapraRAT has been mimicking popular Android apps by attacking Android users.

- Advertisement - SIEM as a Service

These latest actions imply complex but relatively increased spyware conformity with older and modern versions of Android, revealing the group’s adaptability and continuous drive to widen its attack surface against Indian targets.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

CapraRAT As Android Apps

The code of this malware contains obfuscated URLs and utilizes WebView to launch YouTube and CrazyGames[.]com. The “Sexy Videos” app still uses social engineering tactics centered on romance.

“TikTok” is a preloaded query on one app that launches YouTube with a search “Tik Toks.” Another, labeled as “Weapons”, opens the Forgotten Weapons YouTube channel while the third one called “Crazy Games” loads CrazyGames[.]com.

New CapraRAT APKs (Source – Sentinel Labs)

SentinelLabs researchers said this change in CapraRAT’s modus operandi demonstrates its flexibility and employment of genuine platforms as smokescreens for malicious activities, consequently maintaining its core function of accessing sensitive device permissions.

The latest CapraTube campaign continues with the same old romance-themed social engineering using such apps. These apps open YouTube and run theme-related searches.

Although some previously requested permissions have been removed, this malware asks for a lot of dangerous permissions during monitoring.

Android 8.0 (Oreo) and above versions are now being targeted compared to the September 2023 campaign to make them more compatible with modern devices.

Still, they ask for suspicious permissions despite operating well on new Android versions. Consequently, a new WebView class has been added to retain compatibility with older Android versions.

Even after updating these aspects, malware’s core functionality remains largely unchanged as they focus on surveillance capabilities.

The spyware application CapraRAT is initiated through MainActivity and exploits the TCHPClient class for malicious activities. It includes functions for audio streaming, call recording, contact logging, file browsing, and SMS sniffing.

These kinds of malware use particular hostnames and IP addresses to communicate with their C2 servers, some of which are connected to other malware like CrimsonRAT.

The latest updates aim to enhance the software’s reliability and ensure its compatibility with newer Android versions.

The social engineering tactics employed by this malware target specific groups, such as mobile gamers or people who love guns.

Users should pay attention to app permissions they give during installations and be cautious about unnecessary requests for access.

Incident responders must keep an eye on specific network indicators and method names related to CapraRAT.

IoCs

IoCs  (Source – Sentinel Labs)

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Indonesia Government Data Breach – Hackers Leaked 82 GB of Sensitive Data Online

Hackers have reportedly infiltrated and extracted a vast 82 GB of sensitive data from...

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating...

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability...

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Indonesia Government Data Breach – Hackers Leaked 82 GB of Sensitive Data Online

Hackers have reportedly infiltrated and extracted a vast 82 GB of sensitive data from...

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating...

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability...