Sophisticated RAT capable of performing Ransomware Attacks
While conducting our routine Open-Source Intelligence (OSINT) research, Cyble Research Labs came across a Twitter Post wherein the researcher mentioned an opendir website “hxxp://blindajeseguro[.]online,” which was hosting a malicious Android application.
Upon analyzing the application, we observed that the Threat Actor (TA) was using the source code of the “Pro” version of AIRAVAT RAT, which the TA may have bought from the AIRAVAT author.
AIRAVAT is a multifunctional Android RAT with a web panel without port forwarding. The source code of AIRAVAT’s basic version is available on Github, while the Pro version’s source code is not publicly available.
The below figure compares the malware’s Basic and Pro features.
Our research has identified over 100 samples related to this RAT since April 2022 alone, indicating that the malware is already being widely deployed and distributed.
Cyble Research Labs continuously monitors applications using this open-source RAT project to perform malicious activities. In April 2022, we came across the Telegram channel where a TA named “Sphanter” was selling an Android RAT for $199. The TA posted multiple malicious APK files, including “Teat version.apk,” which contained the source code to the Pro version of AIRAVAT RAT.
Typically, the TA uses open-source Github projects or the purchased Pro version(s) from the original author, modifies the source code according to their requirements, and sells the malware on different platforms.
During our research, we observed AIRAVAT RAT being promoted on various cybercrime forums with the disclaimer
“TO BE USED FOR EDUCATION PURPOSE ONLY.”
Our research indicates that the RAT has an extremely simplified structure and is easy to set up despite having immensely powerful functionalities, which could explain its popularity among TAs who are purchasing and using it. These functionalities have been discussed in detail in the Technical Analysis section.
Technical Analysis
APK Metadata Information 
- Package Name: sigma.male
- SHA256 Hash: ab91fcca30556555b8fe6128075c80c3bd906eed5facdc57f2e493ddbb37f779
 
Figure 5 shows the metadata information of the malicious application. 
Manifest Description
The malicious app mentions 21 permissions in the manifest file, of which the TA takes advantage of 10. The malware’s harmful permission request is as follows:
| Permission | Description |
| WRITE_CALL_LOG | Allows an application to write (but not read) the user’s call log data. |
| CAMERA | Required to be able to access the camera device. |
| READ_CALL_LOG | Allows an application to read the user’s call log. |
| READ_CONTACTS | Allows an application to read the user’s contact data. |
| READ_EXTERNAL_STORAGE | Allows an application to read from external storage. |
| WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage. |
| RECORD_AUDIO | Allows an application to record audio. |
| READ_SMS | Allows an application to read SMS messages. |
| RECEIVE_SMS | Allows an application to receive SMS messages. |
| CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call |
Source Code Review
The application is not visible on the device as it has no icon and runs silently in the background after installation. The malicious application further connects to the firebase Command and Control (C&C) server to receive the commands from TA to perform the specific attack on the victim’s device, as shown below.
The getAllSMS() method is used by the malware to collect all the SMS data from the victim’s device and send it to the C&C server.
After receiving the command Dmpcall, the malware collects the call log data and sends it to the C&C server, as shown below.
The malware can receive different shell commands from the C&C server and execute them on the victim’s device. TAs execute these shell commands to perform actions such as opening/terminating applications, monitoring network, and file activities, etc.
The malware has the code to send an SMS from the victim’s device, whereas the recipient number and SMS content are provided by the TA’s C&C server, as shown in the image below.
The malware uses the method _voicere() to start recording audio using a media recorder and send these recordings to the TA’s C&C server.
The TA sends the command ransom1 to encrypt the files on the victim’s machine; after file encryption, the ransom message, including the ransom amount, is displayed on the victim’s device via notifications.
Once the victim pays the ransom amount, the TA can send a command ransom2 to decrypt the victim’s files.
The malware uses the code below to capture images using the victim’s device camera and to send the captured images to the C&C server.
The TA sends the command delfile along with the file name to delete specific files on the victim’s device, as shown below.
The TA can use the command openweburi to send phishing URLs to steal the user’s sensitive information, such as credentials.
Along with the aforementioned features, the malware can also change the wallpaper of the victim’s device, play random music, vibrate the device, perform keylogging, and gather SIM card information.
The commands used by the malware are:
| Command | Description |
| dmpsms | Collects SMS data |
| dmpcall | Collects Call logs |
| dmpcont | Collects Contact list |
| getpackages | Collects installed application package names |
| shellcmd | Execute shell commands |
| deviceinfo | Collects device info |
| toasttext | Collects toast notification data |
| ttsdev | Executes text to speech |
| vibratedev | Vibrates device |
| playsmusic | Play random music |
| sendsms | Sends SMS from victims’ device |
| changewall | Launches the defined URL |
| voicerec | Records audio |
| encrypt | Encrypts files |
| decrypt | Decrypts files |
| ransom1 | Ask for ransom and encrypt files |
| ransom2 | Decrypt files after receiving |
| capturecam | Captures camera images |
| delfile | Deletes file from victim’s device |
| simcardinfo | Collets Simcard info |
| openweburi | Open phishing page |
Conclusion
Telegram has emerged as a rising marketplace for TAs to sell malware and run different malicious campaigns. Our research indicated that TAs leverage open-source projects and sell them on Telegram channels and other platforms for financial gain. In the past, we have seen the TAs using the leaked source code of several tools such as Spynote, SpyMax RAT, and many more.
Cyble Research Labs continuously monitors the use of such open-source projects being leveraged by TAs for any malicious intent, and we will keep our readers aware and informed.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
- Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.
What to do when you are infected?
- Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
- Perform a factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media Files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1476 | Deliver Malicious App via Other Mean. |
| Collection | T1412 | Capture SMS Messages |
| Collection | T1432 | Access Contact List |
| Collection | T1433 | Access Call Logs |
| Collection | T1429 | Capture Audio |
| Collection | T1533 | Data from Local Storage |
| Collection | T1512 | Capture Camera |
| Impact | T1447 | Delete Device Data |
| Input Capture | T1417 | Input Capture |
| Collection | T1436 | Commonly used ports |
Indicators Of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| ab91fcca30556555b8fe6128075c80c3bd906eed5facdc57f2e493ddbb37f779 | SHA256 | Hash of the analyzed APK file |
| faed58d2c8e8931e3e78cda0835d3851d13e295e | SHA1 | Hash of the analyzed APK file |
| 6fac9478a54847894dd18a4dd872193e | MD5 | Hash of the analyzed APK file |
| hxxp://blindajeseguro[.]online/ | URL | Malware distribution site |
| hxxps://jhon-30119-default-rtdb[.]firebaseio.com | URL | C&C server |
| 1d3be2cf4af7b2a976f17c6e3f09c925171c7496706aefd4518cd0de772bf2e6 | SHA256 | Hash of the analyzed APK file |
| d343bd8e54d0a5fbbb5ef95ba29e11169e0a6ed6 | SHA1 | Hash of the analyzed APK file |
| 9518cc7b90498c97fa2644689cd7af05 | MD5 | Hash of the analyzed APK file |
| e2d37779a91da5bff2a066a614cb03d77fb2e17e36660ca838eab92b82d61440 | SHA256 | Hash of the analyzed APK file |
| d9eaf807b464dcd10ef4adf56253e5fc8d84cece | SHA1 | Hash of the analyzed APK file |
| c1b1be3d2060ba12de2bf1cab7a779a2 | MD5 | Hash of the analyzed APK file |
| hxxps://dragomitch[.]com/ | URL | Malware distribution site |
