
Mirax RAT Aims at Android Devices via Meta Applications


Cybercrime as-a-service, Endpoint Security, Fraud Management & Cybercrime

Malware-as-a-Service Operations Favor Russian-Speaking Customers


A newly identified remote access Trojan (RAT) is gaining traction in Spanish-speaking countries, abusing Meta-owned applications to spread fraudulent advertisements that serve as the entry point for its infections. Dubbed Mirax, the malware targets Android devices and was first reported by Outpost24’s KrakenLabs in early March. Its functionality lets operators control infected devices in real time and turn them into residential proxy nodes; it reaches victims through advertisements displayed on Facebook, Instagram, Messenger or Threads.

According to research published by Cleafy, a firm specializing in online fraud prevention, Mirax is distributed primarily through Meta platforms. It uses SOCKS5 protocol support and Yamux multiplexing to build proxy channels that route attacker traffic through the victim’s IP address. This layered structure lets attackers keep persistent control over compromised devices and significantly expands their capacity for illicit activity.
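The article names the two building blocks of the proxy channel, SOCKS5 and Yamux, but a defender rarely sees either labelled in a capture. The following detector is an added example and not code from the article, Cleafy or KrakenLabs: it parses the Yamux frame header (version, type, flags, stream id, length, as defined by the hashicorp/yamux specification) and the RFC 1928 SOCKS5 client greeting from raw TCP payload bytes, and labels a payload when it sees either, or a SOCKS5 greeting carried inside a Yamux data frame. The sample payloads are constructed for the example; the nesting order (SOCKS5 inside Yamux) is an assumption, not a description of Mirax’s actual layout.

```python
"""Heuristic detection of Yamux frame headers and SOCKS5 greetings in TCP
payloads. Example code, not from the article; sample bytes are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Yamux header (hashicorp/yamux spec): version(1) type(1) flags(2, big-endian)
# stream_id(4, big-endian) length(4, big-endian) = 12 bytes.
YAMUX_HEADER_LEN = 12
YAMUX_TYPES = {0: "Data", 1: "WindowUpdate", 2: "Ping", 3: "GoAway"}
YAMUX_FLAGS = {0x1: "SYN", 0x2: "ACK", 0x4: "FIN", 0x8: "RST"}


@dataclass
class YamuxFrame:
    type_name: str
    flags: List[str]
    stream_id: int
    length: int


def parse_yamux_header(buf: bytes) -> Optional[YamuxFrame]:
    """Return a YamuxFrame if buf starts with a plausible Yamux header, else None.
    Version 0 plus a type byte of 0-3 is low entropy, so treat a hit as a
    heuristic to be confirmed over several frames of the same stream."""
    if len(buf) < YAMUX_HEADER_LEN:
        return None
    version, ftype, flags, stream_id, length = struct.unpack("!BBHII", buf[:12])
    if version != 0 or ftype not in YAMUX_TYPES:
        return None
    if flags & ~0xF:  # only SYN/ACK/FIN/RST are defined
        return None
    names = [n for bit, n in YAMUX_FLAGS.items() if flags & bit]
    return YamuxFrame(YAMUX_TYPES[ftype], names, stream_id, length)


def is_socks5_greeting(buf: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then NMETHODS method bytes."""
    if len(buf) < 3 or buf[0] != 0x05:
        return False
    nmethods = buf[1]
    return nmethods >= 1 and len(buf) == 2 + nmethods


def classify_payload(buf: bytes) -> str:
    """Label a payload as 'yamux', 'socks5', 'yamux+socks5' (a SOCKS5 greeting
    inside a Yamux Data frame; assumed nesting order) or 'other'."""
    frame = parse_yamux_header(buf)
    if frame is not None:
        body = buf[YAMUX_HEADER_LEN:YAMUX_HEADER_LEN + frame.length]
        if frame.type_name == "Data" and is_socks5_greeting(body):
            return "yamux+socks5"
        return "yamux"
    if is_socks5_greeting(buf):
        return "socks5"
    return "other"


# Constructed sample payloads (not captured from any real device).
SAMPLES = {
    # Yamux WindowUpdate with SYN flag opening stream 1 (a typical first frame)
    "yamux_syn": bytes.fromhex("00 01 00 01 00 00 00 01 00 00 00 00"),
    # Yamux Data frame on stream 1 carrying a 3-byte SOCKS5 greeting
    "yamux_data_socks": bytes.fromhex("00 00 00 00 00 00 00 01 00 00 00 03 05 01 00"),
    # Bare SOCKS5 greeting offering "no auth" and "username/password"
    "socks5_plain": bytes.fromhex("05 02 00 02"),
    # SOCKS4 request start: same shape, wrong version byte
    "socks4": bytes.fromhex("04 01 00 50"),
    # Ordinary HTTP request
    "http": b"GET / HTTP/1.1\r\n",
}


def scan_samples() -> dict:
    """Classify every constructed sample; returns {name: label}."""
    return {name: classify_payload(buf) for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in scan_samples().items():
        print(f"{name:18s} -> {label}")
```

In a real deployment this check would run per TCP stream rather than per packet, because a single 12-byte header that parses as Yamux is weak evidence on its own; a stream that yields several consecutive well-formed frames with monotonically plausible stream ids is what justifies an alert on an outbound connection from a phone.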

Mirax’s capabilities extend well beyond those of typical malware. It can capture keystrokes, steal multimedia files and data—including sensitive lock screen details—execute commands remotely, and monitor user behavior in detail. By overlaying legitimate applications with deceptive interfaces, the malware harvests user credentials and shows misleading notifications that push unwitting users into disclosing sensitive information.

The distribution of Mirax follows a multi-stage attack chain: Meta ads promote web pages for malicious dropper apps designed to ensnare unsuspecting victims. Although Meta platforms are its primary access point, the malware also abuses GitHub to host malicious APK files, which are offered with one of two crypters—Virbox and Golden Crypt. This dual offering increases both the complexity and the reach of the malware’s spread.

Upon installation, victims are prompted to change their device settings, specifically to allow downloads from “unknown sources.” This enables a multi-layered installation process that evades many conventional security measures. To further disguise its intentions, the malware presents the request as a benign application feature, such as video playback, while prompting users to enable the accessibility services that Mirax relies on to operate.

Observations from KrakenLabs show that operators using the moniker Mirax Bot have begun marketing a private malware-as-a-service (MaaS) offering on illicit forums. Their services reportedly start at $2,500 for three-month subscriptions, with an alternate, feature-limited version priced at $1,750 per month. This MaaS model is not only financially lucrative but also increasingly accessible to those with malicious intent.

Researchers at Cleafy indicate that this MaaS offering is not widely available; it appears “highly controlled” and “exclusive” to a select group of affiliates. Notably, access seems to be prioritized for Russian-speaking cybercriminals with established reputations in underground communities. This selectivity suggests a deliberate strategy to preserve operational security and maximize the effectiveness of campaigns, indicating that the actors behind Mirax are not only efficient but highly calculated in their activities.

The proliferation of offerings like Mirax underscores the evolving landscape of cybercrime, in which sophisticated tools are sold as services that allow even less technically skilled individuals to carry out attacks. This trend poses significant risks to user security and calls for robust defensive measures across platforms to mitigate the threat. Understanding how such malware operations work is essential for both individuals and organizations aiming to protect their digital environments.
