ESET researchers have discovered a new cyberespionage campaign. The campaign, attributed to the Transparent Tribe group, targets Indian and Pakistani citizens, especially those with military or political backgrounds, with Android mobile malware named CapraRAT.
CapraRAT is a backdoor that can exfiltrate sensitive information from compromised devices. In this campaign, the malware was distributed via trojanized secure messaging and calling apps branded as MeetsApp and MeetUp. The trojanized apps were hosted on websites posing as official distribution centers. It is believed that a romance scam was used to lure targets to these websites.
ESET’s investigation revealed that Transparent Tribe has poor operational security around these trojanized apps, which allowed researchers to geolocate 150 victims in India, Pakistan, Russia, Oman, and Egypt. CapraRAT was hosted on a domain that had been previously used by Transparent Tribe, and the backdoor itself was similar to one used by the group in the past.
The two trojanized apps, MeetsApp and MeetUp, include CapraRAT code, communicate with the same C&C server (66.235.175[.]91:4098), and their APK files are signed with the same developer certificate, leading ESET to believe that both websites were created by the same threat actor. The messaging functionality appears to have been either developed by the threat actor or taken from code found online.
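The attribution pivot ESET describes (both APKs signed with the same developer certificate) can be reproduced during triage by fingerprinting each APK's signing certificate and comparing the fingerprints across samples. The Python below is an added example, not ESET's tooling: it uses only the standard library, walks the PKCS#7 SignedData found under META-INF in v1-signed APKs, and feeds itself a hand-built minimal blob as constructed demo input in place of a real sample (on real APKs, apksigner or a full ASN.1 library would be the normal choice).

```python
import hashlib, io, zipfile

def der_tlv(buf, off=0):
    """Parse one DER TLV at buf[off]; return (tag, value, raw_tlv, next_off)."""
    start, tag, length, off = off, buf[off], buf[off + 1], off + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], buf[start:off + length], off + length

def der_children(value):
    """Yield (tag, value, raw_tlv) for each TLV inside a constructed value."""
    off = 0
    while off < len(value):
        tag, v, raw, off = der_tlv(value, off)
        yield tag, v, raw

def certs_from_pkcs7(der):
    """Raw DER certificates in a PKCS#7 SignedData blob (APK v1 signature)."""
    _, content_info, _, _ = der_tlv(der)                   # ContentInfo SEQUENCE
    _, explicit0, _ = list(der_children(content_info))[1]  # [0] EXPLICIT content
    _, signed_data, _, _ = der_tlv(explicit0)              # SignedData SEQUENCE
    for tag, value, _ in der_children(signed_data):
        if tag == 0xA0:                                    # [0] IMPLICIT certificates
            return [raw for _, _, raw in der_children(value)]
    return []

def apk_signer_fingerprints(apk_bytes):
    """SHA-256 of each signer certificate found under META-INF (v1 signing).
    Caveat: v2/v3-only APKs keep certs in the APK Signing Block, not here."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in certs_from_pkcs7(z.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps
# Constructed demo input: minimal SignedData whose only cert is SEQUENCE {INTEGER 1}.
DEMO_CERT = bytes.fromhex("3003020101")
DEMO_PKCS7 = bytes.fromhex(
    "302a" "06092a864886f70d010702" "a01d" "301b"   # ContentInfo, OID signedData, [0], SignedData
    "020101" "3100" "300b06092a864886f70d010701"    # version, digestAlgorithms, encapContentInfo
    "a005" "3003020101" "3100")                     # [0] certificates: DEMO_CERT; signerInfos

def build_demo_apk(package):
    """In-memory APK-like zip carrying a v1-style META-INF/CERT.RSA (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", f"<manifest package='{package}'/>")
        z.writestr("META-INF/CERT.RSA", DEMO_PKCS7)
    return buf.getvalue()
```

Two samples whose fingerprint sets intersect were signed with the same key material, which is the kind of link the article relies on; a matching fingerprint is strong evidence of a common publisher but says nothing about the code inside.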
ESET believes that Transparent Tribe probably uses honey-trap romance scams to lure victims into installing the app and continues to communicate with them using the malicious app to keep them on the platform and make their devices accessible to the attacker.
CapraRAT is remotely controlled: acting on commands from the C&C server, it can exfiltrate sensitive information from victims’ devices. The backdoor can take screenshots and photos, record phone calls and surrounding audio, and exfiltrate other sensitive data. It can also receive commands to download files, make calls, and send SMS messages.
ESET’s researchers recommend that anyone who suspects they were affected by this campaign immediately uninstall any apps downloaded from suspicious websites and change their passwords. They also suggest that users only download apps from official app stores and be cautious of any unsolicited messages or requests for personal information.
The discovery of this campaign is a reminder of the importance of being vigilant about the apps that we download and the messages that we receive. Cybercriminals are constantly finding new ways to target unsuspecting victims, and it’s up to us to protect ourselves by being careful and taking appropriate security measures.