Transparent Tribe is Still Active

12703603066?profile=RESIZE_400xTransparent Tribe (aka APT 36, Operation C-Major) has been active since at least 2016 with attacks against Indian government and military personnel.  The group relies heavily on social engineering attacks to deliver a variety of Windows and Android spyware, including spear-phishing and watering hole attacks.

In September 2023, SentinelLabs outlined the CapraTube campaign, which used weaponized Android applications (APK) designed to mimic YouTube, often in a suspected dating context due to the nature of the videos served.  The activity highlighted in this report shows the continuation of this technique with updates to the social engineering pretexts as well as efforts to maximize the spyware’s compatibility with older versions of the Android operating system while expanding the attack surface to include modern versions of Android.[1]

New CapraRAT APKs:

SHA-1

c307f523a1d1aa928fe3db2c6c3ede6902f1084b

App Name

Crazy Game signed.apk

Package Name

com.maeps.crygms.tktols

SHA-1

dba9f88ba548cebfa389972cddf2bec55b71168b

App Name

Sexy Videos signed.apk

Package Name

com.nobra.crygms.tktols

 

SHA-1

28bc3b3d8878be4267ee08f20b7816a6ba23623e

App Name

TikTok signed.apk

Package Name

com.maeps.vdosa.tktols

SHA-1

fff24e9f11651e0bdbee7c5cd1034269f40fc424

App Name

Weapons signed.apk

Package Name

com.maeps.vdosa.tktols


12703603252?profile=RESIZE_584xNew CapraRAT app logos

The new versions of CapraRAT each use WebView to launch a URL to either YouTube or a mobile gaming site, CrazyGames[.]com.  There is no indication that an app with the same name, Crazy Games, is weaponized as it does not require several key CapraRAT permissions, such as sending SMS, making calls, accessing contacts, or recording audio and video.  The URL query in the CapraRAT code is obfuscated as htUUtps://www.youUUtube.com/resulUUts?seUUarch_quUUery=TiUUk+ToUUks, which is cleaned to remove occurrences of UU, resulting in https[:]//www.youtube[.]com/results?search_query=Tik+Toks.


12703603291?profile=RESIZE_584xURL deobfuscation and loading performed by CapraRAT’s load_web method Decompiled view of load_web method

12703604271?profile=RESIZE_710x

Decompiled view of load_web method

The previous CapraTube campaign had one APK, Piya Sharma, likely used in a romance-themed social engineering pretext.  The new campaign continues that trend with the Sexy Videos app.  While two of the previously reported apps launched only YouTube with no query, the YouTube apps from this campaign are each preloaded with a query related to the application’s theme.  The TikTok app launched YouTube with the query “Tik Toks,” and the Weapons app launched the Forgotten Weapons YouTube channel, which reviews a variety of classic arms and has 2.7 Million subscribers.


12703603864?profile=RESIZE_400xTikTok and Weapons-themed CapraRAT YouTube WebView

The Crazy Games app launches WebView to load CrazyGames[.]com, a site containing in-browser mini games.  This particularly resource-intensive site did not work well on older versions of Android during our testing.


12703605098?profile=RESIZE_400xCrazy Games CapraRAT WebView

When the app first launches, the user is prompted to grant several risky permissions, including:

  • Access GPS location
  • Manage network state
  • Read and send SMS
  • Read contacts
  • Record audio and screen, take screenshots
  • Storage read and write access
  • Use camera
  • View call history and make calls

In contrast with the previous CapraRAT campaign, the following Android permissions are no longer requested or used:

  • READ_INSTALL_SESSIONS
  • GET_ACCOUNTS
  • AUTHENTICATE_ACCOUNTS
  • REQUEST_INSTALL_PACKAGES

The reduction in permissions suggests the app developers are focused on making CapraRAT a surveillance tool more than a fully featured backdoor.

App Compatibility—The most significant change between this campaign and the September 2023 campaign is app compatibility. The newest CapraRAT APKs identified now contain references to Android’s Oreo version (Android 8.0), which was released in 2017. Previous versions relied on the device running Lollipop (Android 5.1), released in 2015 and less likely to be compatible with modern Android devices.

