A number of threat actors, including cyber espionage groups, are using an open-source Android remote administration tool called Rafel RAT to achieve their operational objectives by masquerading it as Instagram, WhatsApp, and various e-commerce and antivirus apps.
“It provides malicious actors with a powerful toolkit for remote administration and control, enabling a range of malicious activities from data theft to device manipulation,” Check Point said in an analysis published last week.
It boasts a wide range of features, such as the ability to wipe SD cards, delete call logs, siphon notifications, and even act as ransomware.
The use of Rafel RAT by DoNot Team (aka APT-C-35, Brainworm, and Origami Elephant) was previously highlighted by the Israeli cybersecurity company in cyber attacks that leveraged a design flaw in Foxit PDF Reader to trick users into downloading malicious payloads.
The campaign, which took place in April 2024, is said to have utilized military-themed PDF lures to deliver the malware.
Check Point said it identified around 120 different malicious campaigns, some targeting high-profile entities, that span various countries like Australia, China, Czechia, France, Germany, India, Indonesia, Italy, New Zealand, Pakistan, Romania, Russia, and the U.S.
“The majority of victims had Samsung phones, with Xiaomi, Vivo, and Huawei users comprising the second-largest group among the targeted victims,” it noted, adding that at least 87.5% of the infected devices are running out-of-date Android versions that no longer receive security fixes.
Typical attack chains involve the use of social engineering to manipulate victims into granting the malware-laced apps intrusive permissions in order to hoover up sensitive data like contact information, SMS messages (e.g., 2FA codes), location, call logs, and the list of installed applications, among others.
Rafel RAT primarily uses HTTP(S) for command-and-control (C2) communications, but it can also make use of Discord APIs to contact the threat actors. It also comes with an accompanying PHP-based C2 panel that registered users can leverage to issue commands to compromised devices.
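As an added illustration (not part of Check Point's analysis or the original article), the following Python triage routine flags, in an MDM-style app inventory, the warning signs the two paragraphs above describe: a well-known app label carried by a different package id, the permission cluster that exposes contacts, SMS, location, call logs and the installed-app list, and devices running an Android version below a patch baseline. The baseline version, the sample inventory and its package id are assumptions, not indicators from the report.

```python
from dataclasses import dataclass, field

# Genuine package ids of two brands the article says Rafel RAT masquerades as.
GENUINE_PACKAGES = {"Instagram": "com.instagram.android", "WhatsApp": "com.whatsapp"}
# Permissions that unlock the data classes the article lists as harvested.
SENSITIVE = {
    "android.permission.READ_CONTACTS",        # contact information
    "android.permission.READ_SMS",             # SMS messages, including 2FA codes
    "android.permission.ACCESS_FINE_LOCATION", # location
    "android.permission.READ_CALL_LOG",        # call logs
    "android.permission.QUERY_ALL_PACKAGES",   # list of installed applications
}
# Assumption for this example: releases below this major version are treated as
# no longer receiving security fixes; adjust to your own patch baseline.
MIN_PATCHED_ANDROID = 12

@dataclass
class App:
    label: str      # display name the user sees
    package: str    # package id actually installed
    permissions: set = field(default_factory=set)

def impersonates_known_brand(app: App) -> bool:
    """True when the label matches a known brand but the package id does not."""
    genuine = GENUINE_PACKAGES.get(app.label.strip())
    return genuine is not None and app.package != genuine

def triage_device(android_version: int, apps: list) -> list:
    """Return (subject, reason) findings for one device's app inventory."""
    findings = []
    if android_version < MIN_PATCHED_ANDROID:
        findings.append(("device", f"Android {android_version} is below the patched baseline"))
    for app in apps:
        if impersonates_known_brand(app):
            findings.append((app.package, f"label '{app.label}' but package is not "
                                          f"{GENUINE_PACKAGES[app.label.strip()]}"))
        hits = app.permissions & SENSITIVE
        if len(hits) >= 3:  # the data-theft cluster, not one legitimate permission
            findings.append((app.package, "requests " + ", ".join(sorted(hits))))
    return findings

# Constructed sample inventory; the second package id is hypothetical, not an IoC.
SAMPLE_APPS = [
    App("WhatsApp", "com.whatsapp", {"android.permission.READ_CONTACTS"}),
    App("Instagram", "com.example.insta.update",
        {"android.permission.READ_SMS", "android.permission.READ_CONTACTS",
         "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CALL_LOG"}),
]
```

Running `triage_device(10, SAMPLE_APPS)` yields one finding for the outdated OS and two for the impersonating app (the mismatched package id and the permission cluster), while the genuine WhatsApp entry produces none.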
The tool’s effectiveness across various threat actors is corroborated by its deployment in a ransomware operation carried out by an attacker likely originating from Iran, who sent a ransom note written in Arabic via SMS that urged a victim in Pakistan to contact them on Telegram.
“Rafel RAT is a potent example of the evolving landscape of Android malware, characterized by its open-source nature, extensive feature set, and widespread utilization across various illicit activities,” Check Point said.
“The prevalence of Rafel RAT highlights the need for continual vigilance and proactive security measures to safeguard Android devices against malicious exploitation.”