Security researchers have identified Rafel RAT [6], an open-source Android malware tool that threat actors use for espionage [2]. It targets outdated Android devices, with victims concentrated in the US, China [3] [4] [5] [6] [7], India [4], and Indonesia [3] [4] [5] [6].
Description
Rafel RAT is distributed disguised as popular apps such as Instagram and WhatsApp [7] [8], tricking victims into installing malicious apps that request sensitive permissions [4]. Attack chains rely on social engineering to obtain intrusive permissions and reach sensitive data [8]; phishing campaigns have manipulated user interactions to obtain the permissions the malware needs [5]. Multiple threat actors [1] [6] [7] [8], including cyber espionage groups [2] [6] [7] [8], have exploited the tool [6], and researchers have observed around 120 campaigns [7] [8] targeting high-profile entities, including in the military sector [5], with a global reach [5] and a particular focus on the US [5] [7], China [3] [4] [5] [6] [7], Indonesia [3] [4] [5] [6], Australia [7], and France. Victims primarily use Samsung phones [3] [8], with Xiaomi [1] [2] [3] [8] [9], Vivo [1] [2] [3] [8], and Huawei devices also among the most targeted [3] [8].
The malware operates stealthily on Android devices [5] and gives operators a powerful toolkit for remote administration and control [5], supporting activities from data theft to device manipulation [5] [7] [8]. It can collect SMS messages [3] [5], call logs [3] [5] [8], and contacts [3] [5], exfiltrate two-factor authentication messages [3], maintain persistence on the device [6], and carry out surveillance [1] [6] and data exfiltration [1] [6]. Command-and-control communication primarily uses HTTP(S), and the tool can also use Discord APIs [7] [8]; it comes with a PHP-based C2 panel for issuing commands to compromised devices [8], which allows invasive operations [5]. In some cases [5] a ransomware module alters the lock-screen password and prevents uninstallation [5]; Rafel RAT has been deployed in ransomware operations [7], including one by an attacker likely from Iran [8].
Over 87% of infected devices run unsupported Android versions [6] [8], particularly Android 11. The malware can generally operate across all Android versions [3], but newer releases make it harder for the malware to execute its functions or require more actions from the victim to be effective [3]. Rafel RAT has been linked to the APT-C-35 threat operation [6], also known as DoNot Team [3] [8], Brainworm [3] [8], and Origami Elephant [8], which has been identified as one of its most prolific users [3]. It has also been used in nation-state offenses [5], in one case by a threat actor who hacked a government website from Pakistan [5].
The prevalence of Rafel RAT highlights the need for continual vigilance and proactive security measures to protect Android devices [7] [8]. Android security measures should focus on threat intelligence [9], endpoint protection [9], user education [9], and collaboration among stakeholders to defend against such threats [9]. Users are advised to keep devices updated [2], avoid unknown downloads [2], and scan apps before launching them.
Conclusion
The impact of Rafel RAT on Android devices, particularly targeting outdated versions, underscores the importance of maintaining up-to-date security measures. Proactive steps such as regular updates, cautious app downloads, and user education are crucial in defending against such threats. The use of Rafel RAT in espionage activities and ransomware operations emphasizes the need for ongoing vigilance and collaboration among stakeholders to safeguard against malicious attacks. Moving forward, a comprehensive approach to Android security, including threat intelligence and endpoint protection [9], is essential to mitigate the risks posed by advanced malware tools like Rafel RAT.
References
[1] https://securityaffairs.com/164844/breaking-news/multiple-threat-actors-used-rafel-rat.html
[2] https://www.techworm.net/2024/06/rafel-rat-malware-target-android-phones.html
[3] https://www.scmagazine.com/brief/old-android-phones-mostly-subjected-to-rafel-rat-attacks
[4] https://www.helpnetsecurity.com/2024/06/24/android-rafel-rat/
[5] https://www.csoonline.com/article/2500712/new-rat-digs-into-android-phones-to-steal-data-and-encrypt-files.html
[6] https://www.infosecurity-magazine.com/news/android-users-targeted-rafel-rat/
[7] https://thehackernews.com/2024/06/iranian-hackers-deploy-rafel-rat-in.html
[8] https://www.redpacketsecurity.com/multiple-threat-actors-deploying-open-source-rafel-rat-to-target-android-devices/
[9] https://cybersecuritynews.com/android-rafel-rat/