Among the diverse array of Android malware available on the dark web markets, Rafel RAT stands out as a particularly potent tool for malicious actors. Rafel RAT, an open-source remote administration tool, enables remote access and control over infected Android devices. Its capabilities include surveillance, data exfiltration, persistence mechanisms, and manipulation of device functionalities.

The Relation Between APT-C-35 and Rafel RAT

Recent research by Check Point has uncovered instances of APT-C-35, also known as DoNot Team, leveraging Rafel RAT in their espionage operations. This discovery highlights the tool's versatility and effectiveness across different threat actor profiles and operational objectives. The group has been observed using Rafel RAT to conduct extensive espionage campaigns and targeting high-profile organizations, including those in the military sector. Analysis reveals approximately 120 distinct malicious campaigns associated with Rafel RAT, some of which have successfully targeted prominent organizations globally. Victims primarily hail from the United States, China, and Indonesia, with Samsung, Xiaomi, Vivo, and Huawei being the most affected device brands. Notably, a portion of targeted devices runs on unsupported Android versions, exacerbating security vulnerabilities due to the lack of essential security patches.

Technical Insights and Modus Operandi

Rafel RAT employs sophisticated techniques to evade detection and execute malicious operations discreetly. Upon infiltration, the malware initiates communication with a command-and-control (C&C) server, facilitating remote data exfiltration, surveillance, and device manipulation. Its command set includes capabilities for accessing phone books, SMS messages, call logs, location tracking, and even initiating ransomware operations. Threat actors utilizing Rafel RAT operate through a PHP-based C&C panel, leveraging JSON files for data storage. This streamlined infrastructure enables attackers to monitor infected devices comprehensively, accessing crucial information such as device models, Android versions, geographical locations, and network operator details. Such insights empower threat actors to tailor their malicious activities and campaigns effectively.

Emerging Threats and Mitigation Strategies

As Rafel RAT continues to evolve and proliferate, robust cybersecurity measures become imperative for Android users and enterprises alike. Effective strategies to mitigate risks include deploying comprehensive endpoint protection, staying updated with security patches, educating users about phishing and malware threats, and fostering collaboration across cybersecurity stakeholders. Rafel RAT exemplifies the nature of Android malware, characterized by its open-source nature, extensive feature set, and widespread adoption in illicit activities. Vigilance and proactive security measures are essential to safeguard against its threats, ensuring continued protection of user privacy, data integrity, and organizational security in an increasingly interconnected digital world.

Researchers have discovered a new phishing campaign in which threat actors distribute the Remcos RAT malware within UUEncoding (UUE) file attachments in emails purporting to be about importing or exporting shipments. The UUEncoding (UUE) file attachments are compressed with Power Archiver, a proprietary and cross-platform archive utility that supports both Windows and MacOS.

Use of UUEncoding (UUE) Files to Distribute Remcos RAT Malware

Researchers from AhnLab discovered that the threat actors behind the campaign, use UUEncoding files with a .UUE extension, which are designed to encode binary data in plain text format. These file formats are suitable for attachment in e-mail or Usenet messages. The malicious .UUE files encode a VBS script attached in phishing emails. The threat actors seem to have leveraged the file format and encoding technique as an attempt to bypass detection. [caption id="attachment_76665" align="alignnone" width="1024"] Source: asec.ahnlab.com[/caption] When decoded, the VBS script is obfuscated, making it difficult for researchers to analyze. The script saves a PowerShell script into the %Temp% directory and executes it. The running script then downloads the Haartoppens.Eft file, which executes an additional PowerShell script. This script is also obfuscated and is designed to load a shellcode to the wab.exe process. [caption id="attachment_76666" align="alignnone" width="638"] Source: asec.ahnlab.com[/caption] The shellcode maintains its persistence by adding a registry key to the infected system, and then accesses a remote C&C server to load additional instructions. The instructions ultimately download the Remcos RAT malware for execution on infected systems.

