In the realm of cybercrime, a threat actor by the name of Transparent Tribe is rapidly spreading the CapraRAT spyware by disguising it as popular Android apps. Media reports claim that these attacks are part of a larger social engineering campaign targeting individuals of interest.
In this article, we’ll dive into the details of these attacks and learn how the CapraRAT spyware functions. Let’s begin!
Attack campaigns using the CapraRAT spyware were initially discovered by SentinelOne in September 2023, and this series of attacks has been dubbed the CapraTube campaign. During the initial discovery it was identified that the threat actors behind the attacks were weaponizing Android apps and masking them as popular apps such as YouTube.
These weaponized apps were then used as a distribution medium for spyware called CapraRAT. It is worth mentioning here that this spyware is a modified version of AndroRAT and has capabilities that allow it to capture sensitive information. Transparent Tribe, the threat actor group behind these attacks, is believed to be of Pakistani origin.
Media reports have claimed that the cybercrime group has leveraged CapraRAT for around two years. In addition, the threat actor's targets include Indian government and military personnel. The group is known to have a history of using spear-phishing and watering hole attacks to deliver spyware.
It has also been identified that the CapraRAT spyware attacks rely on similar techniques but have more advanced capabilities. Shedding light on these techniques and capabilities, Alex Delamotte, a cybersecurity researcher, has stated that:
“The activity highlighted in this report shows the continuation of this technique with updates to the social engineering pretexts as well as efforts to maximize the spyware’s compatibility with older versions of the Android operating system while expanding the attack surface to include modern versions of Android.”
Some of the most recent malicious application APKs identified by the cybersecurity research firm include:
As far as the attack functionality is concerned, the CapraRAT spyware uses a WebView to launch a URL. The URL points either to YouTube or to CrazyGames[.]com, a mobile gaming platform. Once the target is on one of these platforms, the CapraRAT spyware abuses the permissions it has acquired to access sensitive data that may include:
In addition to accessing such data, it can also be used to record audio or video, take screenshots, and make phone calls.
Reports claim that the spyware is being used for surveillance purposes, since permissions such as REQUEST_INSTALL_PACKAGES, READ_INSTALL_SESSIONS, GET_ACCOUNTS, and AUTHENTICATE_ACCOUNTS are neither requested nor acquired; the permission set points to data collection rather than installing further packages or abusing accounts.
The use of such techniques indicates that threat actors using malware for malicious intents have become more sophisticated, and their attacks are now more severe than before.
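The permission profile described above is something a defender can check before sideloading an APK: a "video player" or "game" that asks for microphone, camera, SMS, contacts, call-log and location access, yet requests none of the package-installation or account permissions, fits the surveillance pattern the article describes. The script below is an added example written for this article; it is not code from TuxCare, SentinelOne, or the CapraRAT analysis. It parses a decoded AndroidManifest.xml (a real APK stores the manifest as binary XML, so decode it with a tool such as apktool first) and triages the requested permissions. The mapping from the article's capability list (record audio/video, make calls, read data) to concrete Android permission names is an assumption, as is the constructed sample manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions the article reports CapraRAT does NOT request: their absence
# suggests pure surveillance rather than package-install or account abuse.
INSTALL_AND_ACCOUNT_PERMS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.READ_INSTALL_SESSIONS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.AUTHENTICATE_ACCOUNTS",
}

# Assumed mapping of surveillance capabilities (audio/video capture, calls,
# data access) to the Android permissions that grant them.
SURVEILLANCE_PERMS = {
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.CAMERA": "record video / take pictures",
    "android.permission.CALL_PHONE": "make phone calls",
    "android.permission.READ_SMS": "read messages",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.ACCESS_FINE_LOCATION": "track location",
}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return every android:name listed in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def triage(manifest_xml: str, expected_for_app: set[str]) -> dict:
    """Compare requested permissions against what this kind of app needs.

    expected_for_app: the permissions a legitimate app of this type would
    plausibly request (e.g. just network access for a video player).
    """
    perms = requested_permissions(manifest_xml)
    surveillance = {p: SURVEILLANCE_PERMS[p] for p in perms if p in SURVEILLANCE_PERMS}
    unexpected = perms - expected_for_app
    install_or_account = perms & INSTALL_AND_ACCOUNT_PERMS

    # Three or more unexpected surveillance permissions is the threshold used
    # here (an assumption, tune it to your own app inventory).
    if len(set(surveillance) & unexpected) >= 3:
        verdict = "surveillance-capable: review before install"
    elif unexpected:
        verdict = "over-permissioned: review"
    else:
        verdict = "permissions consistent with app type"

    return {
        "requested": sorted(perms),
        "unexpected": sorted(unexpected),
        "surveillance_capabilities": surveillance,
        "install_or_account_abuse": sorted(install_or_account),
        "verdict": verdict,
    }


# Constructed sample: a "video player" lookalike whose manifest requests far
# more than a video player needs, and none of the install/account permissions.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videoplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Video Player"/>
</manifest>
"""

# What a legitimate video-streaming app would plausibly need (assumption).
VIDEO_APP_EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, VIDEO_APP_EXPECTED)
    print(report["verdict"])
    for perm, capability in report["surveillance_capabilities"].items():
        print(f"  {perm}: {capability}")
```

Run it against a decoded manifest by replacing `SAMPLE_MANIFEST` with the file contents; the `expected_for_app` set is the part worth maintaining, because the signal here is the gap between what the app claims to be and what it asks for, not any single permission.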
The CapraRAT spyware campaign by Transparent Tribe illustrates the increasing sophistication of cyber espionage tactics. By disguising malware as popular Android apps, these threat actors effectively exploit social engineering to target high-profile individuals.
This incident underscores the critical need for stronger security measures, including verifying apps before they are installed and continuously monitoring devices for unexpected permission use. Such measures are essential to defend against evolving threats and to protect sensitive information.
The sources for this piece include articles in The Hacker News and SC Magazine.
The post CapraRAT Spyware Masks As Popular Android Apps appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/caprarat-spyware-masks-as-popular-android-apps/