CapraRAT Mimics As Popular Android Apps Attacking Android Users

Transparent Tribe (aka APT36) has been active since 2016, focusing on social engineering strategies to target Indian government and military personnel.

The CapraTube campaign of Transparent Tribe (aka APT36) was revealed in September 2023, in which threat actors employed weaponized Android apps posing as YouTube, mostly in dating scenarios.

Cybersecurity researchers at SentinelLabs recently discovered that the CapraRAT has been mimicking popular Android apps by attacking Android users.

These latest actions imply complex but relatively increased spyware conformity with older and modern versions of Android, revealing the group’s adaptability and continuous drive to widen its attack surface against Indian targets.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

CapraRAT As Android Apps

The code of this malware contains obfuscated URLs and utilizes WebView to launch YouTube and CrazyGames[.]com. The “Sexy Videos” app still uses social engineering tactics centered on romance.

“TikTok” is a preloaded query on one app that launches YouTube with a search “Tik Toks.” Another, labeled as “Weapons”, opens the Forgotten Weapons YouTube channel while the third one called “Crazy Games” loads CrazyGames[.]com.

New CapraRAT APKs (Source – Sentinel Labs)

SentinelLabs researchers said this change in CapraRAT’s modus operandi demonstrates its flexibility and employment of genuine platforms as smokescreens for malicious activities, consequently maintaining its core function of accessing sensitive device permissions.

The latest CapraTube campaign continues with the same old romance-themed social engineering using such apps. These apps open YouTube and run theme-related searches.

Although some previously requested permissions have been removed, this malware asks for a lot of dangerous permissions during monitoring.

Android 8.0 (Oreo) and above versions are now being targeted compared to the September 2023 campaign to make them more compatible with modern devices.

Still, they ask for suspicious permissions despite operating well on new Android versions. Consequently, a new WebView class has been added to retain compatibility with older Android versions.

Even after updating these aspects, malware’s core functionality remains largely unchanged as they focus on surveillance capabilities.

The spyware application CapraRAT is initiated through MainActivity and exploits the TCHPClient class for malicious activities. It includes functions for audio streaming, call recording, contact logging, file browsing, and SMS sniffing.

These kinds of malware use particular hostnames and IP addresses to communicate with their C2 servers, some of which are connected to other malware like CrimsonRAT.

The latest updates aim to enhance the software’s reliability and ensure its compatibility with newer Android versions.

The social engineering tactics employed by this malware target specific groups, such as mobile gamers or people who love guns.

Users should pay attention to app permissions they give during installations and be cautious about unnecessary requests for access.

Incident responders must keep an eye on specific network indicators and method names related to CapraRAT.

IoCs

IoCs  (Source – Sentinel Labs)

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Indonesia Government Data Breach – Hackers Leaked 82 GB of Sensitve Data Online

Hackers have reportedly infiltrated and extracted a vast 82 GB of sensitive data from the Indonesian…

12 minutes ago

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating system…

2 hours ago

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability in Apache…

2 hours ago

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber espionage…

2 hours ago

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

1 day ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

2 days ago