Investigations at CyberGuard Labs have unearthed an intricate operation run by Transparent Tribe, a group suspected to be Pakistani cyber actors. This time, they have deployed their CapraRAT, a Mobile Remote Access Trojan (RAT), concealed within imitation YouTube Android apps. Transparent Tribe CapraRAT is not just invasive; it is a malicious tool that gives its operators nearly unchecked access to the infected Android devices.
Transparent Tribe, also known as PROJECTM or Mythic Leopard, is infamous for its targeting of military and diplomatic personnel in India and Pakistan. Their reach has recently been extended to the Indian educational sector. This group has long utilized CapraRAT, an Android framework with hidden RAT functionalities, to compromise targeted mobile phones.
In early 2023, CapraRAT Android apps camouflaged as dating services were observed executing espionage activities. Now, these bad actors have refined their tactics, embedding their RAT into Android application packages (APKs) that impersonate YouTube apps.
Background: A Brief Recap on Transparent Tribe CapraRAT
Transparent Tribe primarily distributes Android apps through channels outside of the Google Play Store. They rely heavily on self-hosted websites and social engineering to lure users into downloading weaponized apps. One of the recently discovered APKs was found to connect to a YouTube channel belonging to Piya Sharma, a persona likely fabricated for further social engineering exploits.
CapraRAT is an extensive RAT with a plethora of functionalities that give hackers real-time control over the targeted devices. These include:
- Audio and video recording through front and rear cameras
- Accessing and sending SMS and MMS
- Logging phone calls
- Modifying system settings like GPS and network configurations
To understand the underlying mechanisms of these deceptive apps, our team at CyberGuard Labs undertook detailed static analysis of two YouTube-themed CapraRAT APKs.
Dissecting the Android APKs: An In-Depth Analysis
Originally, Trend Micro had speculated that CapraRAT might be loosely based on AndroRAT source code. We expanded on this by conducting static analyses on three YouTube-themed CapraRAT APKs. These APKs cleverly mimic YouTube by borrowing the YouTube icon, providing an experience that is almost identical to using the actual YouTube app but housed within a malicious framework.
Permissions: What the Apps Request
The most alarming observation during the installation process is the permissions the apps request. While some permissions like microphone access are expected for a YouTube-like app, others, like the ability to send and view SMS, are not. This discrepancy provides a hint of the malicious activities that these apps are capable of.
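The permission check described above can be automated as part of APK triage. The following is an added example, not code from the original post or from the CapraRAT samples: it parses a decoded AndroidManifest.xml (the kind of output a tool such as apktool produces), compares the declared permissions against a baseline that a WebView-based video viewer plausibly needs, and maps the leftovers to the RAT capabilities listed earlier. The manifest fragment, the package name and the "expected" baseline are constructed for the example; the permission strings themselves are standard Android permission names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree keys namespaced attributes as {ns}name

# Baseline for a WebView-based video app (assumption for this example; the post
# treats microphone access as expected for a YouTube-like app).
EXPECTED_FOR_VIDEO_APP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.RECORD_AUDIO",
}

# Permissions that correspond to the CapraRAT capabilities described in the post.
RAT_CAPABILITIES = {
    "android.permission.CAMERA": "audio/video recording",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.SEND_SMS": "sending SMS",
    "android.permission.READ_SMS": "reading SMS",
    "android.permission.RECEIVE_SMS": "intercepting SMS",
    "android.permission.RECEIVE_MMS": "intercepting MMS",
    "android.permission.READ_CALL_LOG": "call logging",
    "android.permission.PROCESS_OUTGOING_CALLS": "call logging",
    "android.permission.ACCESS_FINE_LOCATION": "GPS tracking",
    "android.permission.WRITE_SETTINGS": "modifying system settings",
    "android.permission.CHANGE_NETWORK_STATE": "modifying network configuration",
}

# Constructed decoded manifest fragment; it is NOT taken from a real CapraRAT sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission")]


def triage_permissions(manifest_xml, expected=EXPECTED_FOR_VIDEO_APP):
    """Split declared permissions into expected / unexpected and flag RAT-like ones."""
    perms = declared_permissions(manifest_xml)
    unexpected = [p for p in perms if p not in expected]
    rat_like = {p: RAT_CAPABILITIES[p] for p in unexpected if p in RAT_CAPABILITIES}
    return {"declared": perms, "unexpected": unexpected, "rat_like": rat_like}


if __name__ == "__main__":
    report = triage_permissions(SAMPLE_MANIFEST)
    print("Declared:", len(report["declared"]))
    for perm, capability in report["rat_like"].items():
        print("  RAT-like permission %s -> %s" % (perm, capability))
```

The baseline set is the part an analyst tunes per app category; the value of the check is the gap between what the app claims to be and what it asks for, which is exactly the discrepancy the post points at.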
Main Activity: The Functionality Overview
The ‘MainActivity’ initiates a WebView object that loads YouTube’s website within the app, providing a very similar user experience to the native YouTube Android app but within a dangerous Trojan. This deceiving operation fools users into believing they are using the legitimate service, thereby reducing the chances of the app being uninstalled.
Key Components and Configuration: Transparent Tribe CapraRAT’s Architecture
CapraRAT’s core functionalities are housed in various Android files whose names differ depending on the specific app version. However, one consistent element we identified across different versions is the configuration file, often named ‘setting’ or ‘settings’. This file contains metadata and other default configurations for CapraRAT.
Core Functionality: How CapraRAT Operates
At its core, CapraRAT uses an object called ‘mTCPService’ to initialize its RAT functionalities. These activities are managed by an activity similar to the ‘Extra_Class’ activity discovered in previous samples. This core class is responsible for running commands that perform the RAT’s different functions.
Command and Control Infrastructure: A Sneak Peek
Our investigation also led us to discover Transparent Tribe’s Command and Control (C2) servers. The SERVERIP variable in CapraRAT’s configuration file holds the C2 server address, and the port is stored as a big-endian hexadecimal value that must be converted to decimal, offering further insights into their operation.
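Turning the SERVERIP value and the big-endian hex port into usable network indicators is a small but error-prone step, so here is an added example (not code from the original post or from the malware) that does it. The post does not describe the on-disk layout of the ‘settings’ file, so the key=value format, the SERVERPORT key name and the sample values below are assumptions constructed for the example; the IP is a reserved documentation address, not a real C2.

```python
import ipaddress

# Constructed configuration in an assumed key=value layout. Neither the layout nor the
# values come from a real CapraRAT sample; 203.0.113.10 is a documentation-only address.
SAMPLE_SETTINGS = """# constructed sample
APPNAME=YouTube
SERVERIP=203.0.113.10
SERVERPORT=1F90
"""


def parse_settings(text):
    """Parse key=value lines into a dict, ignoring blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def port_from_hex(hex_port, byteorder="big"):
    """Decode a hex-encoded 16-bit port. The post states the value is big-endian;
    the byteorder parameter exists only to show what a wrong assumption yields."""
    digits = hex_port[2:] if hex_port.lower().startswith("0x") else hex_port
    raw = bytes.fromhex(digits.zfill(4))  # pad odd-length input to whole bytes
    port = int.from_bytes(raw, byteorder)
    if not 0 < port <= 65535:
        raise ValueError("not a valid TCP port: %d" % port)
    return port


def extract_c2(text):
    """Return the C2 endpoint plus ready-to-use defensive artifacts."""
    cfg = parse_settings(text)
    ip = str(ipaddress.ip_address(cfg["SERVERIP"]))  # raises on a malformed address
    port = port_from_hex(cfg["SERVERPORT"])
    # Constructed Suricata-style rule; sid is a placeholder in the local range.
    rule = (
        'alert tcp $HOME_NET any -> %s %d '
        '(msg:"Possible CapraRAT C2 connection"; sid:1000001; rev:1;)' % (ip, port)
    )
    return {"ip": ip, "port": port, "blocklist_entry": "%s:%d" % (ip, port),
            "suricata_rule": rule}


if __name__ == "__main__":
    c2 = extract_c2(SAMPLE_SETTINGS)
    print("C2 endpoint:", c2["blocklist_entry"])
    print("Misread as little-endian it would be port",
          port_from_hex(parse_settings(SAMPLE_SETTINGS)["SERVERPORT"], "little"))
    print(c2["suricata_rule"])
```

The little-endian line is there deliberately: the same two bytes decode to a completely different port if the byte order is guessed wrong, and a firewall or IDS rule built on the wrong port silently matches nothing.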
The Risks and Recommendations: Staying Safe
Transparent Tribe CapraRAT has evolved to become one of the most sophisticated malware strains with a low detection rate. Therefore, for individuals or organizations with ties to the India-Pakistan region, who are of potential interest to this group, it is crucial to:
- Avoid installing apps from sources other than Google Play Store.
- Be cautious of apps advertised on social media.
- Scrutinize app permissions.
- Refrain from installing third-party versions of apps already on your device.
SentinelOne’s Singularity Mobile offers comprehensive detection for CapraRAT.
Indicators of Compromise (IOC)
- File Hashes – SHA1
- C2 Network Communications
Transparent Tribe continues to innovate in its deceitful tactics. The use of a YouTube-like app serves as a disturbing development, adding a new layer to the group's weaponization of Android applications. Awareness and due diligence are our strongest defenses against this ever-present threat.
By diving deep into the architecture and functionalities of Transparent Tribe CapraRAT, we hope to have shed light on the guile of these persistent actors and how to defend against them.
What is Transparent Tribe CapraRAT?
Transparent Tribe CapraRAT is a Remote Access Trojan (RAT) that primarily targets Android devices. It has gained notoriety for its data theft capabilities and its deceptive methods of entry, often masquerading as legitimate apps like YouTube.
Who is behind Transparent Tribe CapraRAT?
Transparent Tribe is the cyber-espionage group believed to be behind CapraRAT. They are known for their sophisticated attacks and are suspected to have nation-state backing, although the specifics are still under investigation.
How does Transparent Tribe CapraRAT infect Android devices?
CapraRAT typically infects devices through phishing emails, malicious links, or fake app downloads. Once installed, it gains various permissions that allow it to monitor the user's activity and steal sensitive data.
What kind of data can Transparent Tribe CapraRAT steal?
This RAT is capable of stealing a wide range of data, including but not limited to SMS messages, call logs, contacts, and even files stored on the device. More advanced versions can capture screenshots and record audio.
How can I protect myself from Transparent Tribe CapraRAT?
The most effective way to protect yourself is by only downloading apps from trusted sources like Google Play Store, being cautious with emails and links from unknown sources, and keeping your security software up-to-date.
Is my iPhone at risk?
Currently, Transparent Tribe CapraRAT is primarily focused on Android devices. However, it's always a good practice to stay vigilant and keep your device's operating system and security software up-to-date.
Has Transparent Tribe CapraRAT been used in any notable attacks?
Yes, it has been linked to various targeted attacks, particularly against government and military personnel. Specific incidents remain confidential but have been acknowledged by cybersecurity firms.
Where can I find more information about Transparent Tribe CapraRAT?
How can I remove Transparent Tribe CapraRAT if I've been infected?
If you suspect that you've been infected, it is advised to consult cybersecurity experts for malware removal. Basic steps involve uninstalling the malicious app and performing a full security scan on your device.
Can Transparent Tribe CapraRAT affect other devices, like my laptop or tablet?
As of now, the primary focus of CapraRAT is on Android smartphones. However, the Transparent Tribe group has been known to develop other types of malware that target different operating systems, so it's crucial to keep all your devices protected.