Transparent Tribe, aka APT-36, a Pakistan-based threat actor active since 2016, has launched a new campaign dubbed CapraTube. It targets mobile gamers, weapon enthusiasts, and TikTok lovers to distribute CapraRAT spyware using malicious APKs. The four malicious apps are named Crazy Game, Sexy Videos, TikToks, and Weapons.
These apps launch YouTube with specific queries. For instance, the TikToks APK launches YouTube with the ‘TikToks’ search query, while the Weapons APK opens the Forgotten Weapons YouTube channel.
First discovered in September 2023, the CapraTube campaign deploys weaponised Android applications (APKs) disguised as legitimate apps, including those mimicking YouTube. This approach has seen updates in the latest iteration, with new social engineering pretexts and improved compatibility with older and newer Android operating system versions.
Researchers discovered that malicious APKs now use Android’s WebView to launch URLs directed towards YouTube or the mobile gaming site CrazyGames[.]com.
The threat actors obfuscated the URLs to evade detection, but once cleaned, they redirect users to specific YouTube search queries or gaming content. The apps’ names are designed to capture a niche audience.
These applications prompt users to grant extensive permissions, including access to GPS location, SMS, contacts, and the ability to record audio and video, download files, and take photos, raising significant privacy concerns.
According to researchers, in the new CapraRAT, a few permissions, such as READ_INSTALL_SESSIONS, GET_ACCOUNTS, AUTHENTICATE_ACCOUNTS, and REQUEST_INSTALL_PACKAGES, aren’t required.
Furthermore, the new CapraRAT is compatible with newer Android versions. While previous versions of the CapraRAT spyware required devices running on Android Lollipop (5.1), the latest versions reference Android Oreo (8.0) and successfully run on modern Android versions, including Android 13 (Tiramisu) and Android 14.
“The decision to move to newer versions of the Android OS is logical, and likely aligns with the group’s sustained targeting of individuals in the Indian government or military space, who are unlikely to use devices running older versions of Android, such as Lollipop which was released 8 years ago,” researchers said. “The updates to the CapraRAT code between the September 2023 campaign and the current campaign are minimal, but suggest the developers are focused on making the tool more reliable and stable.”
This shift ensures that the spyware remains effective on contemporary devices used by their targets, reducing the likelihood of raising suspicion through compatibility warnings or installation failures.
“We tested the APKs from this campaign and the September 2023 campaign on an Android device running Android Tiramisu aka Android 13 (2022) and Android 14 (2023). The new campaign’s apps ran smoothly on this modern version of Android. The September 2023 campaign apps prompted a compatibility warning dialogue, which could raise suspicion among victims that the app is abnormal,” note researchers.
The new APKs maintain a minimal class structure via the Android Support Library to ensure backward compatibility, illustrating the group’s technical adaptability. Despite this, the spyware still requests numerous permissions, highlighting its surveillance capabilities.
The core of CapraRAT spyware lies in its MainActivity, which initiates permission requests and subsequently activates various malicious functionalities through the TCHPClient class. This class includes methods for audio streaming, call logging, contact listing, file browsing, and more.
The collected data is then transmitted to a command-and-control (C2) server, with the spyware employing a hardcoded IP address and hostname for connectivity. Cybersecurity researchers observed that this infrastructure has been linked to Transparent Tribe’s CrimsonRAT and AhMyth Android RAT activities since at least 2022, indicating a sustained and coordinated effort.
To mitigate the risk of compromise by CapraRAT and similar malware, researchers urge users to scrutinise app permissions and be wary of applications requesting unnecessary access. Network indicators such as port 18582 and specific method names within suspect apps should be treated as potential red flags in incident response scenarios.
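As an added triage example (not code from the researchers or from this article), the Python below checks a decoded APK for the permission cluster and the code-level indicators described above (the TCHPClient class and port 18582). It assumes the APK has already been unpacked with a tool such as apktool so that AndroidManifest.xml is plain XML; the sample manifest, package name and source snippet are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Capability clusters the article describes: GPS, SMS, contacts, A/V capture, storage.
CAPABILITY_GROUPS = {
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "sms": {P + "READ_SMS", P + "RECEIVE_SMS", P + "SEND_SMS"},
    "contacts": {P + "READ_CONTACTS", P + "READ_CALL_LOG"},
    "audio_video": {P + "RECORD_AUDIO", P + "CAMERA"},
    "storage": {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"},
}
# Permissions the newer CapraRAT build reportedly dropped; seeing them suggests the older build.
LEGACY_PERMISSIONS = {P + n for n in ("READ_INSTALL_SESSIONS", "GET_ACCOUNTS",
                                     "AUTHENTICATE_ACCOUNTS", "REQUEST_INSTALL_PACKAGES")}
# Code-level indicators named in the article: the TCHPClient class and C2 port 18582.
CODE_INDICATORS = {"TCHPClient": re.compile(r"\bTCHPClient\b"),
                   "port_18582": re.compile(r"(?<!\d)18582(?!\d)")}

def triage(manifest_xml: str, decoded_sources: str) -> dict:
    """Score a decoded APK by its surveillance permission set and code indicators."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    groups_hit = sorted(g for g, perms in CAPABILITY_GROUPS.items() if requested & perms)
    indicators = sorted(k for k, rx in CODE_INDICATORS.items() if rx.search(decoded_sources))
    # Flag when most of the surveillance cluster is requested or a code indicator
    # matches; a lure that merely opens YouTube in a WebView needs neither.
    return {
        "package": root.get("package"),
        "capability_groups": groups_hit,
        "legacy_permissions": sorted(requested & LEGACY_PERMISSIONS),
        "code_indicators": indicators,
        "suspicious": len(groups_hit) >= 4 or bool(indicators),
    }

# Constructed sample manifest modelled on the lure apps described above; the package
# name and permission list are assumptions, not taken from the real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tiktoks">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""
# Constructed text standing in for decompiled source or smali of the same APK.
SAMPLE_SOURCES = "public class TCHPClient { int port = 18582; }"
```

Run `triage(SAMPLE_MANIFEST, SAMPLE_SOURCES)` to see the verdict; an app that requests only INTERNET and opens a URL in a WebView comes back with an empty capability list and is not flagged.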
Indian government and private sector entities, particularly in sensitive sectors such as space and defence, have been targeted by cyber crooks in the past. Last month, it was reported that a Pakistan-based threat actor, Cosmic Leopard, was targeting Indian government institutions.
In May, Transparent Tribe was found to target Indian defence, aerospace, and other government entities.