OmniRAT

OmniRAT is a Remote Administration Tool much in the vein of DroidJack but equipped with greatly expanded capabilities. While DroidJack could take control solely of Android devices, OmniRAT also works on Windows, Linux and Mac devices. Another difference was price: while DroidJack required you to fork over up to $210, OmniRAT was available at a significantly lower cost of $25 or $50, depending on which tier the customer chose.

By their nature, Remote Administration Tools are not threatening; they simply give users a means of accessing their devices and carrying out tasks on them remotely. The problem is that such programs can easily be appropriated by hackers and repurposed to serve as a fundamental part of their criminal activities. Indeed, even the unmodified version of OmniRAT could execute commands, record audio, enumerate running processes or services on the device, access contact lists, make phone calls and send messages, and access and delete the browsing history, among other things. Not surprisingly, soon after the program was launched, an SMS attack campaign delivering a custom version of OmniRAT was detected.

The payload was distributed through SMS messages claiming that the targeted user had received an MMS which could not be delivered directly because of the Android vulnerability StageFright. A link led to a website where users had to enter their phone number and a code number provided in the SMS, which resulted in downloading and installing an APK file carrying OmniRAT. The application then requested various intrusive permissions, which is not that different from the behavior of many legitimate applications, and if it was successful the hackers were granted full control over the compromised device. OmniRAT could then spread further by sending SMS messages from the device to the user's contact list.
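The permission request described above is the point at which a defender can still catch an installer like this one. The following is an added example, not code from the original article or from any analysis of OmniRAT itself: it parses the decoded text form of an AndroidManifest.xml (the kind produced by apktool or aapt2), groups the requested permissions into the capability classes the article attributes to OmniRAT (SMS, contacts, audio capture, calls, boot persistence), and flags an app that requests several of them at once. The manifest, the package name and the grouping thresholds are constructed for this example; the permission names are real Android permission identifiers.

```python
"""Flag an APK whose requested permissions resemble a remote-access-tool
profile. Added example; the sample manifest below is constructed and does
not come from any real OmniRAT sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest in decoded text form (hypothetical package name).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mms.viewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="MMS Viewer"/>
</manifest>
"""

# Capability groups mirroring the abilities the article lists (messaging,
# contacts, audio, calls) plus boot persistence. Real permission names;
# the grouping itself is this example's own choice, not an Android API.
CAPABILITY_GROUPS = {
    "sms": {"android.permission.SEND_SMS", "android.permission.READ_SMS",
            "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "calls": {"android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def capability_profile(manifest_xml: str) -> dict[str, list[str]]:
    """Map each capability group to the requested permissions that fall in it."""
    perms = requested_permissions(manifest_xml)
    return {group: sorted(perms & names)
            for group, names in CAPABILITY_GROUPS.items() if perms & names}


def risk_score(manifest_xml: str, threshold: int = 3) -> tuple[int, bool]:
    """Count capability groups hit; flag the app when the count reaches the
    threshold (3 is an assumed cut-off for this example, not a standard)."""
    hits = len(capability_profile(manifest_xml))
    return hits, hits >= threshold


if __name__ == "__main__":
    hits, flagged = risk_score(SAMPLE_MANIFEST)
    for group, perms in capability_profile(SAMPLE_MANIFEST).items():
        print(f"{group:12s} {', '.join(perms)}")
    print(f"capability groups hit: {hits}, flagged: {flagged}")
```

A single group is unremarkable (a messaging app legitimately needs SMS permissions); the signal is the combination, so the check counts groups rather than individual permissions. On a real device the same idea applies at install time: an app posing as an MMS viewer that also wants to record audio, place calls and start at boot deserves a second look before any permission is granted.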

While the authors of OmniRAT stated on the program's official website that they did not support any illicit use of the application and that responsibility fell solely on the customers, this did not help them when, in 2019, German police raided their home and seized their laptops, computers and mobile devices. The raid was most likely part of an investigation into a cyber attack that had taken place a couple of months earlier, and it resembles the 2015 operation against DroidJack.

The hackers launched a campaign against companies in multiple industries. The initial exploit used to compromise the targeted computers was a remote code execution vulnerability in Microsoft Excel, designated CVE-2016-7262. The poisoned Excel spreadsheet was designed to appear as if it had been sent by 'Kuwait Petroleum Corporation (KPC)', and the payload it delivered was OmniRAT.
