Friday, November 22, 2024
HomeAndroidCapraRAT Mimics As Popular Android Apps Attacking Android Users

CapraRAT Mimics As Popular Android Apps Attacking Android Users

Published on

Transparent Tribe (aka APT36) has been active since 2016, focusing on social engineering strategies to target Indian government and military personnel.

The CapraTube campaign of Transparent Tribe (aka APT36) was revealed in September 2023, in which threat actors employed weaponized Android apps posing as YouTube, mostly in dating scenarios.

Cybersecurity researchers at SentinelLabs recently discovered that the CapraRAT has been mimicking popular Android apps by attacking Android users.

- Advertisement - SIEM as a Service

These latest actions imply complex but relatively increased spyware conformity with older and modern versions of Android, revealing the group’s adaptability and continuous drive to widen its attack surface against Indian targets.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

CapraRAT As Android Apps

The code of this malware contains obfuscated URLs and utilizes WebView to launch YouTube and CrazyGames[.]com. The “Sexy Videos” app still uses social engineering tactics centered on romance.

“TikTok” is a preloaded query on one app that launches YouTube with a search “Tik Toks.” Another, labeled as “Weapons”, opens the Forgotten Weapons YouTube channel while the third one called “Crazy Games” loads CrazyGames[.]com.

New CapraRAT APKs (Source – Sentinel Labs)

SentinelLabs researchers said this change in CapraRAT’s modus operandi demonstrates its flexibility and employment of genuine platforms as smokescreens for malicious activities, consequently maintaining its core function of accessing sensitive device permissions.

The latest CapraTube campaign continues with the same old romance-themed social engineering using such apps. These apps open YouTube and run theme-related searches.

Although some previously requested permissions have been removed, this malware asks for a lot of dangerous permissions during monitoring.

Android 8.0 (Oreo) and above versions are now being targeted compared to the September 2023 campaign to make them more compatible with modern devices.

Still, they ask for suspicious permissions despite operating well on new Android versions. Consequently, a new WebView class has been added to retain compatibility with older Android versions.

Even after updating these aspects, malware’s core functionality remains largely unchanged as they focus on surveillance capabilities.

The spyware application CapraRAT is initiated through MainActivity and exploits the TCHPClient class for malicious activities. It includes functions for audio streaming, call recording, contact logging, file browsing, and SMS sniffing.

These kinds of malware use particular hostnames and IP addresses to communicate with their C2 servers, some of which are connected to other malware like CrimsonRAT.

The latest updates aim to enhance the software’s reliability and ensure its compatibility with newer Android versions.

The social engineering tactics employed by this malware target specific groups, such as mobile gamers or people who love guns.

Users should pay attention to app permissions they give during installations and be cautious about unnecessary requests for access.

Incident responders must keep an eye on specific network indicators and method names related to CapraRAT.

IoCs

IoCs  (Source – Sentinel Labs)

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to...

Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to...