
Beware! CSHARP-STREAMER Malware Targeting Windows Users


Transparent Tribe, a Pakistani threat actor group, has been targeting Indian government and military personnel since at least 2016, using social engineering tactics such as spear-phishing and watering hole attacks to deliver various spyware to both Windows and Android devices.

In September 2023, a campaign leveraging weaponized Android applications mimicking YouTube was identified, possibly targeting users seeking dating content. The group's latest activity shows continued use of social engineering with updated lures, while the malware has been modified to keep compatibility with older Android versions and extend it to newer ones.

New CapraRAT app logos

Four new Android Package Kits (APKs) containing CapraRAT malware have been discovered, which are disguised as popular apps (Crazy Game, Sexy Videos, TikTok, and Weapons) and target mobile gamers, weapons enthusiasts, and TikTok fans. 

The malware, a modified version of AndroRAT, uses WebView to open seemingly legitimate URLs but, in reality, steals user data, including location, contacts, audio recordings, and video recordings. The new CapraRAT variants are compatible with modern Android devices (Android 8.0 and above), unlike previous versions. 

URL deobfuscation and loading performed by CapraRAT’s load_web method

The apps use WebView to launch obfuscated URLs pointing to either YouTube or a gaming site; the obfuscation scheme involves replacing letters in the URL with uppercase "UU" sequences, which the app's load_web method reverses before loading the page.

Decoded URLs include YouTube searches for “Tik Toks” or the Forgotten Weapons channel, depending on the app theme (e.g., TikTok or Weapons), which builds on prior social engineering tactics where app themes like “Sexy Videos” or fake names like “Piya Sharma” are used to lure victims.  

TikTok and Weapons-themed CapraRAT YouTube WebView

The Crazy Games app utilizes WebView to launch a resource-demanding website hosting in-browser mini games, which caused performance issues on older Android versions during tests.  

The app requests several high-risk permissions upon launch, including location access, network control, SMS/contact management, audio/screen recording, storage access, camera use, call history viewing, and call initiation. 

The removal of the permissions used for app installation and account manipulation in previous CapraRAT campaigns suggests a shift in focus by the developers, prioritizing the app's functionality as a surveillance tool over a fully fledged backdoor.
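The permission set described above is itself a useful triage signal. The following is an added example, not code from the article or from SentinelLabs: it parses a decoded AndroidManifest.xml (text XML as produced by apktool, an assumption) and reports which of the surveillance capabilities listed above the requested permissions would grant.

```python
# Added example, not from the article or SentinelLabs: triage a decoded
# AndroidManifest.xml (apktool-style text XML, an assumption) for CapraRAT's profile.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities named in the article, mapped to the permissions that grant them.
# Screen recording uses the MediaProjection API, not a manifest permission.
SURVEILLANCE_PERMS = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "network_control": {"android.permission.CHANGE_NETWORK_STATE",
                        "android.permission.CHANGE_WIFI_STATE"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "audio_recording": {"android.permission.RECORD_AUDIO"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
    "camera": {"android.permission.CAMERA"},
    "call_history": {"android.permission.READ_CALL_LOG"},
    "call_initiation": {"android.permission.CALL_PHONE"},
}

def requested_permissions(manifest_xml: str) -> set:
    """Values of every <uses-permission android:name=...> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def surveillance_capabilities(manifest_xml: str) -> list:
    """Sorted capabilities that the requested permissions would grant."""
    perms = requested_permissions(manifest_xml)
    return sorted(cap for cap, names in SURVEILLANCE_PERMS.items() if perms & names)

def is_surveillance_profile(manifest_xml: str, threshold: int = 6) -> bool:
    """One app asking for most of these at once is the red flag the article
    describes; the threshold is a tunable triage setting, not a hard rule."""
    return len(surveillance_capabilities(manifest_xml)) >= threshold

# Constructed manifest mirroring the permission set listed in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
</manifest>"""
```

A legitimate camera or messaging app will match one or two capabilities; the combination of nearly all of them in a game or video app is what warrants a closer look.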

Compatibility of the App:

The latest CapraRAT malware targets a wider range of Android devices by updating its app compatibility: whereas the previous version targeted Lollipop (Android 5.1), the new CapraRAT can run on modern devices running Android 13 and 14.

Piya Sharma app install failure dialog on Android 14

This update likely leverages the Android Support Library within a new WebView class to ensure compatibility across versions. The malware still relies on requesting excessive permissions, which can raise suspicion, and it continues to function even if users decline them.

According to SentinelLabs, the CapraRAT spyware app, disguised in various forms, requests permissions but functions regardless, and the TCHPClient class within the MainActivity invokes spyware functionality such as audio recording, contact listing, file browsing, and SMS monitoring.

Following that, the Settings class's sendData method sends the collected data to the C2 server. All identified CapraRAT variants share a common C2 server with the hostname "shareboxs.net" (IP: 173.212.206.227) or a fallback IP (173.249.50.243) linked to Transparent Tribe's past RAT activities.
