
The Indian government and military targeted by new CapraRAT malware.

A politically motivated advanced persistent threat group has expanded its malware arsenal with a new remote access trojan (RAT) in its espionage attacks against Indian military and diplomatic entities.

CapraRAT, as Trend Micro names it, is an Android RAT that exhibits a high “degree of crossover” with CrimsonRAT, a Windows malware linked to Earth Karkaddan, a threat actor also known as APT36, Operation C-Major, PROJECT, Mythic Leopard, and Transparent Tribe.

The first signs of APT36’s existence emerged in 2016, when the group began distributing information-stealing malware to Indian military and government personnel via phishing emails carrying malicious PDF attachments. The group is believed to be of Pakistani origin and to have been active since at least 2013.

This threat actor is also known for its consistent attack methodology, relying heavily on social engineering and a USB-based worm for entry points. A common element of the group’s arsenal is a Windows backdoor called CrimsonRAT, which gives them extensive access to compromised systems, although recent campaigns have evolved to deliver ObliqueRAT.

A .NET binary, CrimsonRAT is primarily designed to collect information from targeted Windows systems, such as screenshots, keystrokes, and files from removable drives, and upload it to the attacker’s command-and-control server.

The latest addition to its toolkit is yet another custom Android RAT that is deployed via phishing links. According to security experts, CapraRAT is a modified version of an open-source RAT called AndroRAT and can harvest victims’ locations, phone logs, and contact information.
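As an added example, not code from the article or from Trend Micro: a small triage helper that maps the capabilities the article attributes to CapraRAT (location, phone logs, contacts) to the Android permissions an app must declare to obtain them, and flags a decoded AndroidManifest.xml that requests all of them. The manifest below is constructed; the permission names are real Android permissions, while the capability grouping is this example's own assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the article attributes to CapraRAT, mapped to the Android
# permissions an app needs to declare for them (the grouping is this
# example's assumption; the permission names are real).
CAPABILITY_PERMISSIONS = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "phone_logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the permission names requested in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def matched_capabilities(manifest_xml: str) -> dict[str, list[str]]:
    """Map each capability to the requested permissions that would grant it."""
    perms = declared_permissions(manifest_xml)
    return {cap: sorted(perms & needed)
            for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}


def looks_like_spyware_profile(manifest_xml: str) -> bool:
    """True when the manifest requests every capability in the profile.
    This is a triage hint to prioritise manual review, not a verdict."""
    return set(matched_capabilities(manifest_xml)) == set(CAPABILITY_PERMISSIONS)


# Constructed sample manifest (not a real CapraRAT artifact).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    print(matched_capabilities(SAMPLE_MANIFEST))
    print(looks_like_spyware_profile(SAMPLE_MANIFEST))
```

Legitimate apps (dialers, contact managers) request some of these permissions too, so the helper is a prioritisation filter to run over a batch of decoded APKs, not a classifier.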

This is not the first time the hacking group has used Android RATs. Human rights defenders in Pakistan were targeted by Android spyware named StealthAgent in May 2018 to intercept phone calls and messages, siphon photos, and track their locations.

In 2020, Transparent Tribe launched attack campaigns leveraging military-themed lures to drop variants of the AhMyth Android RAT masquerading as a porn-related app and a fake version of the Aarogya Setu COVID-19 tracking app.