Remcos RAT malware

The Remcos RAT collects system information from infected systems and stores keylogging data in the %AppData% directory. The malware then sends this data to the remote command-and-control (C&C) server, which is hosted through a DuckDNS domain. [caption id="attachment_76667" align="alignnone" width="894"] Source: asec.ahnlab.com[/caption] Remcos is a commercial remote access tool (RAT) that is advertised as a legitimate tool, but has been observed in numerous threat actor campaigns. Successful loading of Remcos opens a backdoor on targeted systems, allowing for complete control. The researchers have shared the following indicators to help detect and stop this campaign: IOCs (Indicators of Compromise)

• b066e5f4a0f2809924becfffa62ddd3b (Invoice_order_new.uue)
• 7e6ca4b3c4d1158f5e92f55fa9742601 (Invoice_order_new.vbs)
• fd14369743f0ccd3feaacca94d29a2b1 (Talehmmedes.txt)
• eaec85388bfaa2cffbfeae5a497124f0 (mtzDpHLetMLypaaA173.bin)

File Detection

• Downloader/VBS.Agent (2024.05.17.01)
• Data/BIN.Encoded (2024.05.24.00)

C&C (Command & Control) Servers

• frabyst44habvous1.duckdns[.]org:2980:0
• frabyst44habvous1.duckdns[.]org:2981:1
• frabyst44habvous2.duckdns[.]org:2980:0

The researchers also shared the following general recommendations to avoid similar phishing campaigns:

• Refrain from accessing emails from unknown sources.
• Refrain from running or enabling macro commands when accessing downloaded attachment files. Users can set programs to highest levels of security, as lower levels may automatically execute macro commands without displaying any notification.
•  Update anti-malware engines to their latest versions.

The UUE file format has previously been used in several malicious campaigns due to its ability to easily evade detection from security tools, with a researcher previously discovering a UUEncode vulnerability in the main Python program. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

ValleyRAT, a notorious remote access trojan (RAT) with origins traced back to early 2023, has resurfaced with a vengeance. Designed with the malicious intent to infiltrate and seize control over systems, this Chinese threat actor-backed malware continues to evolve, presenting new challenges to cybersecurity experts worldwide. According to Zscaler ThreatLabz’s research, a new campaign orchestrated by a China-based threat actor unleashed the latest iteration of ValleyRAT. This threat campaign, characterized by its multi-stage approach, utilizes various tactics to ensnare unsuspecting victims.

ValleyRAT and the Intricate Attack Chain

[caption id="attachment_76569" align="alignnone" width="1080"] Source: ValleyRAT Infection Chain[/caption] At the heart of this campaign lies ValleyRAT's intricate attack chain. It begins with an initial stage downloader leveraging an HTTP File Server (HFS) to procure essential files for subsequent stages. Employing anti-virus checks, DLL sideloading, and process injection techniques, the downloader and loader meticulously navigate through defenses, ensuring seamless execution. Understanding the intricacies of this RAT and the makers behind it, the campaign's technical analysis unveils the sophisticated mechanisms employed by ValleyRAT. From XOR and RC4 decryption to dynamic API resolving, every step is meticulously crafted to obfuscate its malicious intentions. The malicious DLLs and shellcodes deployed in subsequent stages further attest to the threat actor's ingenuity. Persistence is key for ValleyRAT's longevity on compromised systems. By manipulating autorun keys and concealing file attributes, the malware ensures its survival, ready to execute its nefarious operations at a moment's notice.

Evolution of ValleyRAT

The latest variant of ValleyRAT boasts significant enhancements. From refined device fingerprinting capabilities to revamped bot ID generation processes, the malware is more adept at blending into its environment and evading detection. Moreover, the introduction of new commands expands its arsenal, empowering threat actors with greater control over infected systems. Mitigating ValleyRAT's threat requires a multi-faceted approach. Leveraging advanced threat detection mechanisms like Zscaler Cloud Sandbox is essential. Additionally, staying vigilant and leveraging threat intelligence to identify and thwart emerging threats is paramount in safeguarding against ValleyRAT's onslaught. As ValleyRAT continues to evolve, so must our defenses. With each iteration, online threats becomes more complex, necessitating proactive measures to counter emerging threats effectively. By staying informed and leveraging cutting-edge cybersecurity solutions, organizations can fortify their defenses and mitigate the risks posed by ValleyRAT and similar threats.

A list of topics we covered in the week of April 1 to April 7 of 2024

Last week on Malwarebytes Labs:

• 60% of small businesses are concerned about cybersecurity threats
• Cookie consent choices are just being ignored by some websites
• Bing ad for NordVPN leads to SecTopRAT
• Jackson County hit by ransomware, declares state of emergency
• Google patches critical vulnerability for Androids with Qualcomm chips
• Google Chrome gets ‘Device Bound Session Credentials’ to stop cookie theft
• AT&T confirms 73 million people affected by data breach
• Trusted Advisor now available for Mac, iOS, and Android
• 2024 State of Malware in Education report: Top 6 cyberthreats facing K-12 and Higher Ed
• Free VPN apps turn Android phones into criminal proxies

Stay safe!

---

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.