Cyble-Deep-Dive-Analysis-capraRAT

Deep Dive Analysis – capraRAT

APT 36 Targeting Indian Government Officials via Spyware

Cyble Research Labs has come across an article wherein security researchers have mentioned a new Android malware named capraRAT. This malware is used by an Advanced Persistent Threat (APT) group called APT36, a.k.a Transparent Tribe, which has been observed targeting the Indian Government and its Defence personnel.

APT36, also known as ProjectM, Copper Fieldstone, Earth Karkaddan, is a Pakistan-based Threat Actors (TA) group. In the past, the APT36 group has launched a fake version of the Aarogya Setu Application for malicious purposes. Aarogya Setu is an application developed by the Indian Government to track COVID-19 cases.

Our analysis indicates that upon successful execution, this malicious application can steal sensitive data such as contacts, call logs, SMSs, Location, take screenshots, record calls, and microphone audio, send SMSs, etc., from the victims’ devices.

Technical Analysis

APK Metadata Information

  • App Name:  Android Services
  • Package Name: com.example.appcode.appcode
  • SHA256 Hash: d9979a41027fe790399edebe5ef8765f61e1eb1a4ee1d11690b4c2a0aa38ae42

Figure 1 shows the metadata information of the application.

Figure 1 – App Metadata Information

The below figure shows the application icon and name displayed on the Android device.

Figure 2 – App Icon and Name

Upon opening the application, the malware hides its icon from the Android device’s screen and continuously communicates with the Command and Control (C&C) server hxxp://android.viral91[.]xyz/admin/webservices.

Figure 3 – App Communicates to C&C

We observed the similar domain hxxp://viral91[.]xyz had been used by Crimson RAT to target Windows machines. The TA behind Crimson RAT is also from APT36, which leads us to believe the same TAs are likely behind capraRAT.

Manifest Description

capraRAT requests the user for 21 different permissions, of which it abuses 12 permissions which are listed below.

PermissionsDescription
READ_SMSAccess SMSs from the victim’s device.
RECEIVE_SMSIntercept SMSs received on the victim’s device
READ_CALL_LOGAccess Call Logs
READ_CONTACTSAccess phone contacts.
READ_PHONE_STATEAllows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.
RECORD_AUDIOAllows the app to record audio with the microphone, which the attackers can misuse.
ACCESS_COARSE_LOCATIONAllows the app to get the approximate location of the device network sources such as cell towers and Wi-Fi.
ACCESS_FINE_LOCATIONThe app allows the device’s precise location using the Global Positioning System (GPS).
SEND_SMSAllows an application to send SMS messages.
CALL_PHONEAllows an application to initiate a phone call without going through the Dialer user interface to confirm the call.
WRITE_EXTERNAL_STORAGEAllows the app to write or delete files to the device’s external storage.
PROCESS_OUTGOING_CALLSAllows the app to process outgoing calls and modify the dialing number.

We observed that the defined launcher activity in the malicious app’s manifest file loads the application’s first screen, as shown below.

Figure 4 – Launcher Activity

Source Code Review

Our static analysis indicated that the malware steals sensitive data such as Contacts, SMSs, Call logs, and location. Besides recording calls and microphone audio, the malware also deletes files, sends SMSs, makes calls, takes pictures from the camera, etc., based on the commands received from the C&C server.

The method hideApp() showcases the code used by the malware to hide its icon from the device screen, as shown in Figure 5.

Figure 5 – Code to Hide App Icon

The listContacts() method has been used to access the contacts data such as phone numbers and emails from the victim’s device, as shown below.

Figure 6 – Code to Collect Contacts Data

Through the listSMS() method, we identified that the malware collects SMSs from the device, as shown in the below figure.

Figure 7 – Code to Collect SMSs

The method listCallLog() depicts the malware’s ability to collect Call logs data from the device. Refer to Figure 8.

Figure 8 – Code to Collect Call Logs

The code snippet shown in the below image depicts the methods getLocByGPS()and getLocByNetwork(), which are used to collect device location from both the GPS and the connected network.

Figure 9 – Code to collect Device Location Data

The image below highlights the malware code that takes screenshots of the device’s screen and sends them to the C&C server based on the command received from the TA.

Figure 10 – Code to take Screenshots from the device

The image below shows the malware code to collect the device’s details such as phone number, IMEI, country code, operator details, etc.

Figure 11 – Code to collect Device Information

The malware also captures the pictures from the device’s front and back camera without the user’s knowledge.

Figure 12 – Code to Capture Images from Device Cameras

The method callRecording() shown in the below image depicts the malware’s ability to record calls.

Figure 13 – Code to Record Calls

The method micRecording() shown in the below image is used by the malware to record microphone audio from the infected device.

Figure 14 – Code to Record using Device Microphone

The sendSMS() method can be used to send text messages. The TA’s C&C will provide details such as the recipient’s mobile number and message content.

Figure 15 – Code to Send SMS

The below code snippet demonstrates the method gaveCall(), which can be used to make calls on any number provided by TA’s C&C.

Figure 16 – Code to Make Calls

The method updateApp() can be used to update the capraRAT malware.

Figure 17 – Code to Update App

The malware communicates with the malicious C&C server to receive the commands and sends sensitive information in response.

Figure 18 –  Malware’s Communication with C&C Server

We have listed the commands used by the TAs to control the infected device:

CommandDescription
smslogsGet SMS data
smsstopUnregister SMS Service
updateappUpdate the Malware App
capscreenTake Screenshots
gavecallProcess Outgoing Call
recordcalCall Record
recordmicMic Record
deleteFileDelete Files
sendsmsSend SMS

Conclusion

APT36 has been active since 2013 and uses various sophisticated malware in its attacks. capraRAT is one such malicious Android application used by the group which can perform Remote Access Trojan activities with the potential to steal Indian Government personnel’s sensitive data, including contacts, call logs, SMSs, Location, audio recordings, etc.

Given the sensitive nature of the data being accessed and the APT group suspected to be behind it, capraRAT could have severe national security implications for the Indian Diplomatic and Defense infrastructure.

TAs constantly adapt their methods to avoid detection and find new ways to target users through increasingly sophisticated techniques. Such malicious applications often masquerade as legitimate applications to trick users into installing them. This situation makes it imperative for users to install applications only after verifying their authenticity. Apps should only be installed exclusively via the official Google Play Store and other trusted portals to avoid such attacks.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and your device OS and take necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
  • Perform a factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails. 

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1476Deliver Malicious App via Other Mean.
Initial AccessT1444Masquerade as Legitimate Application
ExecutionT1575Native Code
CollectionT1433Access Call Log
CollectionT1412Capture SMS Messages
CollectionT1432Access Contact List
CollectionT1429Capture Audio
CollectionT1512Capture Camera
CollectionT1533Data from Local System
CollectionT1430Location Tracking
Command and ControlT1436Commonly Used Port

Indicators Of Compromise (IOCs)

IndicatorsIndicator TypeDescription
d9979a41027fe790399edebe5ef8765f61e1eb1a4ee1d11690b4c2a0aa38ae42SHA256capraRAT APK
hxxp://android.viral91[.]xyz/admin/webservicesURLC&C
Scroll to Top