An advanced persistent threat (APT) group with political motives has added a new remote access trojan (RAT) to its malware arsenal. The RAT is being used in an espionage campaign targeting Indian military and diplomatic entities.
Trend Micro has named the malware CapraRAT. CapraRAT is an Android RAT that shares many similarities with CrimsonRAT, a Windows malware from the same group; the article describes the overlap as a high “degree of crossover”. CrimsonRAT is linked to Earth Karkaddan, a threat actor also known under the monikers APT36, Operation C-Major, PROJECTM, Mythic Leopard, and Transparent Tribe.
APT36 was first tracked in 2016, when the group began spreading information-stealing malware through phishing emails carrying malicious PDF attachments. The emails targeted Indian military and government personnel. The group is thought to be of Pakistani origin and to have been operating since 2013.
The threat actors rely on social engineering and a USB-based worm to gain initial access. A common feature of the group’s campaigns is a Windows backdoor called CrimsonRAT, which gives the attackers access to the compromised systems. More recent attacks have evolved to deliver ObliqueRAT as well.
CrimsonRAT is a .NET binary whose main purpose is to collect information from targeted Windows systems, such as screenshots, keystrokes, and files from removable drives. The collected information is then uploaded to the attackers’ command-and-control server.
The new malware is a customised Android RAT delivered through phishing links. CapraRAT, disguised as a YouTube app, appears to be a modified version of the open-source RAT AndroRAT. It has various data exfiltration functions, such as harvesting victims’ locations, phone call logs, and contact information.
Android RATs have been used by many hacking groups before. In May 2018, human rights defenders in Pakistan were targeted with Android spyware called StealthAgent, which intercepted phone calls and messages, siphoned photos, and tracked victims’ whereabouts.
Then, in 2020, attack campaigns by Transparent Tribe used military-themed lures to drop a modified version of the AhMyth Android RAT, which masqueraded as a porn-related app and as a fake version of the Aarogya Setu COVID-19 tracking app.
To mitigate such attacks, users are advised to watch out for unsolicited emails, avoid clicking on links or downloading email attachments from unknown senders, install apps only from trusted sources, and be careful when granting the permissions that apps request.
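The permission advice above can be turned into a concrete check. The script below is an added example, not code from the article or from Trend Micro: it parses an Android manifest and flags two things the article associates with CapraRAT, an app whose label impersonates YouTube while its package name is not Google's, and requested permissions that would enable the location, call-log and contact harvesting described. The manifest, the package name `com.example.video.player` and the permission-to-capability mapping are constructed for illustration.

```python
# Added example: review an Android manifest for the capabilities the
# article attributes to CapraRAT (location, call logs, contacts).
# The sample manifest and the SENSITIVE mapping are constructed.
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID = "{%s}" % ANDROID_NS  # ElementTree's namespaced-attribute prefix

# Permissions mapped to the data-collection capability they enable.
# The mapping is an assumption for illustration, not an exhaustive list.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "location tracking",
    "android.permission.READ_CALL_LOG": "phone call log collection",
    "android.permission.READ_CONTACTS": "contact information collection",
    "android.permission.RECORD_AUDIO": "audio capture",
    "android.permission.READ_SMS": "message interception",
}

# Known app labels and the package name the genuine app ships under.
KNOWN_PACKAGES = {"YouTube": "com.google.android.youtube"}

# Constructed manifest: a "YouTube" app that asks for location,
# call-log and contact access it has no reason to need.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.video.player">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="YouTube"/>
</manifest>
"""


def parse_manifest(manifest_xml):
    """Return package name, application label and requested permissions."""
    root = ET.fromstring(manifest_xml)
    perms = [e.get(ANDROID + "name") for e in root.iter("uses-permission")]
    perms = [p for p in perms if p]
    app = root.find("application")
    label = app.get(ANDROID + "label") if app is not None else None
    return {"package": root.get("package"), "label": label, "permissions": perms}


def flag_sensitive(perms):
    """Map each requested sensitive permission to the capability it enables."""
    return {p: SENSITIVE[p] for p in perms if p in SENSITIVE}


def impersonation(label, package):
    """True when the label belongs to a known app but the package does not."""
    expected = KNOWN_PACKAGES.get(label)
    return expected is not None and package != expected


def review(manifest_xml):
    """Produce a list of human-readable findings for the manifest."""
    info = parse_manifest(manifest_xml)
    findings = []
    if impersonation(info["label"], info["package"]):
        findings.append(
            "label %r but package %r is not %s"
            % (info["label"], info["package"], KNOWN_PACKAGES[info["label"]])
        )
    for perm, capability in flag_sensitive(info["permissions"]).items():
        findings.append("%s enables %s" % (perm, capability))
    return findings


if __name__ == "__main__":
    # Pass a decoded AndroidManifest.xml path, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MANIFEST
    for finding in review(text):
        print("FLAG:", finding)
```

The manifest inside a packaged APK is stored in a binary XML encoding, so it must be decoded (for example with apktool) before being fed to this script. The check is deliberately simple: a video player requesting call-log and contact access is the kind of permission mismatch the article's advice asks users to notice before tapping "Allow".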