Cybercriminals have started attacking old Android devices using open-source malware called Ratel RAT. It is used as Android ransomware: it encrypts or deletes data, locks the device, and demands payment via Telegram.
Researchers from Check Point report discovering more than 120 campaigns using Ratel RAT. Attackers include APT-C-35 (DoNot Team) as well as groups from Iran and Pakistan. They target high-profile organizations, especially in the government and military sectors; most victims are in the US, China, and Indonesia.
In most infections verified by Check Point, the victim was running an Android version that had reached the end of its support cycle and no longer received security updates. This covers Android 11 and older, which account for over 87.5% of infected devices; only 12.5% of infected devices run Android 12 or 13. Victims used smartphones from various brands, including Samsung Galaxy, Google Pixel, Xiaomi Redmi and Motorola One, as well as devices from OnePlus, Vivo, and Huawei, which demonstrates that Ratel RAT is an effective attack tool across a wide range of Android implementations.
Ratel RAT is distributed in various ways. Cybercriminals typically use Instagram, WhatsApp, e-commerce platforms, and antivirus applications to trick people into downloading malicious APK files. During installation, the ransomware requests dangerous permissions so that it can operate in the background.
Ratel RAT has several variants that differ in the commands they support. The commonly supported commands are:
- ransomware: initiates the process of encrypting files on the device.
- wipe: deletes all files at the specified path.
- LockTheScreen: locks the device screen, making it unusable.
- sms_oku: leaks all SMS messages (including 2FA codes) to the command and control (C2) server.
- location_tracker: sends the current location of the device to the C2 server.
Actions are controlled from a central panel, where cybercriminals can access information about the device and its status and make decisions about the next steps of the attack.
According to Check Point's analysis, a command to deploy the ransomware was issued in approximately 10% of cases. The victim's files are then encrypted with a pre-defined AES key, after which the hackers demand a ransom.
By obtaining DeviceAdmin rights, the ransomware gains control over key device functions, such as changing the lock-screen password and adding a custom message to the screen, often a ransom note. If the user tries to revoke admin rights, the ransomware can respond by changing the password and immediately locking the screen.
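As an added triage example (not from the article or from Check Point), the script below maps the Ratel RAT commands listed above onto the Android permissions and device-admin status an app would need, and flags sideloaded apps that hold that combination, along with whether the device runs an Android version the article counts as out of support. The inventory format, package names and the "two or more capabilities" threshold are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Android 11 is API level 30; the article counts Android 11 and older as out of support.
LAST_UNSUPPORTED_SDK = 30
PLAY_STORE = "com.android.vending"

# Ratel RAT commands from the article, mapped to the Android permissions an app
# needs to carry them out (real permission names; the mapping is this example's own).
CAPABILITY_PERMISSIONS = {
    "sms_oku": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "location_tracker": {"android.permission.ACCESS_FINE_LOCATION",
                         "android.permission.ACCESS_COARSE_LOCATION"},
    "ransomware/wipe": {"android.permission.WRITE_EXTERNAL_STORAGE",
                        "android.permission.MANAGE_EXTERNAL_STORAGE"},
}

@dataclass
class InstalledApp:
    package: str
    installer: Optional[str]    # None means sideloaded (no installer package recorded)
    permissions: set
    device_admin: bool = False  # app has an active device-administrator receiver

def capabilities(app: InstalledApp) -> list:
    """Return the Ratel-style capabilities this app's grants would allow."""
    found = [name for name, perms in CAPABILITY_PERMISSIONS.items() if app.permissions & perms]
    if app.device_admin:
        found.append("LockTheScreen")  # DeviceAdmin allows changing the lock password and locking the screen
    return found

def assess_app(app: InstalledApp) -> dict:
    caps = capabilities(app)
    sideloaded = app.installer != PLAY_STORE
    # A sideloaded app holding device admin, or two or more mapped capabilities,
    # matches what the article's infections look like from the device side.
    suspicious = sideloaded and (app.device_admin or len(caps) >= 2)
    return {"package": app.package, "sideloaded": sideloaded,
            "capabilities": caps, "suspicious": suspicious}

def assess_device(apps: list, sdk_int: int) -> dict:
    return {"os_unsupported": sdk_int <= LAST_UNSUPPORTED_SDK,
            "suspicious_apps": [r for r in (assess_app(a) for a in apps) if r["suspicious"]]}

# Constructed inventory (not real data): a Play-installed messenger and a sideloaded "antivirus".
SAMPLE_APPS = [
    InstalledApp("com.example.messenger", PLAY_STORE,
                 {"android.permission.READ_SMS", "android.permission.INTERNET"}),
    InstalledApp("com.example.fakeav", None,
                 {"android.permission.READ_SMS", "android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.WRITE_EXTERNAL_STORAGE"}, device_admin=True),
]

if __name__ == "__main__":
    print(assess_device(SAMPLE_APPS, sdk_int=30))
```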
Check Point researchers observed several ransomware operations involving Ratel RAT, including an attack originating from Iran. The malware first conducted reconnaissance using other Ratel RAT capabilities, then launched the encryption module. The attacker deleted the call history, changed the wallpaper to display a custom message, locked the screen, activated the device's vibration, and sent an SMS with a ransom message. In the message, the victim was instructed to contact the attackers on Telegram to "resolve this issue."
To defend against Ratel RAT, avoid downloading APKs from questionable sources, do not click URLs embedded in emails or SMS messages, and scan applications with Play Protect before launching them.
Source: bleepingcomputer