888 RAT

888 RAT Description

The 888 RAT is an old malware threat that was first offered for sale on underground hacker forums in 2018. At that time it had far more limited functionality and targeted only Windows devices. The price of this initial version was set at $80.

However, soon afterward, the developers of 888 RAT released an expanded Pro version that was capable of infecting Android devices. Later, an Extreme version was also released, adding the ability to create Linux payloads. These versions were priced at $150 and $200, respectively. During this period, the 888 RAT remained largely unused by cybercriminal gangs. That changed when the Pro version was cracked and released for free on several websites.

888 RAT Attack Campaigns

Researchers have detected three separate attack campaigns that used the 888 RAT as part of the delivered payloads. One is tracked as Spy TikTok Pro, while another is an operation attributed to the Kasablanka group. The most recent campaign has been active since at least March 2020 and specifically targets the Kurdish ethnic group. The attackers deployed the Android version of the 888 RAT to carry out espionage on the compromised devices. So far, the campaign has been attributed to a cybergang tracked under the name BladeHawk.

BladeHawk disguised the 888 RAT, and in a small number of cases a different malware threat named SpyNote, as legitimate applications. As an initial compromise vector, the cybercriminals used dedicated Facebook profiles that lured their victims by posting news in Kurdish about events relevant to Kurdish supporters. They also spread links leading to additional weaponized applications in public Facebook groups with pro-Kurdish leanings. Researchers have confirmed that just a couple of bait Facebook posts registered nearly 1,500 downloads of trojanized applications.

Functionality

The Android version of the 888 RAT is capable of recognizing and executing 42 different commands that it receives from a Command-and-Control (C&C, C2) server. As such, the threat can perform a wide range of nefarious activities on the breached devices. It is equipped with the basic functions expected from an Android threat: manipulating, collecting, or deleting files, gathering photos, accessing SMS messages, harvesting the device's contact list, and generating a list of all installed applications.

In addition, the 888 RAT can run numerous espionage routines on the device. These include taking arbitrary screenshots, taking photos, sending text messages, making calls, recording the surrounding audio and phone calls conducted on the device, employing phishing techniques to collect the victim's Facebook credentials, and more.