CloudSEK’s latest investigation uncovers how APT36 (aka Transparent Tribe) is using VPS provider Contabo to host malicious infrastructure linked to CapraRAT and Crimson RAT. One of their latest tactics? Disguising spyware as the popular messaging app Viber—armed with permissions to record calls, read messages, track location, and more. Read how we traced the infrastructure, identified key Indicators of Compromise, and uncovered the full extent of this Android surveillance campaign.
Over the years, we have observed that APT36 prefers the hosting and DNS services of Contabo, a large VPS hosting provider. Almost a year ago, S1 released a report on APT36 attempting to deliver CapraRAT to its victims. CapraRAT is known to be a modified version of the open-source AndroRAT.
In addition to targeting Android users, APT36 has long kept Crimson RAT in its arsenal for targeting Windows users. Using this information, we ran a Censys query to find any Crimson RAT infrastructure hosted on Contabo's hosting/DNS services.
To validate that this infrastructure belongs to APT36, we checked VirusTotal for overlaps with Transparent Tribe TTPs.
Our first IP has been marked as a Crimson RAT C2 on VirusTotal. It is important to note that this ASN (40021) has often been used by APT36 in the past for conducting malware operations.
Moving on to the second IP:
This one has comparatively fewer detections in the wild.
Upon checking communicating files, we noticed a few malicious APKs communicating with the IP. VirusTotal quickly confirmed that these were CapraRAT payloads.
Two of the three malicious Android APKs were found to have the package name “com.moves.media.tubes”.
The same package name was mentioned in Transparent Tribe campaigns from 2023. Source
The third sample (MD5: f73f1a694d2a5c7e6d04fbc866a916bd) was found to impersonate a popular VoIP and IM application known as Viber.
High-Risk Permissions:
Location Tracking:
Device Access:
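The two indicators quoted above (the CapraRAT package name and the MD5 of the Viber impersonator) and the three permission buckets under which the sample's requested permissions are grouped lend themselves to a simple triage script for a fleet's installed-app inventory. The following is an added example written for this write-up, not CloudSEK tooling: it matches each app against the quoted IoCs and, independently of any IoC hit, flags an app whose requested permissions fall into all three buckets (call/audio and message access, location, device access), which is the surveillance profile described above. The inventory entries, the package names other than `com.moves.media.tubes`, and the assignment of concrete Android permission identifiers to the three buckets are constructed for the example; the permission names themselves are real Android identifiers.

```python
"""Triage an Android app inventory against CapraRAT indicators.

Inventory entries below are CONSTRUCTED sample data. The only real
indicators are the package name and MD5 quoted in the write-up.
"""
from dataclasses import dataclass, field

# Indicators quoted in the write-up above.
IOC_PACKAGE_NAMES = {"com.moves.media.tubes"}
IOC_MD5 = {"f73f1a694d2a5c7e6d04fbc866a916bd"}

# Permission buckets named after the three headings in the write-up.
# The identifiers are real Android permissions; which ones land in which
# bucket is this example's own (assumed) grouping.
HIGH_RISK = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
}
LOCATION_TRACKING = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}
DEVICE_ACCESS = {
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
}


@dataclass
class InstalledApp:
    label: str          # user-visible name, e.g. what the lure calls itself
    package: str        # Android package name
    md5: str            # MD5 of the installed APK
    permissions: set    # permissions requested in the manifest


@dataclass
class Finding:
    package: str
    reasons: list = field(default_factory=list)


def classify_permissions(perms):
    """Group requested permissions into the write-up's three buckets."""
    return {
        "High-Risk Permissions": sorted(perms & HIGH_RISK),
        "Location Tracking": sorted(perms & LOCATION_TRACKING),
        "Device Access": sorted(perms & DEVICE_ACCESS),
    }


def triage(app):
    """Return a Finding; an empty reasons list means nothing was flagged."""
    reasons = []
    if app.package in IOC_PACKAGE_NAMES:
        reasons.append(f"package name matches CapraRAT IoC: {app.package}")
    if app.md5.lower() in IOC_MD5:
        reasons.append(f"MD5 matches known CapraRAT sample: {app.md5}")
    buckets = classify_permissions(app.permissions)
    # Permissions in all three buckets is the surveillance profile of the
    # Viber lure; flag it even when no hash or package-name IoC matches.
    if all(buckets.values()):
        reasons.append("requests permissions in all three surveillance buckets")
    return Finding(app.package, reasons)


def triage_inventory(apps):
    """Return only the apps that produced at least one reason."""
    return [f for f in (triage(a) for a in apps) if f.reasons]


# Constructed inventory: one benign messenger, one benign maps app, and two
# entries modelled on the samples described above.
SAMPLE_INVENTORY = [
    InstalledApp("Chat", "com.example.chat", "0" * 32,
                 {"android.permission.RECORD_AUDIO",
                  "android.permission.CAMERA",
                  "android.permission.READ_CONTACTS"}),
    InstalledApp("Maps", "com.example.maps", "1" * 32,
                 {"android.permission.ACCESS_FINE_LOCATION"}),
    InstalledApp("Tubes", "com.moves.media.tubes", "2" * 32,
                 {"android.permission.RECORD_AUDIO",
                  "android.permission.READ_SMS",
                  "android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.READ_CONTACTS"}),
    # Constructed package name; the MD5 is the one quoted in the write-up.
    InstalledApp("Viber", "org.example.viber.lookalike",
                 "f73f1a694d2a5c7e6d04fbc866a916bd",
                 {"android.permission.RECORD_AUDIO",
                  "android.permission.READ_SMS",
                  "android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.CAMERA",
                  "android.permission.READ_CONTACTS"}),
]

if __name__ == "__main__":
    for finding in triage_inventory(SAMPLE_INVENTORY):
        print(finding.package)
        for reason in finding.reasons:
            print("  -", reason)
```

The benign messenger asks for audio, camera and contacts but nothing location-related, so it is not flagged; the permission-profile rule only fires when all three buckets are populated, which keeps a plain IoC miss from turning every feature-rich app into an alert.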
Diamond Model
APT36, also known as Transparent Tribe, employs social engineering tactics to distribute their Android Remote Access Trojans (RATs). These lures are crafted to align with the theme of the RAT's disguise.
Impact
Traffic Light Protocol - Wikipedia