CapraRAT Mimics Popular Apps to Attack Android Users

CapraRAT Mimics Popular Apps to Attack Android Users

Transparent Tribe (aka APT36), active since 2016, uses social engineering to target Indian government and military personnel. Recently, their CapraRAT has been mimicking popular Android apps to attack Android users, showing adaptability and expanding their espionage efforts against Indian targets.

All about CapraRAT

The malware uses obfuscated URLs and WebView to open YouTube and CrazyGames[.]com. In addition, apps like “Sexy Videos” employ social engineering tactics centered on romance. Meanwhile, others, such as “TikTok” and “Weapons,” direct users to specific YouTube channels or gaming sites like CrazyGames[.]com.

Source – Sentinel Labs

SentinelLabs researchers noted that CapraRAT’s evolving tactics highlight its adaptability. By using legitimate platforms as covers for malicious activities, the malware maintains access to sensitive device permissions.

The latest CapraTube campaign continues its romance-themed social engineering through these apps, which open YouTube and perform related searches. Despite removing some previously requested permissions, the malware still demands numerous dangerous permissions during monitoring.

Targeting Android 8.0 (Oreo) and newer versions contrasts with the September 2023 campaign, thereby enhancing compatibility with modern devices. However, suspicious permissions are still requested despite these updates. As a result, a new WebView class has been added to support older Android versions, aiming to maintain functionality across different platforms.

Despite updates, CapraRAT’s core functionality, centered on surveillance, remains largely unchanged. Initiated through MainActivity and utilizing the TCHPClient class, it performs malicious activities such as audio streaming, call recording, contact logging, file browsing, and SMS sniffing. Moreover, these capabilities underscore its persistent focus on gathering sensitive information.

These variants communicate with C2 servers via specific hostnames and IP addresses, some of which are linked to threats like CrimsonRAT. Furthermore, recent updates focus on enhancing software reliability and compatibility with newer Android versions.

The malware employs social engineering tactics targeting groups like mobile gamers or firearms enthusiasts.

Users should carefully review app permissions during installation to avoid unnecessary access requests. Additionally, incident responders must vigilantly monitor network indicators and method names associated with CapraRAT.

IoCs – CapraRAT


28bc3b3d8878be4267ee08f20b7816a6ba23623eTikTok signed.apk
c307f523a1d1aa928fe3db2c6c3ede6902f1084bCrazy Game signed.apk
dba9f88ba548cebfa389972cddf2bec55b71168bSexy Videos signed.apk
fff24e9f11651e0bdbee7c5cd1034269f40fc424Weapons signed.apk

Network Indicators

shareboxs[.]netC2 domain
173[.]212[.]206[.]227Resolved C2 IP address, hosts
173[.]249[.]50[.]243Hardcoded failover C2 IP address

‍Follow Us on: Twitter, InstagramFacebook to get the latest security news!

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!