Multiple threat actors use the open-source Rafel RAT to target Android devices

admin, June 25, 2024, 08:35:41

Multiple threat actors, including cyber espionage groups, are employing an open-source Android remote administration tool called Rafel RAT to meet their operational objectives by masquerading it as Instagram, WhatsApp, and various e-commerce and antivirus apps.

"It provides malicious actors with a powerful toolkit for remote administration and control, enabling a range of malicious activities from data theft to device manipulation," Check Point said in an analysis published last week.

It boasts a wide range of features, such as the ability to wipe SD cards, delete call logs, siphon notifications, and even act as ransomware.

The use of Rafel RAT by DoNot Team (aka APT-C-35, Brainworm, and Origami Elephant) was previously highlighted by the Israeli cybersecurity company in cyber attacks that leveraged a design flaw in Foxit PDF Reader to trick users into downloading malicious payloads.

The campaign, which took place in April 2024, is said to have utilized military-themed PDF lures to deliver the malware.

Check Point said it identified around 120 different malicious campaigns, some targeting high-profile entities, that span various countries like Australia, China, Czechia, France, Germany, India, Indonesia, Italy, New Zealand, Pakistan, Romania, Russia, and the U.S.

"The majority of victims had Samsung phones, with Xiaomi, Vivo, and Huawei users comprising the second-largest group among the targeted victims," it noted, adding that no less than 87.5% of the infected devices were running out-of-date Android versions that no longer receive security fixes.

Typical attack chains rely on social engineering to manipulate victims into granting the malware-laced apps intrusive permissions, which the malware then uses to hoover up sensitive data such as contact information, SMS messages (including 2FA codes), location, call logs, and the list of installed applications.
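
The permission profile described above (contacts, SMS, location, call logs, installed apps, plus notification access and the brand impersonation mentioned earlier) can be checked for in an app's AndroidManifest.xml before a device is allowed to keep it. The following is an added example written for this page, not Check Point's or the Rafel RAT project's code. The two manifests are constructed for illustration, the "three or more data categories" threshold is an assumed heuristic, and the only real identifiers used are the standard Android permission names, the android XML namespace, and the genuine package names of WhatsApp (com.whatsapp) and Instagram (com.instagram.android).

```python
"""Score an AndroidManifest.xml for the data-harvesting permission set the
article describes and for a brand label that does not match the brand's
real package name. Added example for this page; not vendor or project code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
LABEL_ATTR = f"{{{ANDROID_NS}}}label"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Standard Android permissions mapped to the data category each one unlocks.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.QUERY_ALL_PACKAGES": "installed_apps",
}
# A service guarded by this permission receives every notification shown.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Genuine package names of brands the article says the RAT impersonates.
BRAND_PACKAGES = {"whatsapp": "com.whatsapp", "instagram": "com.instagram.android"}

# Assumed threshold: this many distinct data categories in one app is flagged.
CATEGORY_THRESHOLD = 3


def assess_manifest(manifest_xml: str) -> dict:
    """Return the requested data categories, any brand impersonation, and a verdict."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    categories = {SENSITIVE[p] for p in perms if p in SENSITIVE}

    app = root.find("application")
    label = app.get(LABEL_ATTR, "") if app is not None else ""
    if app is not None and any(
        s.get(PERMISSION_ATTR) == NOTIFICATION_LISTENER for s in app.iter("service")
    ):
        categories.add("notifications")

    # Label claims a known brand but the package is not that brand's real one.
    impersonates = None
    for brand, real_pkg in BRAND_PACKAGES.items():
        if brand in label.lower() and package != real_pkg:
            impersonates = brand

    suspicious = len(categories) >= CATEGORY_THRESHOLD or impersonates is not None
    return {
        "package": package,
        "label": label,
        "categories": sorted(categories),
        "impersonates": impersonates,
        "suspicious": suspicious,
    }


# Constructed manifest: a lookalike "WhatsApp" requesting the article's data set.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="WhatsApp">
    <service android:name=".NotifySvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed control: a utility app that asks only for network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight"/>
</manifest>"""

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(assess_manifest(m))
```

The check is deliberately coarse: a legitimate messaging app also needs contacts and SMS, so the category count alone is a triage signal, and the label-versus-package comparison is what separates a lookalike from the real thing. Signing-certificate comparison would be the stronger check, but certificate fingerprints are not on this page and are left out.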

Rafel RAT primarily makes use of HTTP(S) for command-and-control (C2) communications, but it can also utilize Discord APIs to contact the threat actors. It also comes with an accompanying PHP-based C2 panel that registered users can leverage to issue commands to compromised devices.

The tool's effectiveness across threat actors is corroborated by its deployment in a ransomware operation by an attacker likely based in Iran, who sent a ransom note written in Arabic via SMS urging a victim in Pakistan to contact them on Telegram.

"Rafel RAT is a potent example of the evolving landscape of Android malware, characterized by its open-source nature, extensive feature set, and widespread utilization across various illicit activities," Check Point said.

"The prevalence of Rafel RAT highlights the need for continual vigilance and proactive security measures to safeguard Android devices against malicious exploitation."

References

[1]https://thehackernews.com/2024/06/iranian-hackers-deploy-rafel-rat-in.html


Originally published on the WeChat public account 知机安全: Multiple threat actors use the open-source Rafel RAT to target Android devices

Posted by admin on June 25, 2024, 08:35:41
Please keep this link when reposting (CN-SEC中文网, with thanks to the original author): Multiple threat actors use the open-source Rafel RAT to target Android devices https://cn-sec.com/archives/2879165.html