An advanced persistent threat (APT) group known as Transparent Tribe, believed to be linked to Pakistan, has been linked to an ongoing cyberespionage campaign targeting Android users in India and Pakistan using a backdoor. CapraRAT.
“Transparent Tribe distributed the Android CapraRAT backdoor via Trojan secure messaging and calling apps called MeetsApp and MeetUp,” ESET said in a report shared with The Hacker News.
Up to 150 victims are estimated to have been targeted, possibly with a military or political bent, and the malware (com.meetup.app) can be downloaded from fake websites masquerading as official distribution centers for these apps.
It is suspected that the targets are lured by a honey trap romance scam, where the threat actor approaches the victims through another platform and tricks them into installing the malicious apps under the pretense of “secure” messaging and calling.
However, in addition to offering the promised functionality, the apps also implant CapraRAT, a modified version of the open-source AndroRAT first documented by Trend Micro in February 2022 that overlaps with the Windows malware known as CrimsonRAT.
The backdoor has many features that allow you to capture screenshots and photos, record phone calls and ambient sounds, and exfiltrate other sensitive information. You can also make calls, send SMS messages and receive commands to download files.
However, users need to create an account by linking their phone numbers and completing an SMS verification step to access the app’s features.
Discover the latest malware evasion tactics and prevention strategies
Are you ready to bust the 9 most dangerous myths about file-based attacks? Join our upcoming webinar and be a hero in the fight against zero patient infections and zero-day security incidents!
RESERVE YOUR SPOT
The Slovakian cybersecurity company said the campaign was narrowly targeted and found no evidence that the apps were available on the Google Play Store.
Transparent Tribe, also known as APT36, Operation C-Major and Mythic Leopard, was recently attributed to another series of attacks targeting Indian government organizations with malicious versions of a two-factor authentication solution called Kavach.
The findings come weeks after cybersecurity firm ThreatMon launched a detailed phishing campaign by SideCopy actors targeting Indian government agencies with the aim of introducing an updated version of the backdoor known as ReverseRAT.
:quality(70)/cloudfront-us-east-1.images.arcpublishing.com/adn/5253HTE7EZH2NMXZJOC5GPB5O4.jpg "I just got dumped by my much younger girlfriend and it still stings")
