
Discovering the Developer of CypherRAT & CraxsRAT: Research Findings


A new Malware-as-a-Service (MaaS) operator known as ‘EVLF DEV’ has been identified by researchers as the creator of CypherRAT and CraxsRAT. For the past three years, EVLF has been selling CraxsRAT, an extremely dangerous Android RAT that allows attackers to remotely control a victim’s camera, location, and microphone. The code in the Android package created by the CraxsRAT builder is highly obfuscated and provides threat actors with various options for deploying malicious apps based on the type of attack.

Researchers from CYFIRMA have stated with high confidence that EVLF is being operated by a man from Syria. EVLF has even developed an online shop for CraxsRAT on the surface web to prove its reliability to interested threat actors. This move has significantly increased the reachability of these RATs and the number of active users. To maintain anonymity, all transactions for purchases are made in cryptocurrency.

It is important to note that CraxsRAT specifically targets Android devices. However, cracked versions of the CraxsRAT builder, which runs on Windows machines, are being distributed in forums with backdoors or other malware or ransomware already bundled in. Once installed, the app asks the user to enable its accessibility service in the device settings; that permission gives it the device's screen contents and keystrokes, and lets the threat actor alter what is displayed on screen, which further enables malicious actions.

Threat actors often use the builder's quick install option to install the payload with minimal user interaction, such as a single prompt to turn on accessibility, and then request the remaining authorizations needed to carry out malicious actions. To protect themselves from such efforts, users are advised to exercise caution when installing apps, to avoid clicking on dubious links or attachments, and to install apps only from legitimate app stores.
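Because the abuse described above hinges on an accessibility service being enabled, one practical check for defenders is to audit which accessibility services a managed Android device has switched on and flag any that are not expected. The script below is an added example, not code from the article or from CYFIRMA; it parses the colon-separated value Android stores under the secure setting `enabled_accessibility_services` (on a real device obtained with `adb shell settings get secure enabled_accessibility_services`) and compares each component against an allowlist. The allowlist entry and the sample value are constructed for illustration; the `com.example.update/.ScreenService` component is a placeholder, not a real CraxsRAT indicator.

```shell
#!/bin/sh
# Added example: audit enabled Android accessibility services against an allowlist.
# Not from the article; the allowlist and the sample value below are constructed.

# Components expected on the fleet (assumption: TalkBack only; adjust per environment).
# Separate multiple entries with spaces.
ALLOWED_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# audit_accessibility_services VALUE
#   VALUE is the raw output of:
#     adb shell settings get secure enabled_accessibility_services
#   Android joins enabled components with ':' and prints "null" when none are set.
#   Prints each component not in ALLOWED_SERVICES.
#   Returns 0 when everything is allowlisted, 1 when at least one unexpected service is on.
audit_accessibility_services() {
    enabled="$1"
    found=0
    if [ -z "$enabled" ] || [ "$enabled" = "null" ]; then
        return 0
    fi
    # Component names never contain spaces, so word splitting on the tr output is safe.
    for svc in $(printf '%s' "$enabled" | tr ':' ' '); do
        allowed=0
        for ok in $ALLOWED_SERVICES; do
            if [ "$svc" = "$ok" ]; then
                allowed=1
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            echo "UNEXPECTED accessibility service enabled: $svc"
            found=1
        fi
    done
    return $found
}

# Constructed sample: TalkBack plus an unrecognised service, as a device with a
# sideloaded app that talked the user into enabling accessibility might report.
SAMPLE_VALUE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.update/.ScreenService"

if audit_accessibility_services "$SAMPLE_VALUE"; then
    echo "All enabled accessibility services are allowlisted."
else
    echo "Review the flagged service(s): inspect the owning package and its install source."
fi
```

To run it against a real device, replace `SAMPLE_VALUE` with the output of the `adb shell settings get secure` command named in the comments, or feed that output to the function from an MDM job. Flagging alone is not proof of compromise (legitimate apps such as password managers also register accessibility services), so the follow-up is to inspect the owning package and confirm where it was installed from.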

The discovery of EVLF DEV as the operator behind the creation of CypherRAT and CraxsRAT highlights the ongoing challenges posed by Malware-as-a-Service operators. These platforms make it easier for threat actors to access and deploy sophisticated malware, increasing the overall risk to individuals and organizations.

It is crucial for cybersecurity professionals and law enforcement agencies to continue monitoring and investigating these MaaS operators. By uncovering and disrupting their operations, it becomes possible to mitigate the threat posed by their malicious tools and protect potential victims. Furthermore, raising awareness among users about the dangers of downloading apps from untrusted sources and practicing good cybersecurity hygiene can greatly reduce the success rate of these attacks.

In conclusion, the identification of EVLF DEV as a Malware-as-a-Service operator highlights the ongoing challenges in the cybersecurity landscape. The development and distribution of dangerous malware like CypherRAT and CraxsRAT underscore the need for increased vigilance among users and the importance of robust security measures to safeguard against such threats.
