CapraRAT

The CapraRAT threat is a fully-featured Android RAT (Remote Access Trojan) designed to be deployed as a part of cyberespionage attacks. Details about this particular threat were revealed in a report published by the researchers at Trend Micro. Their analysis has revealed a significant degree of crossover between CapraRAT and a previously identified threat known as Crimson RAT.

The Crimson RAT is attributed and observed as part of the threatening operations of an APT (Advanced Persistent Threat) group tracked as Earth Karkaddan. The same group of hackers also can be encountered as APT36, Operation C-Major, PROJECTM, Mythic Leopard, and Transparent Tribe.

Technical Details

CapraRAT is another custom-built Android RAT that is now a part of the group's threatening arsenal. The threat most likely relies on social-engineering tactics and phishing links to obtain initial access to the victim's device. To throw users off, the corrupted payload is disguised and distributed as a Youtube application.

At its core, CapraRAT appears to be based on an open-source RAT threat named AndroRAT. As such, it comes equipped with numerous intrusive functions related to the harvesting and subsequent exfiltration of data. CapraRAT can harvest the victim's geolocation, obtain phone logs, and extract contact information.

Attack History

The APT36 group has been active in operations targeting Indian military and diplomatic entities consistently. The first concrete signs of its presence were observed back in 2016, in an information-collecting attack against Indian military and government personnel. In 2018, the group deployed an Android spyware threat against human rights activists in Pakistan intending to intercept phone calls and messages, misappropriate photos, and track their movements. In 2020, the hackers modified their bait messages to now include military or COVID-19-related lures and used them to drop a modified version of another Android RAT known as AhMyth.