Shweta Sharma
Senior Writer

New RAT digs into Android phones to steal data and encrypt files

News
Jun 24, 2024 | 5 mins
Android Security, Malware

Outdated phones infected with Rafel RAT can allow threat actors to access, encrypt, and exfiltrate sensitive user information.

Credit: Solarseven / Getty Images

Outdated Android devices are being targeted by a novel malware strain, “Rafel RAT,” to steal data and, in some cases, carry out ransomware attacks, according to research from Check Point.

Check Point researchers have observed as many as 120 campaigns, including ones against high-profile targets in the military sector, with a reported global reach concentrated especially in the US, China, and Indonesia.

“Rafel RAT is an open-source malware tool that operates stealthily on Android devices,” said Check Point researchers. “It provides malicious actors with a powerful toolkit for remote administration and control, enabling a range of malicious activities from data theft to device manipulation.”


The malware campaigns have been designated “high risk” because they allow remote access to and exfiltration from victim devices, and can also enable secondary lateral movement within key, high-profile organizations.

Malware can access SMS, call logs, and contacts

Rafel, according to the research, was designed specifically for phishing campaigns that manipulate user interactions to obtain the permissions it needs.

“Our investigation uncovered numerous phishing operations utilizing this specific malware variant,” researchers added. “Under the guise of legitimate entities, the malware impersonates multiple widely recognized applications, including Instagram, WhatsApp, various e-commerce platforms, antivirus programs, and support apps for numerous services.”

However, over time the malware has been used in more sophisticated campaigns that request notification permissions or device admin rights, or that stealthily seek a minimal set of sensitive permissions such as SMS, call logs, and contacts.

The malware, as observed so far, connects to a C2 (command and control) panel that allows a set of invasive operations, including collecting information such as device model, OS version, country, SIM operator, current charge level, language, running applications, and RAM details, among others.

“The Check Point Research (CPR) report on the Rafel RAT provides a detailed analysis of the current threat landscape, but several broader implications merit further attention,” said Callie Guenther, senior manager of cyber threat research at Critical Start. The exploitation of outdated Android versions highlights significant supply chain vulnerabilities, as manufacturers and carriers often fail to provide timely updates, leaving millions of devices exposed to threats like Rafel.

While the majority of Rafel victims were using Samsung phones, Xiaomi, Vivo, and Huawei devices also accounted for a substantial share of infections.

Adds a ransomware module

Apart from info-stealing, some modified versions of the malware were found to include a ransomware module with the features needed to run an extortion scheme.

“When malware obtains DeviceAdmin privileges, it can alter the lock-screen password,” the researchers noted. “In addition, leveraging device admin functionality aids in preventing the malware’s uninstallation. If a user attempts to revoke admin privileges from the application, it promptly changes the password and locks the screen, thwarting any attempts to intervene.”

This, combined with file encryption using AES, enables a successful ransomware deployment. “Check Point Research identified a ransomware operation performed using Rafel RAT,” researchers added. The threat actor, identified as being from Iran, used a ransom note in the form of an SMS message written in Arabic, as shared on a Telegram channel, to further dialogue with the victim.
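The device-admin abuse described above (a non-allowlisted app holding the policies that let it change the lock-screen password and lock the screen) is something a responder can check for during triage. The following is an added example, not code from the article or from Check Point: it parses the device-admin section of `adb shell dumpsys device_policy` output and flags packages that are not on an assumed allowlist yet hold both the `reset-password` and `force-lock` policies. The sample output is constructed for this example and only approximates the real format, which varies by Android version; the allowlist and the package names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample approximating `adb shell dumpsys device_policy` output.
# The format is an assumption for this example; real output varies by Android version.
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    admin=ComponentInfo{com.google.android.gms/com.google.android.gms.mdm.receivers.MdmDeviceAdminReceiver}
      uid=10022
      testOnlyAdmin=false
      policies:
        force-lock
        wipe-data
    admin=ComponentInfo{com.example.fakechat/com.example.fakechat.AdminReceiver}
      uid=10231
      testOnlyAdmin=false
      policies:
        reset-password
        force-lock
        wipe-data
"""

# Policy pair that matches the lock-out behaviour the article describes:
# change the lock-screen password, then lock the screen.
LOCKOUT_POLICIES = {"reset-password", "force-lock"}

# Assumed allowlist of packages expected to hold device admin on this fleet
# (e.g. the organisation's MDM agent). Adjust per environment.
KNOWN_ADMIN_PACKAGES = {"com.google.android.gms"}

# Matches "admin=ComponentInfo{<package>/<receiver class>}".
ADMIN_RE = re.compile(r"admin=ComponentInfo\{([^/}]+)/([^}]+)\}")


def parse_device_admins(text: str) -> Dict[str, List[str]]:
    """Map each enabled device-admin package to the policy names it declares."""
    admins: Dict[str, List[str]] = {}
    current = None
    in_policies = False
    for raw in text.splitlines():
        line = raw.strip()
        m = ADMIN_RE.search(line)
        if m:
            # New admin entry: start collecting its attributes.
            current = m.group(1)
            admins[current] = []
            in_policies = False
            continue
        if current is None:
            continue  # header lines before the first admin entry
        if line == "policies:":
            in_policies = True
            continue
        if in_policies:
            # Policy names are bare tokens; any key=value or section header ends the list.
            if not line or "=" in line or line.endswith(":"):
                in_policies = False
            else:
                admins[current].append(line)
    return admins


def suspicious_admins(admins: Dict[str, List[str]],
                      known=KNOWN_ADMIN_PACKAGES) -> List[str]:
    """Return non-allowlisted packages holding both reset-password and force-lock."""
    return sorted(
        pkg for pkg, policies in admins.items()
        if pkg not in known and LOCKOUT_POLICIES.issubset(policies)
    )


if __name__ == "__main__":
    found = parse_device_admins(SAMPLE_DUMPSYS)
    for pkg, policies in found.items():
        print(f"{pkg}: {', '.join(policies)}")
    print("suspicious:", suspicious_admins(found))
```

Run it against a real capture by piping `adb shell dumpsys device_policy` into a file and passing its contents to `parse_device_admins`. A hit is a lead, not a verdict: legitimate MDM agents also hold these policies, which is why the allowlist matters, and revoking admin rights on a suspected sample should be done with the device isolated, since the article notes the malware reacts to revocation by locking the screen.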

Use in nation-state offense

In addition to the preceding use cases, the malware has also been used in nation-state offensive operations, according to Check Point. “In one recent case, we identified a threat actor who managed to hack a government website from Pakistan,” the research firm said.

Hacker @LoaderCRazy published the hack on the @EgyptHackerTeam Telegram channel on May 18, 2024, presumably a year after the hack actually happened.

Additionally, the Check Point team was able to link some campaigns carried out by APT-C-35 (aka DoNot Team) to the Rafel malware. The threat actor is a known nation-state group whose prime targets are Pakistan and other South Asian countries.

“Rafel’s features and capabilities, such as remote access, surveillance, data exfiltration, and persistence mechanisms, make it a potent tool for conducting covert operations and infiltrating high-value targets,” the researchers added.

While Check Point shared a list of indicators of compromise (IoCs) and C2 domains for users to watch for, it also advised deploying effective malware detection solutions that block the download of malicious apps in real time.

“The diverse use cases of Rafel RAT — from espionage to ransomware — indicate that future exploitation trends may continue to diversify, making it essential to understand and anticipate these trends for developing proactive defense strategies,” said Critical Start’s Guenther.