Mirax RAT Targets Android Devices Through Meta Apps

An emerging threat in the realm of cybercrime is the remote access Trojan (RAT) known as Mirax, which has recently been identified as targeting Android devices in Spanish-speaking countries. This sophisticated malware is making waves by propagating fraudulent advertisements on Meta-owned applications, serving as an initial access point for cybercriminals.

Advanced Capabilities and Distribution Methods

First detected in early March by Outpost24’s KrakenLabs, Mirax boasts advanced capabilities that allow threat actors to interact with compromised devices in real time. Devices infected through advertisements on platforms such as Facebook, Instagram, Messenger, and Threads are converted into residential proxy nodes. According to research from Cleafy, the RAT relies on SOCKS5 protocol support and Yamux multiplexing to establish proxy channels, so that proxied traffic appears to originate from the victim’s IP address.
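To make the SOCKS5-over-Yamux proxy channel concrete from the defender's side, here is an added detection example (not code from the article, Cleafy or KrakenLabs). It parses a constructed Yamux byte stream, as an analyst would after decrypting or instrumenting a C2 session, and flags every multiplexed stream that carries a SOCKS5 greeting followed by a request, reporting the destination the proxied connection was asked to reach. The frame layout follows the public hashicorp/yamux specification; that Mirax uses this exact framing, and the sample bytes themselves, are assumptions made for the example.

```python
import ipaddress
import struct

# Yamux (hashicorp/yamux) frame header: version(1) type(1) flags(2) stream_id(4) length(4), big-endian.
YAMUX_HEADER = struct.Struct(">BBHII")
YAMUX_TYPE_DATA, YAMUX_TYPE_WINDOW_UPDATE = 0x0, 0x1
YAMUX_FLAG_SYN = 0x1

SOCKS5_VERSION = 0x05
SOCKS5_CMDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def yamux_frame(ftype, flags, stream_id, payload=b"", length=None):
    """Build one Yamux frame; for non-data frames `length` carries a window delta or code, not a body."""
    if length is None:
        length = len(payload)
    body = payload if ftype == YAMUX_TYPE_DATA else b""
    return YAMUX_HEADER.pack(0, ftype, flags, stream_id, length) + body


def parse_yamux_frames(buf):
    """Split a raw Yamux byte stream into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off + YAMUX_HEADER.size <= len(buf):
        version, ftype, flags, stream_id, length = YAMUX_HEADER.unpack_from(buf, off)
        if version != 0:
            raise ValueError(f"unexpected Yamux version {version} at offset {off}")
        off += YAMUX_HEADER.size
        payload = b""
        if ftype == YAMUX_TYPE_DATA:  # only data frames carry a body
            payload = buf[off:off + length]
            if len(payload) != length:
                raise ValueError("truncated Yamux data frame")
            off += length
        frames.append((ftype, flags, stream_id, payload))
    return frames


def is_socks5_greeting(p):
    # version byte, method count, then exactly that many authentication-method identifiers
    return len(p) >= 3 and p[0] == SOCKS5_VERSION and len(p) == 2 + p[1]


def parse_socks5_request(p):
    """Return (command, host, port) for a SOCKS5 request, or None if the bytes are not one."""
    if len(p) < 7 or p[0] != SOCKS5_VERSION or p[2] != 0x00 or p[1] not in SOCKS5_CMDS:
        return None
    atyp = p[3]
    if atyp == 0x01 and len(p) >= 10:                  # IPv4 address
        host, end = str(ipaddress.IPv4Address(p[4:8])), 8
    elif atyp == 0x03 and len(p) >= 5 + p[4] + 2:      # length-prefixed domain name
        host, end = p[5:5 + p[4]].decode("ascii", "replace"), 5 + p[4]
    elif atyp == 0x04 and len(p) >= 22:                # IPv6 address
        host, end = str(ipaddress.IPv6Address(p[4:20])), 20
    else:
        return None
    return SOCKS5_CMDS[p[1]], host, struct.unpack_from(">H", p, end)[0]


def find_proxy_requests(buf):
    """Return [(stream_id, command, host, port)] for each stream that greets, then requests, over SOCKS5."""
    greeted, hits = set(), []
    for ftype, flags, sid, payload in parse_yamux_frames(buf):
        if ftype != YAMUX_TYPE_DATA:
            continue
        if sid not in greeted:
            if is_socks5_greeting(payload):
                greeted.add(sid)
            continue
        req = parse_socks5_request(payload)
        if req:
            hits.append((sid,) + req)
    return hits


# Constructed sample session (not real Mirax traffic): three streams multiplexed on one Yamux connection.
SAMPLE = b"".join([
    yamux_frame(YAMUX_TYPE_DATA, YAMUX_FLAG_SYN, 1, b"\x05\x01\x00"),                 # stream 1: SOCKS5 greeting
    yamux_frame(YAMUX_TYPE_DATA, 0, 1,
                b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + struct.pack(">H", 443)),
    yamux_frame(YAMUX_TYPE_WINDOW_UPDATE, 0, 1, length=256 * 1024),                  # flow control, no body
    yamux_frame(YAMUX_TYPE_DATA, YAMUX_FLAG_SYN, 3, b"GET / HTTP/1.1\r\n\r\n"),       # stream 3: ordinary data
    yamux_frame(YAMUX_TYPE_DATA, YAMUX_FLAG_SYN, 5, b"\x05\x02\x00\x02"),             # stream 5: greeting, 2 methods
    yamux_frame(YAMUX_TYPE_DATA, 0, 5,
                b"\x05\x01\x00\x01" + bytes([203, 0, 113, 10]) + struct.pack(">H", 8080)),
])

if __name__ == "__main__":
    for sid, cmd, host, port in find_proxy_requests(SAMPLE):
        print(f"stream {sid}: SOCKS5 {cmd} -> {host}:{port}")
```

Requiring a greeting before accepting a request keeps a stray data frame that happens to begin with 0x05 from being reported; in practice the check would run on the plaintext side of whatever transport encryption the C2 channel uses, since the Yamux header is not visible through TLS.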

Mirax, also referred to as Mirax Bot, is equipped with a range of functionalities that include:

  • Capturing keystrokes
  • Stealing photos and sensitive data, including lock screen details
  • Executing commands and monitoring user activity

The malware employs overlay pages that mimic legitimate applications to steal user credentials or display misleading notifications. Its distribution is cleverly orchestrated through attack chains that leverage Meta ads to promote malicious dropper app web pages, effectively tricking unsuspecting users into downloading them.

While Meta platforms serve as the primary access point for Mirax, the malware also utilizes GitHub as a dropper for malicious APK files. It offers two options for crypters—Virbox or Golden Crypt—allowing for further obfuscation of its operations. Upon installation, users are prompted to enable installations from “unknown sources,” facilitating a multi-stage operation designed for evasion. The malware cleverly disguises itself behind video playback features, encouraging victims to enable accessibility services that grant Mirax deeper access.
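A practical check for the two conditions this paragraph describes, a sideloaded app that has been granted an accessibility service, as an added example that is not part of the article: it correlates the installer recorded for each package with the list of enabled accessibility services and reports services belonging to packages that did not come from a trusted store. The two inputs are constructed samples in the shape of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` output (the exact output format is an assumption), and the package and service names are invented.

```python
import re

PLAY_STORE = "com.android.vending"

# Constructed sample of `pm list packages -i` output; format "package:<pkg>  installer=<pkg|null>" is assumed.
PM_LIST_SAMPLE = """\
package:com.android.vending  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.videoplayer  installer=null
package:com.android.chrome  installer=com.android.vending
"""

# Constructed sample of the enabled_accessibility_services secure setting (colon-separated pkg/service entries).
ENABLED_A11Y_SAMPLE = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.videoplayer/com.example.videoplayer.PlayerAccessibilityService"
)


def parse_installers(pm_output):
    """Map package name -> installer package, or None when no installer is recorded (sideloaded or preinstalled)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def parse_enabled_services(setting_value):
    """Split the colon-separated setting into (package, service) pairs."""
    pairs = []
    for entry in setting_value.split(":"):
        if "/" in entry:
            pkg, svc = entry.split("/", 1)
            pairs.append((pkg, svc))
    return pairs


def suspicious_accessibility_services(pm_output, setting_value, trusted_installers=(PLAY_STORE,)):
    """Return (package, service, installer) for enabled accessibility services not installed by a trusted store."""
    installers = parse_installers(pm_output)
    return [
        (pkg, svc, installers.get(pkg))
        for pkg, svc in parse_enabled_services(setting_value)
        if installers.get(pkg) not in trusted_installers
    ]


if __name__ == "__main__":
    for pkg, svc, inst in suspicious_accessibility_services(PM_LIST_SAMPLE, ENABLED_A11Y_SAMPLE):
        print(f"review: {svc} enabled for {pkg} (installer: {inst or 'none recorded'})")
```

Preinstalled system apps also report no installer, so a real deployment needs an allowlist of known system accessibility services alongside the trusted-installer list; the point of the check is to surface the combination the dropper relies on, not to judge any single package in isolation.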

Cybercrime-as-a-Service

In a notable twist, KrakenLabs has observed a threat actor operating under the Mirax Bot name offering a private malware-as-a-service (MaaS) campaign on illicit forums. Subscription prices start at ,500 for a three-month package, with a variant version available for ,750 per month, albeit with fewer features.

Cleafy researchers have characterized this MaaS offering as “highly controlled” and “exclusive,” accessible only to a select group of affiliates. The firm noted that access appears to be prioritized for Russian-speaking actors with established reputations within underground communities. This indicates a deliberate strategy to maintain operational security and enhance the effectiveness of their campaigns.
