7 March 2023

Transparent Tribe APT spreads CapraRAT backdoor via fake secure messaging apps

A new cyber-espionage campaign has been detected that is targeting Indian and Pakistani Android users with a backdoor called CapraRAT.

The ongoing operation has been linked by ESET researchers to a suspected Pakistan-aligned advanced persistent threat (APT) group known as Transparent Tribe (APT36, Mythic Leopard, ProjectM, Operation C-Major) that largely targets Indian entities and assets. Transparent Tribe has also been known to target entities in Afghanistan and social activists in Pakistan.

The latest Transparent Tribe campaign is focused on Indian and Pakistani Android users – presumably with a military or political orientation, ESET says. The threat actor is using trojanized secure messaging and calling apps branded as MeetsApp and MeetUp to infect victims with the CapraRAT malware capable of stealing any sensitive information from target devices.

CapraRAT is believed to be a modified version of the open source AndroRAT that was first detailed by Trend Micro in February 2022 and which exhibits overlaps with a Windows malware known as CrimsonRAT, known to be used only by Transparent Tribe.

The backdoor can take screenshots and photos, record phone calls and surrounding audio, and exfiltrate any other sensitive information. It can also receive commands to download files, make calls, and send SMS messages.

“Victims were probably targeted through a honey-trap romance scam, where they were initially contacted on another platform and then convinced to use supposedly ‘more secure’ apps, which they were then lured into installing,” the researchers said.

These trojanized apps were distributed via fake websites disguised as the official distribution centers and there’s no indication that the malicious apps were ever available on Google Play.

Due to the threat actor’s weak operational security, ESET researchers were able to identify more than 150 victims in India, Pakistan, Russia, Oman, and Egypt.
