Researchers have discovered a new Android malware, dubbed AhRAT, that is based on the AhMyth RAT and is distributed via an Android app. While AhMyth was employed by Transparent Tribe (aka APT36) to target government and military organizations in South Asia, there are no clear indicators that AhRAT was created by the same group.

Distribution process

According to ESET researchers, threat actors added malicious functionality in version 1.3.8 of the iRecorder-Screen Recorder app, which was released in August 2022.
  • This version of the app had over 50,000 downloads before it was removed.
  • Android users who had installed an earlier version of iRecorder, which was claimed to lack any malicious features, were also likely infected when they updated the app to version 1.3.8.

Modus operandi

After installation, AhRAT starts communicating with the C2 server by sending basic device information and receiving encryption keys and an encrypted configuration file.
  • The malware requests a new configuration file from the C2 server every 15 minutes.
  • This file contains a wide range of commands that enable attackers to extract user data, capture screenshots, record audio, collect keystrokes, and harvest SMS messages, user location, and files of particular types from the device.
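The fixed 15-minute configuration polling described above is the kind of regular cadence a defender can look for in egress logs. The following is an added example, not code from the report or from ESET: it parses constructed proxy log lines (device, destination host and timestamp are all assumed sample values) and flags (device, destination) pairs whose requests recur at roughly 15-minute intervals with low jitter.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not from the original report).
# Format: "<ISO timestamp> <device> <destination host> <bytes>"
SAMPLE_LOG = """\
2023-05-01T10:00:02 phone-a c2.example.invalid 512
2023-05-01T10:15:01 phone-a c2.example.invalid 530
2023-05-01T10:30:03 phone-a c2.example.invalid 498
2023-05-01T10:45:00 phone-a c2.example.invalid 515
2023-05-01T11:00:02 phone-a c2.example.invalid 520
2023-05-01T10:03:11 phone-a cdn.example.invalid 9000
2023-05-01T10:20:45 phone-a cdn.example.invalid 12000
2023-05-01T10:51:09 phone-a cdn.example.invalid 8000
2023-05-01T10:04:00 phone-b c2.example.invalid 512
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Group request timestamps by (device, destination host)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        ts, device, dest, _size = m.groups()
        groups[(device, dest)].append(datetime.fromisoformat(ts))
    return groups


def find_periodic_beacons(groups, period_s=15 * 60, tolerance_s=30, min_hits=4):
    """Return (device, dest, mean_gap_seconds) for streams whose consecutive
    requests recur close to `period_s` with jitter below `tolerance_s`.
    Streams with fewer than `min_hits` requests are ignored to limit noise."""
    hits = []
    for (device, dest), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if abs(avg - period_s) <= tolerance_s and pstdev(gaps) <= tolerance_s:
            hits.append((device, dest, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for hit in find_periodic_beacons(parse_log(SAMPLE_LOG)):
        print("periodic beacon:", hit)
```

Regular polling is also normal for legitimate apps, so a hit is a lead to correlate with the destination's reputation and the device's installed packages, not a verdict on its own.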

Conclusion

The discovery of AhRAT is a good example of how an initially legitimate application can be turned into a malicious one that spies on users and compromises their privacy. Moreover, the threat actors have invested significant time in evolving their evasion tactics, making the malware harder for security and analysis tools to detect. Organizations should use the updated IOCs to understand the attack patterns and implement the necessary detection systems.
Cyware Publisher
