| CapraRAT | |
| --- | --- |
| Type of Malware | Trojan |
| Country of Origin | Pakistan |
| Date of initial activity | 2021 |
| Targeted Countries | India |
| Additional Names | AndroRAT |
| Associated Groups | Transparent Tribe |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Android |
Overview
CapraRAT is a mobile remote access trojan (RAT) used by the advanced persistent threat (APT) group Transparent Tribe. The group is known for espionage against military and diplomatic personnel in South Asia, and over the years it has extended its operations to Android devices. CapraRAT, first identified in 2018, has evolved into an invasive surveillance tool that gives the operator full control of an infected device, including access to sensitive data and monitoring of user activity.
The malware is distributed outside official app stores, using social engineering to persuade users to download weaponized Android application packages (APKs). Most notably, CapraRAT disguises itself as a legitimate application, such as YouTube, to avoid suspicion. One recent campaign distributed YouTube-themed APKs that mimic the interface of the YouTube mobile app but carry hidden RAT functionality. Users who install one of these fake apps unknowingly grant the attackers access to the device's microphone, camera, location, SMS messages and call logs, along with the permissions needed to send messages or place phone calls on their behalf.
Targets
Public Administration
Individuals
How they operate
One of CapraRAT's most effective tactics is packaging the malware as an Android application package (APK) that imitates a popular app. Recent campaigns featured YouTube-themed APKs that reuse the YouTube icon and load the YouTube website to avoid raising suspicion. While the app behaves like a mobile version of YouTube, it is rigged with RAT features that run covertly in the background. Once installed, CapraRAT requests permissions for the camera, SMS access, the microphone and precise location, all presented as needed for normal app functionality. The genuine YouTube app needs none of the SMS, call log or call-placing permissions, so an unexpected request for them is the simplest tell for a user or analyst. Granted, these permissions let the attackers monitor and control the infected device remotely, making CapraRAT a potent tool for data exfiltration.
CapraRAT's operational capabilities are broad and invasive. The malware can record audio and video through the device's microphone and cameras, collect SMS and multimedia messages, track the device's location, read the contact list, and monitor call logs. It can also send and block SMS messages, take screenshots, modify system settings, and place phone calls without user consent. Its modular structure lets the operator issue individual commands as needed, depending on the level of surveillance or control required. The malware communicates with its command-and-control (C2) server to receive instructions and exfiltrate data over encrypted channels, which makes network detection harder.
Once installed, CapraRAT maintains persistence through an Autostarter function that relaunches the app after the device restarts; on Android this is the broadcast-receiver pattern, in which a component registered for the boot-completed event starts the malware without user interaction. The malware therefore stays active in the background even if the device owner closes the app. This persistence, combined with evasion techniques such as hiding its presence on devices running Android versions older than 9, allows CapraRAT to operate undetected for long periods. The malware's flexible design also lets Transparent Tribe tailor attacks to the target's environment, which points to the group's growing sophistication.
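The three traits described above (a lookalike label on a package that is not the genuine publisher's, a surveillance-grade permission set, and a boot-completed receiver for persistence) can be checked statically before an APK is ever run. The script below is an added example for this page, not code from the page, from Transparent Tribe's tooling, or from any vendor report. It assumes the manifest has already been decoded from binary XML to text (for instance with apktool); the sample manifests, package and class names, and the scoring weights are constructed for the example.

```python
"""Static triage of a decoded AndroidManifest.xml for CapraRAT-style traits.

Added example, not code from the original page. Feed it the text
AndroidManifest.xml that apktool (or similar) produces from an APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Permissions that together cover the capabilities described in the text:
# microphone, camera, SMS, location, call logs, placing calls, contacts.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
}

# Brand label -> genuine package name. Only the YouTube case from the text is
# covered; extend the table for other impersonated apps.
GENUINE_PACKAGES = {"youtube": "com.google.android.youtube"}


def _a(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> dict:
    """Return the indicators found in a decoded manifest plus a crude score."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    # Labels are often "@string/..." references; resolve those from
    # res/values/strings.xml first if you need the literal brand name.
    label = (_a(app, "label") or "") if app is not None else ""

    requested = {_a(p, "name") for p in root.iter("uses-permission")}
    surveillance = sorted(requested & SURVEILLANCE_PERMISSIONS)

    # Persistence indicator: any receiver registered for BOOT_COMPLETED.
    boot_receiver = any(
        _a(action, "name") == BOOT_ACTION
        for receiver in (app.iter("receiver") if app is not None else [])
        for action in receiver.iter("action")
    )

    # Impersonation indicator: a known brand label on a foreign package.
    genuine = GENUINE_PACKAGES.get(label.strip().lower())
    impersonation = genuine is not None and package != genuine

    # Weights are arbitrary (assumption for the example): each surveillance
    # permission counts 1, each structural indicator counts 3.
    score = len(surveillance) + 3 * boot_receiver + 3 * impersonation
    verdict = "suspicious" if score >= 6 else "review" if score >= 3 else "clean"
    return {
        "package": package,
        "label": label,
        "surveillance_permissions": surveillance,
        "boot_receiver": boot_receiver,
        "impersonation": impersonation,
        "score": score,
        "verdict": verdict,
    }


# Constructed sample: a lookalike manifest written for this example, not an
# extract from a real CapraRAT APK. Package and class names are hypothetical.
LOOKALIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ytube.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="YouTube" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign control: a video player that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Video Player">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("lookalike", LOOKALIKE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(xml))
```

The permission set alone is a weak signal, since legitimate messaging or dialer apps request several of these; the combination with a boot receiver and a brand label on a non-publisher package is what makes the lookalike stand out. Treat the score as a queueing aid for manual review, not a verdict.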
MITRE Tactics and Techniques
Initial Access – T1660 (Phishing)
Persistence – T1624.001 (Event Triggered Execution: Broadcast Receivers)
Privilege Escalation – T1404 (Exploitation for Privilege Escalation)
Defense Evasion – T1406 (Obfuscated Files or Information)
Defense Evasion – T1628.001 (Hide Artifacts: Suppress Application Icon)
Discovery – T1426 (System Information Discovery)
Collection – T1417 (Input Capture)
Collection – T1429 (Audio Capture)
Collection – T1512 (Video Capture)
Collection – T1513 (Screen Capture)
Collection – T1430 (Location Tracking)
Collection – T1636.002 (Protected User Data: Call Log)
Collection – T1636.003 (Protected User Data: Contact List)
Collection – T1636.004 (Protected User Data: SMS Messages)
Impact – T1582 (SMS Control)
Impact – T1616 (Call Control)
Exfiltration – T1646 (Exfiltration Over C2 Channel)
Command and Control – T1521 (Encrypted Channel)