Various Rafel RAT campaigns target outdated Android devices

June 25, 2024
Rafel RAT Android OS Trojan EoL Cybercriminals

Multiple cybercrime operators use the open-source malware called Rafel RAT to attack and infect outdated devices. Some of these threat actors are attempting to lock these devices with a ransomware module that demands payment over Telegram.

Researchers revealed that some of these activities are orchestrated by the notorious DoNot team and other unnamed threat actors that operate in Pakistan and Iran. A recent report also claims that this campaign has already targeted high-profile entities, such as the military and government agencies in the US and China.

Rafel RAT campaigns have mostly targeted EoL Android devices.

Most of the campaign’s victims are using Android devices that have already reached their end of life (EoL). This means that the affected devices no longer receive security updates, leaving them exposed to publicly known exploits.

Targeted brands and models include the Google Pixel, Xiaomi Redmi, Samsung Galaxy, Motorola One, OnePlus, Vivo, and Huawei handsets. These attacks show the flexibility of Rafel RAT, which works as an efficient attack tool across a wide range of Android implementations.

Furthermore, Rafel RAT is distributed through various channels, but researchers commonly find threat actors impersonating well-known brands such as Instagram, WhatsApp, e-commerce platforms, and antivirus software to trick users into downloading malicious APKs.

During installation, the RAT requests risky permissions, such as an exemption from battery optimisation, so that it can keep running in the background.

The ransomware module in Rafel RAT, meanwhile, is designed for extortion: it takes control of the victim’s device and encrypts their data with a pre-defined AES key.

If the app obtains device administrator (DeviceAdmin) rights, the ransomware gains control of critical device functions, such as the ability to change the lock-screen password and display a custom message, typically the ransom note.

If the user then tries to revoke the admin access, the ransomware immediately changes the password and locks the screen. Android users, especially those on outdated devices, should therefore avoid downloading APKs from suspicious sources, avoid clicking on URLs included in emails or SMS, and scan apps with Play Protect to protect against these attacks.
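The two capabilities described above, a battery-optimisation exemption for background persistence and a device-admin receiver that can change the lock-screen password, are both declared in an app's AndroidManifest.xml, so they can be checked before a sideloaded APK is installed. The script below is an added triage example written for this article; it is not code from the original page or from any Rafel RAT sample. The manifests it parses are constructed for illustration, and the scoring weights are an assumption chosen here, not a published signature. It expects a decoded (text) manifest, such as the output of apktool.

```python
"""Triage heuristic for decoded AndroidManifest.xml files (added example).

Flags the permission pattern the article describes: an exemption from
battery optimisation (persistence) combined with a device-admin receiver
(lock-screen / password control). The manifests below are constructed
samples; the scores are illustrative weights, not a published rule set.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# (weight, reason) per permission; the permission names are real Android identifiers.
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": (2, "asks to keep running in the background"),
    "android.permission.RECEIVE_BOOT_COMPLETED": (1, "restarts itself after reboot"),
    "android.permission.READ_SMS": (2, "can read SMS"),
    "android.permission.REQUEST_INSTALL_PACKAGES": (1, "can install further APKs"),
}
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(manifest_xml: str) -> dict:
    """Return {'score': int, 'findings': [str], 'device_admin': bool} for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    score = 0
    findings = []

    for perm in root.iter("uses-permission"):
        name = perm.get(NAME_ATTR, "")
        if name in RISKY_PERMISSIONS:
            weight, reason = RISKY_PERMISSIONS[name]
            score += weight
            findings.append(f"{name}: {reason}")

    # A device-admin receiver is guarded by BIND_DEVICE_ADMIN and/or listens for DEVICE_ADMIN_ENABLED.
    device_admin = False
    for receiver in root.iter("receiver"):
        guarded = receiver.get(PERM_ATTR) == DEVICE_ADMIN_PERMISSION
        actions = {a.get(NAME_ATTR) for a in receiver.iter("action")}
        if guarded or DEVICE_ADMIN_ACTION in actions:
            device_admin = True
            score += 3
            findings.append(f"device-admin receiver {receiver.get(NAME_ATTR)}: can change the lock-screen password")
            break

    # The pairing the article describes: persistence plus lock-screen control in one sideloaded app.
    if device_admin and any("REQUEST_IGNORE_BATTERY_OPTIMIZATIONS" in f for f in findings):
        score += 3
        findings.append("device-admin + battery-optimisation exemption: screen-locker pattern")

    return {"score": score, "findings": findings, "device_admin": device_admin}


# Constructed manifest imitating a fake antivirus app; not taken from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeantivirus">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Antivirus">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(f"{label}: score={result['score']} device_admin={result['device_admin']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The heuristic is deliberately simple: a legitimate device-management or anti-theft app will also declare a device-admin receiver, so a high score is a reason to inspect the APK further, not a verdict on its own.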
