Introduction

A sophisticated cyber-espionage campaign has been detected, leveraging the PJobRAT Android remote access trojan (RAT) to target users in Taiwan [2]. This campaign employs deceptive instant messaging applications to distribute the malware, posing significant security risks.

Description

A new cyber-espionage campaign utilizing PJobRAT [2], an Android remote access trojan (RAT) [1] [2], has been identified targeting users in Taiwan through spoofed instant messaging applications named “SangaalLite” and “CChat.” This malware [1], which has previously focused on Indian military personnel, is distributed via compromised WordPress sites rather than official app stores [2]. The campaign has been active for over 22 months [1] [2], with the earliest sample dating back to January 2023 [2], although hosting domains were registered as early as April 2022 [2]. Despite its longevity, the campaign has resulted in limited infections.

The latest version of PJobRAT has evolved to include the capability to execute shell commands [2], significantly enhancing attackers’ control over infected devices. This functionality allows for the theft of sensitive information, including SMS messages [1] [2], contacts [1] [2], and media files [2], as well as the ability to root devices, launch attacks on other systems [2], and remotely uninstall the malware once objectives are achieved [2].

PJobRAT communicates with its command-and-control (C2) servers using Firebase Cloud Messaging (FCM) and HTTP protocols [1] [2]. FCM enables the malware to blend its network traffic with legitimate Android communications [2], complicating detection efforts [2]. The HTTP method is employed for exfiltrating stolen data [2]. Indicators of compromise associated with PJobRAT include the domain westvist[.]myftp[.]org [1], the app names SangaalLite and CChat [1], and the file hash Andr/AndroRAT-M [1]. The malware’s infrastructure is believed to be based in Germany [1].

Users are advised to refrain from installing applications from untrusted sources and to utilize threat detection tools to mitigate risks [1].

The malware employs several techniques as outlined by MITRE [1], including Command and Control (T1071.001) through FCM and HTTP [1], Data from Information Repositories (T1213) for collecting sensitive information [1], Remote File Copy (T1105) for uploading data to command-and-control servers [1], and Execute Command (T1059) for running shell commands on infected devices [1].
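As an added example (not code from either referenced report), the following script shows how a defender could turn the published indicators above into a simple detection pass: it refangs the defanged C2 domain, then scans DNS resolver and MDM app-inventory log lines for queries to that domain (including subdomains) and for installs carrying the spoofed app names SangaalLite and CChat. The log format and all log lines are constructed for illustration; FCM traffic itself is deliberately not flagged, because, as noted above, it is indistinguishable from legitimate Android push traffic.

```python
import re

# Indicators quoted in the advisory above, kept in their published defanged form.
DEFANGED_DOMAINS = ["westvist[.]myftp[.]org"]
SPOOFED_APP_NAMES = {"SangaalLite", "CChat"}


def refang(indicator: str) -> str:
    """Convert a defanged indicator (e.g. 'a[.]b[.]org', 'hxxp://') back to a matchable form."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


C2_DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}

# Constructed sample log lines (hypothetical format, not real telemetry).
SAMPLE_LOGS = [
    '2025-03-27T10:01:02Z dns client=10.0.0.12 query=westvist.myftp.org type=A',
    '2025-03-27T10:01:05Z dns client=10.0.0.12 query=fcm.googleapis.com type=A',
    '2025-03-27T10:02:10Z mdm device=android-7f31 event=app_install label="CChat" source=unknown',
    '2025-03-27T10:02:11Z mdm device=android-7f31 event=app_install label="Signal" source=play',
    '2025-03-27T10:03:00Z dns client=10.0.0.13 query=api.westvist.myftp.org type=A',
]


def match_line(line: str):
    """Return a list of (indicator_type, value) hits for one log line; empty if clean."""
    hits = []
    # DNS events: exact match or any subdomain of a known C2 domain.
    m = re.search(r"query=(\S+)", line)
    if m:
        qname = m.group(1).lower().rstrip(".")
        for domain in C2_DOMAINS:
            if qname == domain or qname.endswith("." + domain):
                hits.append(("c2_domain", domain))
    # MDM app-inventory events: the advisory gives display names, not package
    # names, so we match the label field only.
    m = re.search(r'label="([^"]*)"', line)
    if m and m.group(1) in SPOOFED_APP_NAMES:
        hits.append(("spoofed_app", m.group(1)))
    return hits


def scan(lines):
    """Scan log lines and return (line, hits) pairs for every line with at least one hit."""
    return [(line, hits) for line in lines if (hits := match_line(line))]


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS):
        print(hits, "<-", line)
```

The domain test is suffix-based on purpose: a dynamic-DNS host such as this one is often fronted by subdomains, and an exact-match rule would miss them.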

Conclusion

The PJobRAT campaign underscores the persistent threat posed by advanced malware targeting mobile devices. Its ability to execute shell commands and exfiltrate data highlights the need for robust security measures. Users must remain vigilant, avoiding untrusted applications and employing comprehensive threat detection solutions. As cyber threats continue to evolve, ongoing research and collaboration are essential to developing effective countermeasures and safeguarding sensitive information.

References

[1] https://www.hendryadrian.com/pjobrat-makes-a-comeback-takes-another-crack-at-chat-apps/
[2] https://www.infosecurity-magazine.com/news/pjobrat-malware-targets-taiwan-via/