Multiple cyber espionage groups are using an open-source Android remote administration tool called Rafel RAT, disguising it as popular apps like Instagram, WhatsApp, and various e-commerce and antivirus applications. This tool provides malicious actors with a powerful toolkit for remote administration and control, enabling activities such as data theft and device manipulation. It includes features like wiping SD cards, deleting call logs, siphoning notifications, and even functioning as ransomware.
The Israeli cybersecurity company Check Point highlighted the use of Rafel RAT by the DoNot Team (also known as APT-C-35, Brainworm, and Origami Elephant) in previous cyber attacks. These attacks exploited a design flaw in Foxit PDF Reader to trick users into downloading the malware. In April 2024, a campaign used military-themed PDF lures to distribute the malware. Check Point identified around 120 malicious campaigns targeting high-profile entities in countries including Australia, China, France, Germany, India, and the U.S.
Most victims of these attacks had Samsung phones, with Xiaomi, Vivo, and Huawei users also heavily affected. A significant 87.5% of infected devices were running outdated Android versions without security updates. The typical attack strategy involves social engineering to manipulate victims into granting intrusive permissions to the malware-laced apps, enabling them to access sensitive data like contact information, SMS messages, location, call logs, and installed applications.
Rafel RAT uses HTTP(S) and Discord APIs for command-and-control communications and comes with a PHP-based C2 panel for issuing commands to compromised devices. Its effectiveness is demonstrated by its use in a ransomware operation by an attacker likely from Iran, who sent a ransom note in Arabic to a victim in Pakistan via SMS. Check Point emphasized that Rafel RAT exemplifies the evolving landscape of Android malware, underscoring the importance of continual vigilance and proactive security measures to protect Android devices from exploitation.
Reference:
