CraxsRAT Mobile Malware

Cybersecurity experts have reportedly uncovered the true identity of the individual responsible for developing the Remote Access Trojans (RATs) known as CypherRAT and CraxsRAT.

Operating under the online alias 'EVLF DEV' and based in Syria for the last eight years, this threat actor is believed to have generated more than $75,000 by distributing these two RATs to various threatening entities. The disclosed information also indicates that this individual serves as a Malware-as-a-Service (MaaS) operator.

For the last three years, EVLF DEV has been offering CraxsRAT, which is considered one of the more harmful and sophisticated Android RATs. This RAT has been available on a surface Web store, with approximately 100 lifetime licenses sold thus far.

The CraxsRAT Android Malware is Highly Customizable

CraxsRAT generates intricately obfuscated packages, granting malicious actors the flexibility to tailor their content based on the intended type of attack, including WebView page injections. The threat actors have the freedom to determine the app's name and icon for device infiltration, as well as the specific functionalities the malware will possess.

Furthermore, the builder incorporates a quick install feature that crafts applications with minimal install permissions to evade detection. However, post-installation, the threat actor retains the ability to request the activation of additional permissions.

This Trojan leverages the Android Accessibility Services to gain a variety of features, including keylogging, touchscreen manipulation, and automatic option selection. The extensive range of CraxsRAT's capabilities encompasses tasks like recording and live-streaming the device's screen. It is able to acquire recordings or engage in real-time surveillance using the phone's microphone and both front and back cameras. The Trojan can track the breached device's location through geolocation or by monitoring live movements. As a result, it has the capability to pinpoint the victim's exact location.
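As a defender's view of the two behaviours above (a minimal permission set at install that grows later, plus a dependency on Accessibility Services), the following added example, which is not from the original article, triages a device snapshot. It assumes you already have the value of Android's `enabled_accessibility_services` secure setting and two per-package lists of granted permissions; the allowlist, package names and sample data are constructed.

```python
# Added example. Package names, allowlist and snapshots below are constructed.
SENSITIVE = {  # runtime permissions matching the capabilities described above
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
}
ALLOWED_A11Y = {"com.google.android.marvin.talkback"}  # assumed allowlist


def parse_a11y(setting):
    """Return package names from the colon-separated 'package/ServiceClass'
    value of the enabled_accessibility_services secure setting."""
    value = (setting or "").strip()
    if value in ("", "null"):  # an unset setting reads back as 'null'
        return set()
    return {c.split("/", 1)[0] for c in value.split(":") if "/" in c}


def triage(a11y_setting, granted_at_install, granted_now):
    """Map each non-allowlisted accessibility package to the sensitive
    permissions it gained after install (empty list if none)."""
    findings = {}
    for pkg in parse_a11y(a11y_setting) - ALLOWED_A11Y:
        before = set(granted_at_install.get(pkg, ()))
        after = set(granted_now.get(pkg, ()))
        findings[pkg] = sorted((after - before) & SENSITIVE)
    return findings


# Constructed sample device state (hypothetical app com.example.flashlight)
SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.example.flashlight/com.example.flashlight.HelperService")
SAMPLE_INSTALL = {"com.example.flashlight": ["android.permission.INTERNET"]}
SAMPLE_NOW = {"com.example.flashlight": ["android.permission.INTERNET",
                                         "android.permission.RECORD_AUDIO",
                                         "android.permission.READ_SMS"]}

if __name__ == "__main__":
    for pkg, gained in triage(SAMPLE_A11Y, SAMPLE_INSTALL, SAMPLE_NOW).items():
        print(pkg, "gained after install:", gained or "nothing sensitive")
```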

A 'super mod' option is also available to cybercriminals to make CraxsRAT resistant to removal from infected devices. This is achieved by triggering a crash every time an attempt to uninstall the app is detected.

CraxsRAT Steals Sensitive and Private Data from Victims' Devices

CraxsRAT is also equipped to manage applications. This includes tasks such as obtaining the list of installed applications, enabling or disabling them, opening or closing, and even deleting them. Alongside screen control, CraxsRAT has the capacity to lock or unlock the screen, and it can darken the screen to obscure its malicious actions. The malware extends its capabilities to file management tasks, such as opening, moving, copying, downloading, uploading, encrypting and decrypting files.

CraxsRAT possesses the ability to monitor accessed websites and enforce the opening of specific pages. This RAT can initiate infection chains either by downloading and executing payloads itself or by deceiving victims into doing so through forcefully opened malicious websites. As a result, in theory, this program could be utilized to implant devices with more specialized trojans, ransomware, and other forms of malware.

CraxsRAT has the capacity to manipulate the phone's contacts by reading, deleting and adding new ones. Additionally, the threatening program is proficient in examining call logs (including incoming, outgoing, and missed calls), recording phone conversations, and even initiating calls. Similarly, the Trojan can access SMS messages (both sent and received, as well as drafts) and send them. These features related to phone calls and text messages position CraxsRAT to be used as Toll Fraud malware.

The RAT is able to access content stored in the clipboard (i.e., the copy-paste buffer). CraxsRAT also targets various accounts and their login credentials. Among the examples listed in its promotional material are unspecified emails, Facebook and Telegram accounts.

It's important to highlight that malware developers often refine their software, and CraxsRAT is no different. Consequently, these infections not only exhibit diversity due to their customizable nature but also show variations due to the introduction of newly incorporated features.
