Cyfirma finds out who your EVLF DEV is.
The criminal, known in the cyber underground under the pseudonym EVLF DEV, sells two types of CraxsRAT malware. According to researchers, the hacker has been based in Syria for 8 years. On the distribution of Trojans, he managed to earn about $ 75,000.
Cybersecurity company Cyfirma also found out that for the last three years, the attacker mainly offers customers the "malware-as-a-service" (MaaS) model, that is, a commercial practice in which malware is provided as a service
RAT is one of the most dangerous Trojan viruses for the Android operating system. According to Cyfirma, EVLF DEV has already sold at least 100 lifetime licenses to use the program.
CraxsRAT provides high-level obfuscation ("darkening") of the code, allowing you to adapt it for a specific type of attack, including the ability to inject it into WebView.
The CraxsRAT builder also includes a quick installation option. It minimizes the number of permissions required to evade security systems. However, after installation, the buyer can activate additional permissions. An interesting feature is the so-called "super mod", which prevents the virus from being removed from the device.
On infected devices, CraxsRAT is able to detect geolocation, read and copy contacts, access the file system, as well as the user's messages and call history.
In the course of research, Cyfirma discovered an active Telegram channel with more than 10,000 subscribers belonging to EVLF DEV, as well as a cryptocurrency wallet that disclosed his financial activity. The company asked the wallet provider to temporarily freeze its assets.
After freezing the funds in the account, EVLF DEV created a discussion on the forum about cryptocurrencies, which allowed specialists to collect additional information about him, including his real name, various nicknames, IP address and email.
"Based on our investigation, we can state with a high degree of confidence that a person from Syria is still behind the activities of EVLF DEV," Cyfirma representatives stressed.
The criminal, known in the cyber underground under the pseudonym EVLF DEV, sells two types of CraxsRAT malware. According to researchers, the hacker has been based in Syria for 8 years. On the distribution of Trojans, he managed to earn about $ 75,000.
Cybersecurity company Cyfirma also found out that for the last three years, the attacker mainly offers customers the "malware-as-a-service" (MaaS) model, that is, a commercial practice in which malware is provided as a service
RAT is one of the most dangerous Trojan viruses for the Android operating system. According to Cyfirma, EVLF DEV has already sold at least 100 lifetime licenses to use the program.
CraxsRAT provides high-level obfuscation ("darkening") of the code, allowing you to adapt it for a specific type of attack, including the ability to inject it into WebView.
The CraxsRAT builder also includes a quick installation option. It minimizes the number of permissions required to evade security systems. However, after installation, the buyer can activate additional permissions. An interesting feature is the so-called "super mod", which prevents the virus from being removed from the device.
On infected devices, CraxsRAT is able to detect geolocation, read and copy contacts, access the file system, as well as the user's messages and call history.
In the course of research, Cyfirma discovered an active Telegram channel with more than 10,000 subscribers belonging to EVLF DEV, as well as a cryptocurrency wallet that disclosed his financial activity. The company asked the wallet provider to temporarily freeze its assets.
After freezing the funds in the account, EVLF DEV created a discussion on the forum about cryptocurrencies, which allowed specialists to collect additional information about him, including his real name, various nicknames, IP address and email.
"Based on our investigation, we can state with a high degree of confidence that a person from Syria is still behind the activities of EVLF DEV," Cyfirma representatives stressed.
