PJobRAT

A spyware threat that was first discovered in 2019 has emerged once more in an attack campaign directed against Indian military personnel. The researchers who caught the operation cannot currently attribute it to any of the established hacker groups. However, the specific nature of the targets suggests that the threat actor might be related to either China or Pakistan.

PJobRAT Attack Details

The threat is disguised as various dating or instant messaging applications. Among the identities it assumes are 'Trendbanter,' 'SignalLite,' 'HangOn,' 'Rita' and 'Ponam.' The applications are spread through third-party application store platforms and advertised as a convenient way for single Indians living abroad to get together. Instead, all of these applications deploy the PJobRAT malware.

Once established on the system, the threat will try to blend its icon among the ones already present on the device. In fact, the actual icon is likely to have nothing in common with the one displayed on the third-party application store and instead will be similar to icons of other popular applications, such as WhatsApp. 

The Threatening Capabilities of PJobRAT

The main functionality of PJobRAT is to collect and exfiltrate sensitive information from the breached devices. It can gather a wide range of document types (pdf, xls, doc, docx, xlsx, ppt and pptx) and upload them to a remote server. The spyware can also access private data from applications like WhatsApp and collect private conversations and contact lists. Furthermore, PJobRAT allows the threat actors to record audio and video via the device's microphone and camera.

The researchers also discovered a peculiar fact. Apparently, all of the collected information is being stored on a private server that is publicly accessible. Whether this is intentional or the hackers are simply careless and amateurish cannot be established at the moment.
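
For defenders managing a fleet of Android devices, the traits described above (the lure names, distribution through third-party stores, and the data the spyware collects) can be combined into a triage check over an app inventory. The following is an added example, not code from the researchers or from this article's source; the record format, package names, score weights and the mapping from capabilities to Android permissions are assumptions.

```python
# Added example: score app-inventory records against the PJobRAT lure pattern.
# The record format, package names and score weights are constructed.
P = "android.permission."
LURE_LABELS = {"trendbanter", "signallite", "hangon", "rita", "ponam"}  # from the article
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play installer package
# Assumption: permissions an app would need for the capabilities described.
CAPABILITY_PERMS = {
    P + "READ_EXTERNAL_STORAGE": "document collection",
    P + "READ_CONTACTS": "contact list access",
    P + "RECORD_AUDIO": "microphone recording",
    P + "CAMERA": "camera recording",
}

def triage(app):
    """Return (score, reasons) for one inventory record."""
    score, reasons = 0, []
    if app["label"].strip().lower() in LURE_LABELS:
        score += 3
        reasons.append("label matches a reported lure name")
    if app.get("installer") not in TRUSTED_INSTALLERS:
        score += 2
        reasons.append("installed from outside the trusted store")
    caps = sorted({CAPABILITY_PERMS[p] for p in app.get("permissions", [])
                   if p in CAPABILITY_PERMS})
    if len(caps) >= 3:
        score += 2
        reasons.append("permissions cover: " + ", ".join(caps))
    return score, reasons

def flag(inventory, threshold=5):
    """Return (package, score, reasons) for records at or above threshold."""
    hits = [(a["package"], *triage(a)) for a in inventory]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])

ALL = list(CAPABILITY_PERMS)
SAMPLE_INVENTORY = [  # constructed records
    {"label": "SignalLite", "package": "example.constructed.a", "installer": None, "permissions": ALL},
    {"label": "WhatsApp", "package": "example.constructed.b", "installer": "com.android.vending", "permissions": ALL},
    {"label": "Rita", "package": "example.constructed.c", "installer": "com.android.vending", "permissions": [P + "READ_CONTACTS"]},
    {"label": "HangOn", "package": "example.constructed.d", "installer": "example.thirdparty.store", "permissions": [P + "CAMERA"]},
]

if __name__ == "__main__":
    for package, score, reasons in flag(SAMPLE_INVENTORY):
        print(package, score, "; ".join(reasons))
```

A label match alone stays below the threshold because names such as 'Rita' are common; the install source and permission set are what raise a record to review.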
