19 September 2023

Transparent Tribe APT spreads CapraRAT malware via fake YouTube Android apps


A Pakistan-aligned threat actor has been observed using fake Android apps mimicking YouTube to distribute the CapraRAT backdoor in a new cyber espionage campaign.

The group known as Transparent Tribe (APT36, Mythic Leopard, ProjectM, Operation C-Major) largely targets Indian entities and assets. Transparent Tribe has also been known to target entities in Afghanistan and social activists in Pakistan.

CapraRAT is a mobile remote access trojan believed to be a modified version of the open-source AndroRAT malware. It was first detailed by Trend Micro in February 2022 and exhibits overlaps with CrimsonRAT, a Windows malware known to be used only by Transparent Tribe.

CapraRAT comes with a variety of features, including the ability to record with the microphone and the front and rear cameras, collect messages and call logs, send SMS messages and block incoming SMS, make phone calls, take screen grabs, override system settings, and modify files on the device’s filesystem.

The group’s most recent campaign, observed by SentinelLabs researchers, involves several malicious APKs distributed outside of Google Play under the names “YouTube” and “Piya Sharma.” These APKs were uploaded to VirusTotal in April, July, and August 2023, the researchers said.

Upon installation, the malicious apps request numerous permissions, including ones that have no relevance to a video app’s expected behavior, such as permission to read text messages or to modify or delete the contents of an SD card.
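The permission mismatch described above is something a defender can check before an APK is installed. The following added example (not code from the article or from SentinelLabs) parses the `uses-permission` entries of an AndroidManifest.xml and flags any that fall outside an assumed baseline for a video-streaming app, annotating them with the CapraRAT capability they would enable; the manifest fragment is constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline: what a legitimate video-streaming app plausibly needs.
EXPECTED_FOR_VIDEO_APP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
}

# Android permissions that map onto the capabilities attributed to CapraRAT.
SPYWARE_CAPABILITIES = {
    "android.permission.RECORD_AUDIO": "record with the microphone",
    "android.permission.CAMERA": "record with the front and rear cameras",
    "android.permission.READ_SMS": "collect messages",
    "android.permission.RECEIVE_SMS": "intercept or block incoming SMS",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.READ_CALL_LOG": "collect call logs",
    "android.permission.CALL_PHONE": "make phone calls",
    "android.permission.WRITE_SETTINGS": "override system settings",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify or delete SD card contents",
}

def manifest_permissions(manifest_xml: str) -> set[str]:
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }

def flag_unexpected(perms: set[str]) -> dict[str, str]:
    """Map each permission outside the baseline to the capability it grants."""
    return {
        p: SPYWARE_CAPABILITIES.get(p, "not needed by a video app")
        for p in sorted(perms - EXPECTED_FOR_VIDEO_APP)
    }

# Constructed manifest fragment showing the pattern; not taken from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""

if __name__ == "__main__":
    for perm, why in flag_unexpected(manifest_permissions(SAMPLE_MANIFEST)).items():
        print(f"{perm}: {why}")
```

On a real APK, the binary manifest must first be decoded (for example with `apktool` or `aapt dump permissions`) before the XML can be parsed this way.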

“The group’s decision to make a YouTube-like app is a new addition to a known trend of the group weaponizing Android applications with spyware and distributing them to targets through social media. Individuals and organizations connected to diplomatic, military, or activist matters in the India and Pakistan regions should evaluate defense against this actor and threat,” the researchers advised.
