An ongoing cyber espionage campaign targeting Indian and Pakistani Android users with a backdoor called CapraRAT currently has its origin traced to Transparent Tribe—a Pakistan-aligned advanced persistent threat group.
Transparent Tribe is as famous as Operation C-Major and Mythic Leopard. Transparent Tribe, also tagged as Apt36, operates on adulterated websites claiming to be the official distribution centres of MeetsApp and MeetUp (Malicious) (com.meetup.app) available for download.
There are speculations that the group use honeytrap romance scams to get victims to install the malicious app promising secure calling and messaging. The app is designed to behave to offer the promised security features which keep users from suspecting or detecting the implanted CapraRAT Android Malware in it.
CapraRAT is a modified version of the open-source AndroRAT documented in February 2022 by Trend Micro, and it shows some overlap with CrimsonRAT, a windows malware. A Statement by ESET also states, “the group distributed the Android CapraRAT backdoor via trojanized secure messaging and calling apps branded as MeetsApp and MeetUp.”
The app is designed with hidden features that allow it to take screenshots, save pictures and record phone conversations and surrounding audio while exporting sensitive data aside from those collected through the registration process that requires a phone number and SMS verification. Further research has shown that the app makes calls, sends SMS, and performs automatic downloads through some command chains. A report revealed the possibility of over 150 victims, mainly from a military or political discipline.
According to a Slovak cybersecurity company, there is no trace of the apps on the Google Play Store, which suggests the campaign had specific targets. Other findings showed that Transparent Tribe has already launched a new set of attacks on the Indian government organizations as a primary target. The attack uses a malicious version of Kavach, a two-factor authentication solution.
