A politically motivated advanced persistent threat (APT) group has expanded its malware arsenal to include a new remote access trojan (RAT) in its espionage attacks aimed at Indian military and diplomatic entities.
Called CapraRAT by Trend Micro, the implant is an Android RAT that exhibits a high “degree of crossover” with another Windows malware known as CrimsonRAT that’s associated with Earth Karkaddan, a threat actor that’s also tracked under the monikers APT36, Operation C-Major, PROJECTM, Mythic Leopard, and Transparent Tribe.
The first concrete signs of APT36’s existence appeared in 2016 as the group began distributing information-stealing malware through phishing emails with malicious PDF attachments targeting Indian military and government personnel. The group is believed to be of Pakistani origin and operational since at least 2013.
The threat actor is also known to be consistent in its modus operandi, with the attacks predominantly banking on social engineering and a USB-based worm as entry points. Among common elements in the group’s arsenal is a Windows backdoor called CrimsonRAT that allows the attackers extensive access to compromised systems, although recent campaigns have evolved to deliver ObliqueRAT.
CrimsonRAT was created as a.NET Binary whose primary purpose is to extract information from target Windows systems. This includes screenshots and keystrokes.
The new addition to its toolset is yet another custom Android RAT that’s deployed by means of phishing links. CapraRAT is disguised to look like a YouTube application and is a modified version AndroRAT. It has a number of data exfiltration capabilities, such as the ability to extract victims’ location, their phone logs and contact information.
This is far from the first time the hacking group has used Android RATs. In May 2018, human rights defenders in Pakistan were targeted by Android spyware named StealthAgent to intercept phone calls and messages, siphon photos, and track their whereabouts.
Then in 2020, attack campaigns mounted by Transparent Tribe involved leveraging military-themed lures to drop a modified version of the AhMyth Android RAT that masqueraded as a porn-related app and a fake version of the Aarogya Setu COVID-19 tracking app.
To prevent such attacks users should be cautious about opening unsolicited email, not clicking links, downloading attachments or clicking on emails from unknown senders and to only install apps from trusted sources.