CapraRAT, the Android implant documented by Trend Micro, is an Android RAT with a high “degree of crossover” with CrimsonRAT, a Windows malware associated with Earth Karkaddan, a threat actor also known as APT36, Operation C-Major, PROJECTM, Mythic Leopard, and Transparent Tribe.
In its espionage attacks against Indian military and diplomatic entities, a politically motivated advanced persistent threat (APT) group has expanded its malware arsenal to include a new remote access trojan (RAT).
The first evidence of APT36’s existence appeared in 2016, when the group began distributing information-stealing malware through phishing emails with malicious PDF attachments aimed at Indian military and government personnel. The group is thought to be of Pakistani origin and has been active since at least 2013.
The threat actor is also known for being consistent in its techniques, with attacks that primarily depend on social engineering and a USB-based worm as entry points. A Windows backdoor called CrimsonRAT, which gives the attackers extensive access to compromised systems, is a common element in the group’s arsenal, though recent campaigns have evolved to deliver ObliqueRAT.
This is far from the hacking group’s first use of Android RATs. Human rights defenders in Pakistan were targeted in May 2018 by Android spyware called StealthAgent, which intercepted phone calls and messages, siphoned photos, and tracked their whereabouts.
Then, in 2020, Transparent Tribe used military-themed lures to drop a modified version of the AhMyth Android RAT disguised as a porn-related app and a fake version of the Aarogya Setu COVID-19 tracking app.
Finally, the researchers concluded: “Users are advised to be wary of unsolicited emails, avoid clicking on links or downloading email attachments from unknown senders, install apps only from trusted sources, and exercise caution when granting permissions requested by the apps.”