ESET Romance Scam Research – IT Security Guru
ESET researchers have analyzed a cyberespionage campaign by the Transparent Tribe APT group, which distributes the CapraRAT backdoor through trojanized Android messaging apps that pose as “secure” services and exfiltrate sensitive data from Android users, mainly in India and Pakistan and presumably with a military or political bent. Victims may have been targeted through a honey-trap romance scam: they were first contacted on another platform and then convinced to install and use the supposedly “safer” apps. ESET researchers were able to determine the geolocation of more than 150 victims in India and Pakistan, as well as in Russia, Oman and Egypt. The campaign has likely been active since July 2022.
“Victims were tricked into using MeetsApp or MeetUp. We’ve seen such honeytrap baits used by Transparent Tribe operators against their targets before. It is usually not difficult to find a mobile number or e-mail address that can be used for the first contact,” explained Lukáš Štefanko, researcher at ESET, who discovered the campaign. “The campaign was identified while analyzing another malware sample posted on Twitter.”
In addition to the working chat features of the original MeetUp and MeetsApp apps, the trojanized versions also contain malicious code that ESET identified as the CapraRAT backdoor. Transparent Tribe, also known as APT36, is a cyberespionage group known to use CapraRAT. The backdoor can take screenshots and photos, record phone calls and ambient audio, and exfiltrate other sensitive information. It can also accept commands to download files, make calls, and send SMS messages. The campaign is narrowly targeted, and there is no indication that these apps were ever available on Google Play.
CapraRAT is remotely controlled and executes commands received from its command-and-control server. Because the operators of these apps had poor operational security, victims’ personally identifiable information was exposed to ESET’s researchers over the open Internet, allowing information about the victims, such as their location, to be obtained.
Both apps are distributed through two similar websites that describe them as secure messaging and calling services; these websites serve as the distribution channels for the apps. Before using an app, victims must create an account linked to their phone number, which requires SMS verification. After the account is created, the app asks for additional permissions that the backdoor needs for its full functionality, such as access to contacts, call logs, SMS messages, external storage, and audio recording.
Transparent Tribe likely lures victims into installing the app with romantic bait and then continues to communicate with them through the malicious app, keeping them on the platform and their devices accessible to the attacker.