2024-06-27
Security Team
Rafel RAT - The Open-Source Android Malware Tool Used by Multiple Threat Actors
Cyber Attack
Threat Intelligence
Malware Analysis
Threat Hunting

In recent months, multiple threat actors, including cyber espionage groups, have been using an open-source Android remote administration tool (RAT) called Rafel RAT to target Android devices. The malware has been observed in over 120 malicious campaigns, with victims in many countries, including the United States, China, Indonesia and India. Rafel RAT gives attackers a full remote administration and control toolkit, enabling activities that range from data theft to device manipulation.

Most victims had Samsung phones; Xiaomi, Vivo and Huawei users formed the second-largest group. This distribution mirrors the market share of those brands in the affected regions rather than indicating brand-specific targeting.


Technical Analysis

Rafel RAT is an open-source malware tool that operates stealthily on Android devices. It provides malicious actors with a range of features, including:

    Remote access and control

    Surveillance

    Data exfiltration

    Persistence mechanisms

The malware is delivered through phishing campaigns, relying on deceptive lures to win the user's trust and get the app installed. Once launched, it requests the permissions it needs and may also ask to be added to the allowlist (the battery-optimisation exemption), so that Android does not stop it from running in the background.

Rafel RAT can impersonate many widely recognised applications, including Instagram, WhatsApp, various e-commerce platforms, antivirus programs and support apps for numerous services. Depending on the build, it either asks for Notification access or Device Admin rights, or quietly requests a minimal set of sensitive permissions (such as SMS, Call Logs and Contacts) in order to stay under the radar.


Rafel RAT employs several persistence mechanisms to maintain its presence on the infected device, including:

  1. Device Admin Rights: the malware requests Device Admin rights. An app that is an active device administrator cannot be uninstalled until the user first deactivates it in Settings, and the same privilege lets the RAT lock the screen on command.
  2. Allowlist: the malware asks to be exempted from battery optimisation (added to the allowlist), so the system does not kill its background process.
  3. Notification Hijacking: the malware hijacks notifications to display fake alerts and notifications, allowing it to operate undetected.
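The three mechanisms above leave a footprint an investigator can check from a workstation with adb: which packages hold Device Admin, and which of those also request the SMS, call-log, contacts or location permissions the page describes. The script below is an added example, not code from Rafel RAT or its author. It parses text in the shape of `adb shell dumpsys device_policy` and `adb shell dumpsys package <pkg>`; the dumps embedded in it are constructed samples whose layout approximates real output (field order and indentation vary by Android version, so the parsers key on section names rather than on columns), and `com.example.instaclone` is a hypothetical package name.

```python
"""Triage an Android device for the Rafel RAT persistence pattern:
a Device Admin app that also requests SMS / call-log / contacts / location.
Added example; not Rafel RAT code. Sample dumps are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The "minimal sensitive permissions" named on the page, plus fine location
# (exfiltrated by the RAT's live-location command).
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed sample of `adb shell dumpsys device_policy`: one legitimate admin
# (Find My Device lives in Play services) and one hypothetical suspect.
DEVICE_POLICY_SAMPLE = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/com.google.android.gms.mdm.receivers.MdmDeviceAdminReceiver:
      uid=10052
    com.example.instaclone/.AdminReceiver:
      uid=10231
  Password requirements: none
"""

# Constructed samples of `adb shell dumpsys package <pkg>`, keyed by package.
PACKAGE_SAMPLES: Dict[str, str] = {
    "com.google.android.gms": """  Package [com.google.android.gms] (a1b2c3):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.instaclone": """  Package [com.example.instaclone] (d4e5f6):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.READ_CALL_LOG
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
""",
}

ADMIN_LINE = re.compile(r"^\s+(?P<pkg>[A-Za-z0-9_.]+)/[A-Za-z0-9_.$]+:\s*$")
PERM_LINE = re.compile(r"^\s+(?P<perm>[A-Za-z0-9_.]+)\s*$")


def device_admins(policy_dump: str) -> Set[str]:
    """Package names listed under 'Enabled Device Admins'."""
    admins: Set[str] = set()
    in_section = False
    for line in policy_dump.splitlines():
        if not in_section:
            in_section = "Enabled Device Admins" in line
            continue
        indent = len(line) - len(line.lstrip(" "))
        if line.strip() and indent <= 2:      # back at top level: section over
            break
        m = ADMIN_LINE.match(line)
        if m:
            admins.add(m.group("pkg"))
    return admins


def requested_permissions(package_dump: str) -> Set[str]:
    """Permissions under 'requested permissions:' (stops at the next header)."""
    perms: Set[str] = set()
    in_section = False
    for line in package_dump.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_section = True
            continue
        if in_section:
            if stripped.endswith(":"):
                break
            m = PERM_LINE.match(line)
            if m:
                perms.add(m.group("perm"))
    return perms


def installer(package_dump: str) -> Optional[str]:
    """Installer package, or None when the APK was sideloaded (typical of a
    phishing-delivered app, which records no installer)."""
    m = re.search(r"installerPackageName=(\S+)", package_dump)
    return None if not m or m.group(1) == "null" else m.group(1)


@dataclass
class Finding:
    package: str
    sensitive: Set[str]
    sideloaded: bool


def triage(policy_dump: str, package_dumps: Dict[str, str],
           allow=frozenset()) -> List[Finding]:
    """Device Admin apps (minus a vetted allowlist) that also request
    sensitive permissions. Sorted so output is stable."""
    findings: List[Finding] = []
    for pkg in sorted(device_admins(policy_dump) - set(allow)):
        dump = package_dumps.get(pkg, "")
        hits = requested_permissions(dump) & SENSITIVE
        if hits:
            findings.append(Finding(pkg, hits, installer(dump) is None))
    return findings


if __name__ == "__main__":
    for f in triage(DEVICE_POLICY_SAMPLE, PACKAGE_SAMPLES,
                    allow={"com.google.android.gms"}):
        print(f.package, "sideloaded" if f.sideloaded else "store-installed",
              sorted(f.sensitive))
```

Against a real device you would feed `device_admins()` the output of `adb shell dumpsys device_policy` and then fetch `adb shell dumpsys package <pkg>` for each admin it returns. The allowlist matters: Play services and corporate MDM agents legitimately hold Device Admin, so the signal is the combination of admin rights, sensitive permissions and a missing installer, not any one of them alone.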

 

Communication with C&C Server

The malware communicates with the command-and-control (C&C) server over HTTP(S), transmitting information about the device, including its identifiers, characteristics, locale, country, model and operator details. The C&C server then sends commands to the device, which can include:

1. Leaking the phonebook to the C&C

2. Leaking all SMS to the C&C

3. Sending text messages to the provided phone number

4. Sending device information (country, operator, model, language, battery, root status, amount of RAM)

5. Leaking live location to the C&C

6. Leaking call logs to the C&C

7. Showing a toast (floating message) with the provided text to the victim

8. Wiping all files under the specified path

9. Locking the device screen

10. Starting the file-encryption process

11. Changing the device wallpaper

12. Vibrating the device

The Rafel RAT toolkit provides threat actors with a PHP-based administration panel which, unusually, runs without a traditional database: it stores and manages all data in JSON files. During installation the threat actor sets a username and password that grant access to the panel. The panel serves as a central hub for managing infected devices, issuing commands and collecting exfiltrated data.


Upon logging into the command-and-control interface, threat actors can see essential information about each infected device, such as:

1. Device – phone model

2. Version – Android version

3. Country – geographical context, allowing threat actors to tailor their activities or campaigns to specific regions or demographics

4. SIM operator – the mobile network operator associated with the device's SIM card, which gives a coarse indication of where the device is

5. Charge – the current battery level of the infected device

6. Is Rooted – whether the device is rooted, indicating the level of access available to the operator


Indicators of Compromise (IOCs) for Rafel RAT

The following IOCs are associated with the Rafel RAT malware:

 

SHA256 Hashes

The following SHA256 hashes are linked to Rafel RAT:

      d1f2ed3e379cde7375a001f967ce145a5bba23ca668685ac96907ba8a0d29320

      442fbbb66efd3c21ba1c333ce8be02bb7ad057528c72bf1eb1e07903482211a9

      344d577a622f6f11c7e1213a3bd667a3aef638440191e8567214d39479e80821

      c94416790693fb364f204f6645eac8a5483011ac73dba0d6285138014fa29a63

      9b718877da8630ba63083b3374896f67eccdb61f85e7d5671b83156ab182e4de

      5148ac15283b303357107ab4f4f17caf00d96291154ade7809202f9ab8746d0b

 

Command and Control (C2) Servers

The following C2 servers are associated with Rafel RAT:

      districtjudiciarycharsadda.gov[.]pk

      kafila001.000webhostapp[.]com

      uni2phish[.]ru

      zetalinks[.]tech

      ashrat.000webhostapp[.]com

      bazfinc[.]xyz

      discord-rat23.000webhostapp[.]com
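Because the RAT beacons over plain HTTP(S), the hosts above are the cheapest thing to sweep for in proxy or DNS logs, and the hashes can be matched against EDR or `sha256sum` output. The script below is an added example, not code from Rafel RAT or its author: it refangs the published indicators, matches hosts on a label boundary (so a lookalike such as `notzetalinks.tech` is not a hit, while a subdomain of a listed host is) and ignores a C2 string that merely appears in a URL path. The proxy log lines, file paths and the `<timestamp> <client> <method> <url> <status>` log format are constructed for the example; the URL paths are placeholders, not real panel endpoints.

```python
"""Sweep HTTP proxy logs and file-hash events for the Rafel RAT IOCs
published on this page. Added example; not Rafel RAT code. Log lines and
file events below are constructed."""
import hashlib
import re
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# C2 hosts exactly as published (defanged) above.
C2_DEFANGED = [
    "districtjudiciarycharsadda.gov[.]pk",
    "kafila001.000webhostapp[.]com",
    "uni2phish[.]ru",
    "zetalinks[.]tech",
    "ashrat.000webhostapp[.]com",
    "bazfinc[.]xyz",
    "discord-rat23.000webhostapp[.]com",
]

# SHA256 hashes as published above.
RAFEL_SHA256 = {
    "d1f2ed3e379cde7375a001f967ce145a5bba23ca668685ac96907ba8a0d29320",
    "442fbbb66efd3c21ba1c333ce8be02bb7ad057528c72bf1eb1e07903482211a9",
    "344d577a622f6f11c7e1213a3bd667a3aef638440191e8567214d39479e80821",
    "c94416790693fb364f204f6645eac8a5483011ac73dba0d6285138014fa29a63",
    "9b718877da8630ba63083b3374896f67eccdb61f85e7d5671b83156ab182e4de",
    "5148ac15283b303357107ab4f4f17caf00d96291154ade7809202f9ab8746d0b",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable host name."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


C2_HOSTS = {refang(h) for h in C2_DEFANGED}


def host_matches(host: str) -> bool:
    """True for a listed C2 host or any subdomain of it. The leading dot
    enforces a label boundary: 'notzetalinks.tech' must not match."""
    host = host.lower().rstrip(".")
    return any(host == c2 or host.endswith("." + c2) for c2 in C2_HOSTS)


# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
# Paths are placeholders; only the host is matched.
PROXY_LOG = """\
2024-06-20T10:01:12Z 10.0.0.14 POST https://zetalinks.tech/ 200
2024-06-20T10:01:13Z 10.0.0.15 GET https://www.google.com/ 200
2024-06-20T10:02:40Z 10.0.0.14 POST http://discord-rat23.000webhostapp.com/ 200
2024-06-20T10:03:01Z 10.0.0.22 GET https://example.com/zetalinks.tech 200
2024-06-20T10:03:05Z 10.0.0.22 GET https://notzetalinks.tech/ 200
2024-06-20T10:04:00Z 10.0.0.14 GET https://cdn.zetalinks.tech/ 200
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
)


def scan_proxy_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """(timestamp, client, host) for every request to a C2 host.
    The host is taken from the parsed URL, so a C2 string in the path or
    query of an unrelated site does not produce a false positive."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines, keep going
        host = urlsplit(m["url"]).hostname or ""
        if host_matches(host):
            hits.append((m["ts"], m["client"], host))
    return hits


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hashes(events: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(path, sha256) pairs whose hash is a published Rafel RAT sample.
    Hashes are normalised to lowercase so EDR exports in either case match."""
    return [(path, h.strip().lower()) for path, h in events
            if h.strip().lower() in RAFEL_SHA256]


# Constructed file-hash events, e.g. from an EDR export or `sha256sum -r`.
FILE_EVENTS = [
    ("/sdcard/Download/update.apk",
     "442FBBB66EFD3C21BA1C333CE8BE02BB7AD057528C72BF1EB1E07903482211A9"),
    ("/sdcard/Download/notes.txt", sha256_of(b"constructed benign content")),
]


if __name__ == "__main__":
    for ts, client, host in scan_proxy_log(PROXY_LOG):
        print("C2 beacon", ts, client, "->", host)
    for path, h in match_hashes(FILE_EVENTS):
        print("Rafel sample", path, h)
```

Three of the seven hosts sit on `000webhostapp.com`, a free hosting service; do not widen the match to that parent domain or you will flag every unrelated site hosted there. Subdomain matching is applied only beneath the hosts actually published, and the first client in the sample log is worth pivoting on because it beacons to two different C2 hosts.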

 

Recommendations for End Users to Protect Against Rafel RAT


  1. App Installation Precautions:
    • Avoid Third-Party App Stores: Only download and install apps from official app stores like the Google Play Store. Rafel RAT is delivered through phishing, outside the store, so keep "Install unknown apps" disabled for browsers and messaging apps and avoid third-party or unofficial stores, which may host malicious applications.
    • Review App Permissions: Before installing any app, carefully review the permissions it requests. An app that asks for SMS, Call Log or Contacts access, or for Device Admin rights, without an obvious need for them is a red flag; do not install it.
  2. Security Software:
    • Install Antivirus/Anti-malware Apps: Use reputable antivirus or anti-malware apps to scan your device regularly and detect potential threats.
    • Keep Security Apps Updated: Ensure that your antivirus or anti-malware apps are always updated to the latest versions to recognize new threats.
  3. Update Your Device:
    • Regular Software Updates: Keep your device's operating system and apps updated with the latest security patches. Enable automatic updates to ensure you don’t miss important security fixes.
  4. Network Security:
    • Avoid Public Wi-Fi: Refrain from using public Wi-Fi networks for sensitive activities like online banking or accessing personal accounts. Use a VPN (Virtual Private Network) if you must use public Wi-Fi.
    • Secure Your Home Network: Ensure that your home Wi-Fi network is secured with a strong password and encryption (WPA2 or WPA3).
  5. Phishing Awareness:
    • Be Cautious with Links and Attachments: Do not click on links or download attachments from unknown or suspicious emails, messages, or websites. Verify the sender’s authenticity before taking any action.
    • Recognize Phishing Attempts: Learn to identify phishing attempts, such as emails or messages that create a sense of urgency, request personal information, or contain spelling and grammar errors.
  6. Device Configuration:
    • Enable Device Encryption: Use device encryption to protect your data in case your device is lost or stolen. This can be enabled in the security settings of your device.
    • Set Strong Screen Locks: Use strong passwords, PINs, or biometric locks (fingerprint or facial recognition) to secure access to your device.
  7. Backup Your Data:
    • Regular Backups: Regularly back up important data to a secure cloud service or an external storage device. This ensures you can recover your data if your device is compromised.
  8. Behavioral Awareness:
    • Monitor Your Device: Be aware of any unusual behavior on your device, such as slow performance, unexpected pop-ups, or apps you didn’t install. These can be signs of malware.
    • Check Installed Apps: Periodically review the apps installed on your device and uninstall any unfamiliar or suspicious apps.
  9. Use Security Features:
    • Enable Google Play Protect: Google Play Protect scans your device for potentially harmful apps and provides alerts. Make sure this feature is enabled in the Play Store settings.
    • Activate Find My Device: Enable Google’s Find My Device feature to locate, lock, or wipe your device remotely if it’s lost or stolen.
