The Transparent Tribe Vibe: APT36 Returns With CapraRAT Impersonating Viber

CloudSEK’s latest investigation uncovers how APT36 (aka Transparent Tribe) is using VPS provider Contabo to host malicious infrastructure linked to CapraRAT and Crimson RAT. One of their latest tactics? Disguising spyware as the popular messaging app Viber—armed with permissions to record calls, read messages, track location, and more. Read how we traced the infrastructure, identified key Indicators of Compromise, and uncovered the full extent of this Android surveillance campaign.

Koushik Pal
June 3, 2025
Green Alert. Last update posted on June 3, 2025.

Over the years, we have observed that APT36 prefers to use the hosting and DNS services provided by Contabo, a large VPS hosting provider. Almost a year ago, S1 released a report on APT36 attempting to deliver CapraRAT to their victims. CapraRAT is known to be a modified version of the open-source AndroRAT. 

In addition to Android users, APT36 has long had Crimson RAT in its arsenal for targeting Windows users. Using this information, we ran a Censys query to find any Crimson RAT infrastructure hosted on Contabo's hosting/DNS services.

To validate that this infrastructure belongs to APT36, we checked VirusTotal for overlaps with Transparent Tribe TTPs.

Our first IP has been marked as a Crimson RAT C2 on VirusTotal. It is important to note that this ASN (40021) has often been used by APT36 in the past for conducting malware operations.

Moving on to the second IP:

This one has comparatively fewer detections in the wild.

Upon checking communicating files, we noticed a few malicious APKs communicating with the IP. Virustotal quickly confirmed that these were CapraRAT payloads. 

Two of the three malicious Android APKs were found to have the package name "com.moves.media.tubes".

The same package name was mentioned in Transparent Tribe campaigns from 2023.

The third sample (MD5: f73f1a694d2a5c7e6d04fbc866a916bd) was found to impersonate a popular VoIP and IM application known as Viber.

High-Risk Permissions:

  • android.permission.PROCESS_OUTGOING_CALLS - Call control/redirect
  • android.permission.RECORD_AUDIO - Audio recording
  • android.permission.READ_SMS - Read text messages
  • android.permission.RECEIVE_SMS - Intercept incoming SMS
  • android.permission.CAMERA - Camera access
  • android.permission.READ_CONTACTS - Contact data access
  • android.permission.READ_CALL_LOG - Call history access

Location Tracking:

  • android.permission.ACCESS_FINE_LOCATION - Precise GPS location
  • android.permission.ACCESS_COARSE_LOCATION - Approximate location

Device Access:

  • android.permission.READ_PHONE_STATE - Phone state/device info
  • android.permission.AUTHENTICATE_ACCOUNTS - Account management
  • android.permission.WRITE_EXTERNAL_STORAGE - Storage write access
  • android.permission.INTERNET - Network access
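The permission groups above are enough to build a first-pass triage check for an APK that claims to be a well-known app. The following script is an added example written for this article; it is not CloudSEK's tooling, and it assumes the permission list has already been dumped from the manifest (for instance with `aapt dump permissions sample.apk`). The input text, the category weights, the review threshold and the `KNOWN_PACKAGES` allowlist are assumptions; the sample dump is constructed to resemble the fake Viber sample and is not output from the real file.

```python
"""Permission-based triage of an Android APK (added example, not CloudSEK's
code). Groups requested permissions into the three categories used in the
report, scores them, and checks whether the package name matches the brand
the app claims to be."""

import re

# Permission groups exactly as listed in the report.
HIGH_RISK = {
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
}
LOCATION = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}
DEVICE_ACCESS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.AUTHENTICATE_ACCOUNTS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.INTERNET",
}
# Assumed weights: one interception permission outweighs several plain
# device permissions. Tune to your environment.
WEIGHTS = {"high_risk": 3, "location": 2, "device_access": 1}

# Assumed allowlist of legitimate package names per brand; the analyst fills
# this in from the official store listing of each app.
KNOWN_PACKAGES = {"viber": {"com.viber.voip"}}

# Constructed aapt-style dump resembling the fake Viber sample (not real output).
SAMPLE_DUMP = """\
package: com.viber.updates.links
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.VIBRATE'
"""


def parse_aapt_dump(text):
    """Return (package_name, [permissions]) from `aapt dump permissions` text."""
    package, perms = None, []
    for line in text.splitlines():
        if line.startswith("package:"):
            package = line.split(":", 1)[1].strip()
        m = re.match(r"uses-permission: name='([^']+)'", line)
        if m:
            perms.append(m.group(1))
    return package, perms


def classify(perms):
    """Bucket permissions into the report's categories (plus 'other')."""
    groups = {"high_risk": [], "location": [], "device_access": [], "other": []}
    for p in sorted(set(perms)):
        if p in HIGH_RISK:
            groups["high_risk"].append(p)
        elif p in LOCATION:
            groups["location"].append(p)
        elif p in DEVICE_ACCESS:
            groups["device_access"].append(p)
        else:
            groups["other"].append(p)
    return groups


def spyware_score(groups):
    """Weighted count of categorised permissions."""
    return sum(WEIGHTS[k] * len(v) for k, v in groups.items() if k in WEIGHTS)


def impersonation_check(package, claimed_brand):
    """True when the app claims a brand but its package is not that brand's known package."""
    known = KNOWN_PACKAGES.get(claimed_brand.lower())
    return known is not None and package not in known


def triage(dump_text, claimed_brand=None, threshold=9):
    """Full triage: parse, classify, score and flag. threshold is an assumed cut-off."""
    package, perms = parse_aapt_dump(dump_text)
    groups = classify(perms)
    score = spyware_score(groups)
    flags = []
    if score >= threshold:
        flags.append("surveillance-grade permission set")
    # SMS receipt plus a network path is the message-interception combination.
    if {"android.permission.RECEIVE_SMS", "android.permission.INTERNET"} <= set(perms):
        flags.append("sms-interception-capable")
    if claimed_brand and impersonation_check(package, claimed_brand):
        flags.append("package name does not match known %s package" % claimed_brand)
    return {"package": package, "score": score, "groups": groups, "flags": flags}


if __name__ == "__main__":
    r = triage(SAMPLE_DUMP, claimed_brand="Viber")
    print(r["package"], r["score"], r["flags"])
```

The score alone is a blunt instrument (a legitimate messenger also asks for the camera and contacts); the combination of a mismatched package name with SMS and audio permissions is what should route the sample to a human reviewer.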

Diamond Model

Delivery Method

APT36, also known as Transparent Tribe, employs social engineering tactics to distribute their Android Remote Access Trojans (RATs). These lures are crafted to align with the theme of the RAT's disguise.

Indicators of Compromise (IOCs)

Indicator       Type                 Value                              Package Name
APK File Hash   MD5                  91f5009c786618bbbd798ee777b061e3   com.moves.media.tubes
APK File Hash   MD5                  34546a79de045b7ee4c0c8d4cbeb6778   com.moves.media.tubes
APK File Hash   MD5                  f73f1a694d2a5c7e6d04fbc866a916bd   com.viber.updates.links
IP Address      Command and Control  161.97.180[.]199                   N.A.
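The IOC rows above can be turned directly into a detection sweep over proxy, MDM and AV logs. The script below is an added example for this article, not CloudSEK's code: the IOC rows are copied from the table, while the log lines, device ids, internal addresses and timestamps are constructed. It refangs the defanged IP, deduplicates the package names, and matches each indicator with boundaries so that a neighbouring address such as 161.97.180.19 or the legitimate package com.viber.voip does not produce a false hit.

```python
"""IOC sweep over log lines (added example, not CloudSEK's code).
IOC rows are the report's table; the log lines are constructed."""

import re

IOC_TABLE = """\
APK File Hash MD5 91f5009c786618bbbd798ee777b061e3 com.moves.media.tubes
APK File Hash MD5 34546a79de045b7ee4c0c8d4cbeb6778 com.moves.media.tubes
APK File Hash MD5 f73f1a694d2a5c7e6d04fbc866a916bd com.viber.updates.links
IP Address Command and Control 161.97.180[.]199 N.A.
"""

# Constructed log lines; hosts, device ids and the 10.0.4.x addresses are made up.
SAMPLE_LOGS = [
    "2025-06-03T10:12:01Z proxy src=10.0.4.21 dst=161.97.180.199 dport=443 bytes=5120",
    "2025-06-03T10:15:33Z mdm device=android-7f3 event=app_install pkg=com.viber.updates.links",
    "2025-06-03T10:16:00Z av file=Viber_update.apk md5=F73F1A694D2A5C7E6D04FBC866A916BD verdict=clean",
    "2025-06-03T10:20:00Z proxy src=10.0.4.22 dst=161.97.180.19 dport=443 bytes=880",
    "2025-06-03T10:21:00Z mdm device=android-9a1 event=app_install pkg=com.viber.voip",
]

ROW_RE = re.compile(r"^(APK File Hash|IP Address)\s+(MD5|Command and Control)\s+(\S+)\s+(\S+)$")


def refang(value):
    """Restore a defanged indicator (161.97.180[.]199, hxxp://) to its literal form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(table_text):
    """Parse the table into (kind, value) pairs: md5, package and ip, deduplicated."""
    iocs = []
    for line in table_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        _indicator, kind, value, package = m.groups()
        if kind == "MD5":
            iocs.append(("md5", value.lower()))
            if package != "N.A.":
                iocs.append(("package", package))
        else:
            iocs.append(("ip", refang(value)))
    seen, out = set(), []
    for ioc in iocs:
        if ioc not in seen:
            seen.add(ioc)
            out.append(ioc)
    return out


def compile_patterns(iocs):
    """One bounded regex per indicator so partial overlaps do not match."""
    pats = []
    for kind, value in iocs:
        if kind == "md5":
            rx = re.compile(r"(?<![0-9a-f])" + value + r"(?![0-9a-f])", re.I)
        elif kind == "ip":
            rx = re.compile(r"(?<![\d.])" + re.escape(value) + r"(?![\d.])")
        else:  # package name: stop at dots and word characters on both sides
            rx = re.compile(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])")
        pats.append((kind, value, rx))
    return pats


def scan_logs(lines, iocs):
    """Return [(line_number, kind, value)] for every indicator seen in the lines."""
    pats = compile_patterns(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, value, rx in pats:
            if rx.search(line):
                hits.append((n, kind, value))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, load_iocs(IOC_TABLE)):
        print("line %d: %s %s" % hit)
```

Note the third sample line: the AV verdict says "clean" while the MD5 is a known CapraRAT hash, which is exactly the case the report's low-detection observation warns about, so hash matching should run independently of the scanner's own verdict.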

Impact

  • Targeted Surveillance: Victims who install the fake Viber APK are exposed to extensive spying capabilities, including microphone access, location tracking, and message interception.
  • Credential Theft Risk: The malware can harvest sensitive user data, potentially including login credentials, personal messages, and contact lists.
  • Infrastructure Abuse: The continued use of common VPS providers like Contabo allows attackers to quickly spin up new malicious infrastructure, complicating takedown efforts.
  • Brand Trust Erosion: Impersonation of trusted apps like Viber undermines user confidence in legitimate communication platforms.

Mitigations

  • App Source Verification: Encourage users to install apps only from trusted sources like the Google Play Store and avoid downloading APKs from unknown websites.
  • Mobile Threat Detection: Deploy mobile threat defense (MTD) solutions that can detect spyware behaviors, including unusual permission usage or network communication patterns.
  • User Awareness Campaigns: Educate users about impersonation threats, especially around messaging apps, and how to recognize suspicious installation prompts or app behavior.
