Rafel RAT

Several threat actors, including cyber espionage groups, are utilizing an open-source Android Remote Administration Tool known as the Rafel RAT. They disguise it as popular applications like Instagram, WhatsApp, and various e-commerce and anti-malware applications to achieve their harmful goals.

The Rafel RAT provides these actors with a robust toolkit for remote administration and control, facilitating various nefarious activities such as data theft and device manipulation. Its extensive features include wiping SD cards, deleting call logs, intercepting notifications and even functioning as ransomware.

The Rafel RAT Was Detected in Numerous Attack Campaigns

Cybersecurity experts have previously highlighted the use of the Rafel RAT by APT-C-35 (also known as DoNot Team, Brainworm, and Origami Elephant) in attacks that exploited a design flaw in Foxit PDF Reader to deceive users into downloading malicious payloads. This campaign, which occurred in April 2024, used military-themed PDF lures to deliver the malware.

Experts have identified approximately 120 different harmful campaigns, including some targeting high-profile entities, across various countries such as Australia, China, Czechia, France, Germany, India, Indonesia, Italy, New Zealand, Pakistan, Romania, Russia and the U.S.

The majority of victims owned Samsung phones, followed by users of Xiaomi, Vivo, and Huawei devices. Notably, around 87.5% of the infected devices were running outdated Android versions that no longer receive security updates.

The Rafel RAT Can Compromise a Wide Range of Sensitive Data

Typical attack chains rely on social engineering to trick victims into granting intrusive permissions to the malicious applications. These permissions allow the malware to gather sensitive data, including contact information, SMS messages (such as 2FA codes), location, call logs, and the list of installed applications, among other data.

The Rafel RAT primarily uses HTTP(S) for Command-and-Control (C2) communications but can also utilize Discord APIs to communicate with threat actors. Additionally, it features a PHP-based C2 panel that registered users can use to issue commands to compromised devices.

Android Users Remain a Frequent Target of Cybercriminals

The tool's adoption by a range of threat actors is illustrated by its use in a ransomware operation conducted by an attacker believed to be from Iran. The attacker sent a ransom note in Arabic via SMS, urging a victim in Pakistan to contact them through Telegram.

The Rafel RAT exemplifies the evolving landscape of Android malware, distinguished by its open-source design, comprehensive feature set, and extensive deployment in a variety of illicit activities. Its widespread use underscores the importance of ongoing vigilance and proactive security measures, such as keeping devices on supported Android versions and scrutinising permission requests, to protect Android devices from malicious exploitation.