Sentinel tested the APKs from this campaign and the September 2023 campaign on an Android device running Android Tiramisu, aka Android 13 (2022) and Android 14 (2023). The new campaign’s apps ran smoothly on this modern version of Android.  The September 2023 campaign apps prompted a compatibility warning dialog, which could raise suspicion among victims that the app is abnormal.  When running on the newest version of Android 14, the September 2023 campaign’s Piya Sharma app fails to install.  Each of the newer versions ran successfully.

In all cases, the app still requests gratuitous permissions from the user that hint to the tool’s capabilities.  Even if the user declines permissions, the app still runs, meaning the group has not overcome this hurdle to successfully implement their spyware.


12703605476?profile=RESIZE_400xPiya Sharma app install failure dialog on Android 14

The new CapraRAT packages also contain a very minimal new class called WebView, which is responsible for maintaining compatibility with older versions of Android via the Android Support Library, which developers can choose to include in a project to enhance compatibility.

Spyware Activities and C2 - The app’s MainActivity initiates requests for permissions. The app still runs even if permissions are not granted.  MainActivity calls the TCHPClient class, which contains the malicious capabilities leveraged by CapraRAT. This class drives several spyware classes and methods, including:

  • audioStreamer(aStreamer)
  • CallLogLister
  • CallReceiver
  • ContactsLister
  • DirLister(file browsing)
  • downloadFile
  • killFile(file deletion)
  • killProcess
  • PhotoTaker
  • SMSLister
  • SMSReceiver

These give the spyware fine-grained control over what the user does on the device.

The sendData method is responsible for constructing the data collected by other methods and classes and sending it to the C2.  The mRun method constructs the socket and sends the data to the C2 server using the variables specified in the Settings class.  Each of the current campaign’s APKs uses the same C2 server hostname, IP address, and TCP port number 18582.  The Settings class also shows the same CapraRAT version identifier for each APK, A.D.0.2.

12703606068?profile=RESIZE_400xmRun performs a connectivity check to decide whether to connect to the C2 using the hostname shareboxs[.]net or the hardcoded IP address 173[.]249[.]50[.]243.  This IP address has been tied to Transparent Tribe’s CrimsonRAT and AhMyth Android RAT C2 activity since at least 2022. As of this writing, shareboxs[.]net resolves to 173[.]212[.]206[.]227.

Conclusion - The updates to the CapraRAT code between the September 2023 and current campaigns are minimal but suggest the developers are focused on making the tool more reliable and stable.  The decision to move to newer versions of the Android OS is logical and likely aligns with the group’s sustained targeting of individuals in the Indian government or military space, who are unlikely to use devices running older versions of Android, such as Lollipop, released 8 years ago.  The APK theme updates show the group continues to lean into its social engineering prowess to gain a wider audience of targets interested in the new app lures, such as mobile gamers or weapons enthusiasts.

To help prevent compromise by CapraRAT and similar malware, users should continually evaluate the permissions requested by an app to determine if they are necessary.  For example, an app that only displays TikTok videos does not need the ability to send SMS messages, make calls, or record the screen.  In incident response scenarios, treat the related network indicators of compromise as suspect, including port 18582, and search suspect apps for the presence of strings using the unique method names outlined in this report's Spyware Activities & C2 section.

Indicators of Compromise

Files

SHA1

Name

28bc3b3d8878be4267ee08f20b7816a6ba23623e

TikTok signed.apk

c307f523a1d1aa928fe3db2c6c3ede6902f1084b

Crazy Game signed.apk

dba9f88ba548cebfa389972cddf2bec55b71168b

Sexy Videos signed.apk

fff24e9f11651e0bdbee7c5cd1034269f40fc424

Weapons signed.apk

Network Indicators

Domain/IP

Description

shareboxs[.]net

C2 domain

173[.]212[.]206[.]227

Resolved C2 IP address, hosts shareboxs.net

173[.]249[.]50[.]243

Hardcoded failover C2 IP address

 

This article is shared at no charge and is for educational and informational purposes only.

We want to thank Sentinel Labs for this malware analysis.  Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424

 

[1] https://www.sentinelone.com/labs/capratube-remix-transparent-tribes-android-spyware-targeting-gamers-weapons-enthusiasts/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!