CapraRAT Mimics As Popular Android Apps Attacking Android Users

Transparent Tribe (aka APT36) has been active since 2016, focusing on social engineering strategies to target Indian government and military personnel.

The CapraTube campaign of Transparent Tribe (aka APT36) was revealed in September 2023, in which threat actors employed weaponized Android apps posing as YouTube, mostly in dating scenarios.

Cybersecurity researchers at SentinelLabs recently discovered that the CapraRAT has been mimicking popular Android apps by attacking Android users.

These latest actions imply complex but relatively increased spyware conformity with older and modern versions of Android, revealing the group’s adaptability and continuous drive to widen its attack surface against Indian targets.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

CapraRAT As Android Apps

The code of this malware contains obfuscated URLs and utilizes WebView to launch YouTube and CrazyGames[.]com. The “Sexy Videos” app still uses social engineering tactics centered on romance.

“TikTok” is a preloaded query on one app that launches YouTube with a search “Tik Toks.” Another, labeled as “Weapons”, opens the Forgotten Weapons YouTube channel while the third one called “Crazy Games” loads CrazyGames[.]com.

SentinelLabs researchers said this change in CapraRAT’s modus operandi demonstrates its flexibility and employment of genuine platforms as smokescreens for malicious activities, consequently maintaining its core function of accessing sensitive device permissions.

The latest CapraTube campaign continues with the same old romance-themed social engineering using such apps. These apps open YouTube and run theme-related searches.

Although some previously requested permissions have been removed, this malware asks for a lot of dangerous permissions during monitoring.

Android 8.0 (Oreo) and above versions are now being targeted compared to the September 2023 campaign to make them more compatible with modern devices.

Still, they ask for suspicious permissions despite operating well on new Android versions. Consequently, a new WebView class has been added to retain compatibility with older Android versions.

Even after updating these aspects, malware’s core functionality remains largely unchanged as they focus on surveillance capabilities.

The spyware application CapraRAT is initiated through MainActivity and exploits the TCHPClient class for malicious activities. It includes functions for audio streaming, call recording, contact logging, file browsing, and SMS sniffing.

These kinds of malware use particular hostnames and IP addresses to communicate with their C2 servers, some of which are connected to other malware like CrimsonRAT.

The latest updates aim to enhance the software’s reliability and ensure its compatibility with newer Android versions.

The social engineering tactics employed by this malware target specific groups, such as mobile gamers or people who love guns.

Users should pay attention to app permissions they give during installations and be cautious about unnecessary requests for access.

Incident responders must keep an eye on specific network indicators and method names related to CapraRAT.

IoCs

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files