CapraRAT Trojan: How Hackers Get into Your Life while You watch YouTube

Carding

Professional
Messages
2,829
Reputation
17
Reaction score
2,087
Points
113
The Trojan turns the phones of government employees into a listening device.

The hacker group APT36 (Transparent Tribe) was seen using at least three Android apps that mimic YouTube to infect devices with a Remote Access Trojan called CapraRAT.

The campaign was discovered by the SentinelLabs research laboratory, which warned organizations and individuals associated with military and diplomatic structures in India and Pakistan to be extremely careful with YouTube clients hosted on third-party sites.

How CapraRAT works

Once installed on the victim's device, CapraRAT can collect data, record audio and video, and access confidential information. In essence, it is a tool for cyber espionage. Among the Trojan's features:
  • Recording audio and video using the device's microphone and cameras;
  • Collecting SMS and MMS messages, as well as call logs;
  • Initiating phone calls and sending SMS;
  • Taking screenshots of the device screen;
  • Changing critical system settings, including GPS and network settings;
  • Modifying or deleting files in the device's file system.

Malicious APKs are distributed outside of Google Play, and victims are most likely exposed to social engineering to download and install the Trojan. During installation, apps ask for a lot of risky permissions, which the victim can grant without suspicion, assuming that this is a regular YouTube client.


Requested App Permissions

SentinelLabs notes that the latest versions of CapraRAT have a number of improvements over the previous ones, which indicates the continuous development of the malware. Despite relatively weak operational security, which makes the hackers' activities relatively easy to detect, the group is constantly updating its tools, which makes their threat more elusive.

SentinelLabs notes that while the group's weak operational security makes its campaigns and tools easily identifiable, the hackers' continuous introduction of new applications provides the ability to constantly infect new victims.

The Transparent Tribe group has recently been linked to a number of other attacks targeting Indian government organizations using malicious versions of a two-factor authentication solution called Kavach.

CapraRAT was previously used in the APT36 cyber espionage campaign targeting Indian and Pakistani Android users. According to preliminary estimates, the victims were about 150 people. The malware could be downloaded from fake phishing websites, and the app itself is definitely a parody of WhatsApp by its interface and name.
 

Carding

Professional
Messages
2,829
Reputation
17
Reaction score
2,087
Points
113
SentinelOne researchers have discovered new versions of the CapraRAT trojan, which mimics YouTube and is used by the Pakistani Transparent Tribe to spy on Android devices.

Tracked as APT36 or Mythic Leopard, it has been active since at least 2016 and uses malicious or embedded Android apps to attack Indian defense and government agencies, Kashmir-related targets, and human rights defenders in Pakistan.

CapraRAT is a highly invasive tool that gives an attacker control over most of the data on infected Android devices. It has been in service with the APT since 2018 and is the most important component in its arsenal of tools, which allow it to penetrate Windows, Linux and Android systems in general.

The RAT is distributed in the form of trojanized dating apps under the MeetsApp and MeetUp brands through malicious sites using social engineering.

According to SentinelOne, the last three CapraRAT samples seem to use the same distribution scheme. APKs were uploaded to VirusTotal in April, July and August 2023, two of them were called YouTube and one Piya Sharma.

During the installation process, many permissions are requested, some of which the victim can treat without suspicion.

The samples borrow the YouTube icon and ask for a lot of permissions during installation, which the victim usually treats without any suspicion.

When running, the malware launches a WebView object to load the YouTube site, so as not to arouse suspicion. The interface thus simulates a real application. However, it lacks some features that are available on the real platform.

Once installed on the victim's device, the malware can make recordings from microphones and cameras, collect messages and call logs, send and block messages, make phone calls, take screenshots, change GPS and network settings, and modify files.

Transparent Tribe keeps TTPs constant for a long time, and the relatively low OpSec level allows you to quickly attribute its tools.

For example, the C2 addresses that CapraRAT interacts with are hard-coded in the application configuration file and are not directly linked to past Transparent Tribe campaigns.

The YouTube imitation is a new addition to the already steady trend of using Android apps as spyware and distributing them to targets via social media.

SentinelLabs notes that the CapraRAT variants discovered during the recent campaign have improved characteristics compared to earlier ones, which demonstrates evolution and adaptability, and the introduction of new applications gives the APT an indisputable advantage, allowing it to keep reaching new potential victims.
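Both posts make the same defensive point: a YouTube-branded APK that is not Google's own package yet requests microphone, camera, SMS, call-log and file permissions matches the CapraRAT capability list. The triage script below is an added example, not code from SentinelLabs or from the posts; it assumes a decoded text AndroidManifest.xml (for instance as produced by apktool), and the sample manifest embedded in it is constructed for illustration rather than taken from a real CapraRAT sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
OFFICIAL_YOUTUBE_PACKAGE = "com.google.android.youtube"

# Permissions that map onto the CapraRAT capabilities listed in the posts.
SPY_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.CAMERA": "record video",
    "android.permission.READ_SMS": "collect SMS/MMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_CALL_LOG": "collect call logs",
    "android.permission.CALL_PHONE": "initiate calls",
    "android.permission.ACCESS_FINE_LOCATION": "read GPS position",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify files",
}

# Constructed sample manifest (not a real CapraRAT artifact): a YouTube-branded
# app under a non-Google package name that requests spyware-grade permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake.youtube">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="YouTube"/>
</manifest>
"""

def triage_manifest(xml_text, min_hits=3):
    """Flag a decoded manifest that brands itself as YouTube, is not the
    official package, and asks for at least min_hits spyware-grade permissions."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    capabilities = sorted(SPY_PERMISSIONS[p] for p in requested & SPY_PERMISSIONS.keys())
    impostor = label.strip().lower() == "youtube" and package != OFFICIAL_YOUTUBE_PACKAGE
    return {"package": package, "label": label, "capabilities": capabilities,
            "impostor": impostor, "suspicious": impostor and len(capabilities) >= min_hits}
```

The returned "capabilities" list states in plain words what the app could do if every requested permission were granted, which is the question a user sideloading a "YouTube" client should be asking.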