7 March 2023

Transparent Tribe APT spreads CapraRAT backdoor via fake secure messaging apps


Transparent Tribe APT spreads CapraRAT backdoor via fake secure messaging apps

A new cyber-espionage campaign has been detected that is targeting Indian and Pakistani Android users with a backdoor called CapraRAT.

The ongoing operation has been linked by ESET researchers to a suspected Pakistan-aligned advanced persistent threat (APT) group known as Transparent Tribe (APT36, Mythic Leopard, ProjectM, Operation C-Major) that largely targets Indian entities and assets. Transparent Tribe has also been known to target entities in Afghanistan and social activists in Pakistan.

The latest Transparent Tribe campaign is focused on Indian and Pakistani Android users – presumably with a military or political orientation, ESET says. The threat actor is using trojanized secure messaging and calling apps branded as MeetsApp and MeetUp to infect victims with the CapraRAT malware capable of stealing any sensitive information from target devices.

CapraRAT is believed to be a modified version of the open source AndroRAT that was first detailed by Trend Micro in February 2022 and which exhibits overlaps with a Windows malware known as CrimsonRAT, known to be used only by Transparent Tribe.

The backdoor can take screenshots and photos, recording phone calls and surrounding audio, and exfiltrating any other sensitive information. It can also receive commands to download files, make calls, and send SMS messages.

“Victims were probably targeted through a honey-trap romance scam, where they were initially contacted on another platform and then convinced to use supposedly “more secure” apps, which they were then lured into installing,” the researchers said.

These trojanized apps were distributed via fake websites disguised as the official distribution centers and there’s no indication that the malicious apps were ever available on Google Play.

Due to threat actor’s week operational security ESET researchers were able to identify more than 150 victims in India, Pakistan, Russia, Oman, and Egypt.


Back to the list

Latest Posts

Free VPN apps on Google Play turned Android devices into residential proxies

Free VPN apps on Google Play turned Android devices into residential proxies

The threat actor behind this scheme profits by selling access to the residential proxy network to third parties.
28 March 2024
Cyber spies strike Indian government and energy sectors

Cyber spies strike Indian government and energy sectors

The operation involved phishing emails delivering the HackBrowserData info-stealer.
28 March 2024
Spyware makers and state-backed hackers are primary culprits behind rise in zero-day exploits, Google says

Spyware makers and state-backed hackers are primary culprits behind rise in zero-day exploits, Google says

97 zero-day flaws were exploited in-the-wild in 2023, marking an increase of over 50% compared to 2022.
27 March 2024