CapraRAT Spyware Masks As Popular Android Apps

CapraRAT Spyware Campaigns Initial Discovery

Attack campaigns using the CapraRAT spyware were first reported by SentinelOne in September 2023; this series of attacks has been dubbed the CapraTube campaign. The initial discovery found that the threat actors behind the attacks were weaponizing Android apps and disguising them as popular apps such as YouTube.

Malware-laced Android Apps

The more recent CapraRAT spyware attacks rely on the same core technique but carry expanded capabilities. Describing these techniques and capabilities, cybersecurity researcher Alex Delamotte stated:
“The activity highlighted in this report shows the continuation of this technique with updates to the social engineering pretexts as well as efforts to maximize the spyware’s compatibility with older versions of the Android operating system while expanding the attack surface to include modern versions of Android.”
Some of the most recent malicious application APKs identified by the research firm include:

  • Crazy Game (com.maeps.crygms.tktols)
  • Sexy Videos (com.nobra.crygms.tktols)
  • TikToks (com.maeps.vdosa.tktols)
  • Weapons (com.maeps.vdosa.tktols)

CapraRAT Spyware Attack Functionality

As for attack functionality, the CapraRAT spyware uses an Android WebView to load a URL that points either to YouTube or to CrazyGames[.]com, a mobile gaming platform. Once the target is engaged with one of these sites, the spyware abuses the permissions it has been granted to access sensitive data, which may include:

  • Call logs.
  • Messages.
  • Locations.

In addition to accessing such data, it can also be used to record audio or video, take screenshots, and make phone calls.
Reports characterise the spyware as a surveillance tool because permissions such as REQUEST_INSTALL_PACKAGES, READ_INSTALL_SESSIONS, GET_ACCOUNTS and AUTHENTICATE_ACCOUNTS are neither requested nor acquired.
The use of such techniques indicates that threat actors deploying malware have grown more sophisticated, and their attacks are now more severe than before.
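As an added illustration (not code from the article or from SentinelOne), the permission profile described above can be turned into a triage heuristic for decoded Android manifests: the script summarises which of the sensitive-data capabilities named in the article an app requests and whether any of the installer or account permissions the report says are absent are present. The mapping from the article's data categories to standard Android permission names, the capability threshold, and the sample manifest are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Standard Android permissions for the data the article says the spyware reaches.
# The article names the data, not the permissions, so this mapping is an assumption.
SURVEILLANCE_PERMS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "messages",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "video recording",
    "android.permission.CALL_PHONE": "phone calls",
}
# Permissions the article reports as not requested; their absence is what the
# researchers used to characterise the sample as a surveillance tool.
INSTALLER_ACCOUNT_PERMS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.READ_INSTALL_SESSIONS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.AUTHENTICATE_ACCOUNTS",
}

def manifest_profile(manifest_xml: str, min_capabilities: int = 3) -> dict:
    """Summarise a decoded AndroidManifest.xml (e.g. apktool output) into the
    permission profile the article describes. The threshold is an assumption."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    capabilities = sorted(SURVEILLANCE_PERMS[p] for p in perms & SURVEILLANCE_PERMS.keys())
    installer = sorted(perms & INSTALLER_ACCOUNT_PERMS)
    return {
        "package": root.get("package"),
        "capabilities": capabilities,
        "installer_or_account_perms": installer,
        # Several surveillance capabilities and no installer/account permissions
        # is the shape the article attributes to CapraRAT: flag it for triage.
        "matches_surveillance_profile": len(capabilities) >= min_capabilities and not installer,
    }

# Constructed sample manifest; the package name is one the article lists.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.maeps.crygms.tktols">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
</manifest>"""
```

Running `manifest_profile(SAMPLE_MANIFEST)` reports all six capabilities, no installer or account permissions, and a profile match; swapping one capability for REQUEST_INSTALL_PACKAGES clears the match.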

Conclusion

The CapraRAT spyware campaign by Transparent Tribe illustrates the increasing sophistication of cyber espionage tactics. By disguising malware as popular Android apps, these threat actors effectively exploit social engineering to target high-profile individuals.
This incident underscores the need for stronger defences, including careful verification of apps before installation and continuous monitoring, to defend against such evolving threats and protect sensitive information.
