Is your Mobile Protected from CraxRAT?

Sanoj Withanage
7 min read · May 30, 2024


Let's get straight to the POC first…

Attack Vector

1. CraxRAT Dashboard

The screenshot below shows the dashboard after the attacker has logged in to CraxRAT from the desktop.

2. Compiling Malicious Apk Payload

First, the malicious payload is generated to match the victim's and the attacker's host environment: host, port, build signature, RASP protection, bind services, permissions, etc.

Note: The malicious build must carry a V1 or V2 signature to pass the Android operating system's RASP checks. Not every Android version has application security scanners, but the later versions do, and there it is mandatory for virus scanners to run before an application is installed.

Note: Re-sign the payload if the first signature is not supported by the build.

After the malicious payload has been seeded, the attacker obtains a channel with admin rights and can control the device remotely through CraxRAT.

Payload configuration (1)
Payload configuration (2)
Payload configuration (3)
Payload configuration (4)

3. Victim APK deployment

After the `ready.apk` file has been transferred, a screen pops up asking the user for full access permissions. As shown in the screenshot below, once the victim taps the button at the top right, the exploit authenticates its certificates and bypasses the security checks. This allows the malicious software to gain the permissions it needs to execute its payload without raising any immediate alarm for the user.

User pop-up to permit full access

4. Successful attack

After the APK has executed successfully, the attacker sees the device listed under 'Clients' in the dashboard.

Attack Types

Below are some of the functionalities available once the RAT connection has been established.

1. Remote File Monitor/Control

2. Remote Screen Monitor/Control

3. Remote Camera Monitor/Control

4. Remote Keylogger Monitor/Control

5. Remote Craxs Browser Control

CraxRAT Functionalities

  1. Remote File Monitor/Control
  2. Remote Screen Monitor/Control
  3. Remote Camera Monitor/Control
  4. Remote Microphone Monitor/Control
  5. Remote Keylogger Monitor/Control
  6. Remote Craxs Browser Control
  7. Remote Audio Clicker Control
  8. Remote Quick Link Opener Control
  9. Remote Account Monitor/Control
  10. Remote Clipboard Monitor/Control
  11. Remote Calls Monitor/Control
  12. Remote Applications Monitor/Control
  13. Remote SMS Monitor/Control
  14. Remote Contact Monitor/Control
  15. Remote Location Monitor/Control

Overview

What is CraxRat?

CraxRAT is a Remote Access Trojan (RAT) that allows an attacker to take full control of a remote device. This trojan is only effective against Android devices, and most of the security checks can be bypassed depending on the accessibility permissions the user has granted to applications. The RAT establishes a C2 (Command and Control) channel between the CraxRAT server and the victim in order to communicate. CraxRAT uses a set of built-in commands and has methods to hide its C2 traffic from the victim's security controls.

RASP bypasses are rare, but they become a major threat when it comes to banking applications. Critical user information could be leaked and user accounts accessed remotely simply by using CraxRAT to bypass RASP.

Origin of CraxRAT

A threat actor operating from Syria has recently emerged, known for deploying CraxsRAT, a malicious software specifically targeting Android devices. This malware is part of a broader trend where the EVLF DEV group has introduced Malware as a Service (MaaS), allowing other cybercriminals to easily acquire and deploy such malicious tools. Coinciding with the release of CraxsRAT, the market has also seen the introduction of CypherRAT, highlighting a significant escalation in the capabilities and availability of advanced malware targeting Android systems.

Industrial Awareness

CraxRAT, a robust and formidable tool, poses significant risks particularly when deployed against banking applications. Its capabilities make it a dangerous weapon in the hands of malicious entities, exploiting vulnerabilities to gain unauthorised access to sensitive financial data. Alarmingly, many application developers remain unaware of the threats posed by Remote Access Trojans (RATs), such as CraxRAT, leaving systems inadequately protected. Consequently, a substantial number of bank accounts have been compromised due to the failure to implement essential security measures, underscoring the urgent need for increased awareness and enhanced protective protocols within the banking industry.

Most Runtime Application Self-Protection (RASP) services currently lack sensitivity to threats like CraxRAT, largely remaining ineffective until developers explicitly recognise and flag this specific type of cyber threat. This gap in detection underscores a critical vulnerability, as CraxRAT can continue to infiltrate and compromise banking applications undetected, leading to potential financial losses and breaches of customer trust. The need for developers to be educated about such sophisticated threats and to integrate more comprehensive detection mechanisms into RASP services is more urgent than ever to safeguard sensitive financial data.

Common challenges in exploiting the target

  1. CraxRAT must be running either on a public server, or the remote host must be connected to the same network as the attacker. Transferring the exploitable APK to the victim's device is challenging for an attacker, especially where network-level security controls are in place.
  2. Delivering the exploitable APK to the victim's device without any direct contact. Attackers use different methods to seed the exploitable payload, such as injection, phishing, whaling and social engineering.
  3. Bypassing OS-level security checks such as trusted-certificate, RASP and build-content checks. By default, Android runs security checks before installing an application from outside Google Play. Within those constraints it is challenging to obtain super-user access through the exploitable payload.

CraxRAT Capabilities

In brief:

1. Command and Control

2. Dropper

3. Defence Evasion

4. Obfuscation

5. Persistence

6. Credential Harvesting/Monitoring

In the realm of cybersecurity, a sophisticated attack often involves multiple tactics to ensure its success and longevity. One crucial element is Command and Control (C2), which enables attackers to maintain communication with compromised systems. The initial intrusion often involves a dropper, a type of malware designed to install other malicious payloads onto the target system. To avoid detection, attackers employ various Defence Evasion techniques, including Obfuscation, which masks the true nature of the malicious code. Persistence is another critical aspect, ensuring the malware remains active on the system despite reboots or attempts to remove it. Additionally, attackers engage in Credential Harvesting and Monitoring, collecting sensitive information such as usernames and passwords to facilitate further exploitation and maintain long-term access to the compromised environment.

What is Runtime Application Self-Protection (RASP)?

RASP focuses on safeguarding a specific application rather than offering broad network or endpoint defences. Its targeted deployment allows RASP to closely monitor the inputs, outputs and internal workings of the protected application. With RASP in place, developers gain insight into potential vulnerabilities within their applications. Moreover, the solution can thwart exploitation attempts aimed at existing vulnerabilities in deployed applications.

RASP services in the current market

1. Imperva RASP

2. Contrast Security

3. Appdome

4. OneSpan RASP

5. Waratek

6. Veracode

7. Micro Focus Fortify

Remediation

To effectively remediate the risks posed by CraxRAT, a multi-faceted approach is essential. First and foremost, enhancing mobile application security through proper signature validations is crucial; this ensures that all applications are verified and trustworthy. Implementing a reputable Runtime Application Self-Protection (RASP) tool can further shield applications by actively preventing real-time attacks. Additionally, integrating robust Trojan detection mechanisms is vital for identifying and mitigating malicious software before it can cause harm. Beyond these technical defenses, it is important to move away from default security settings in mobile devices, opting instead to harden these settings based on tailored security needs. Adherence to established security best practices provides a foundational layer of protection, reinforcing the overall security posture. Finally, educating employees about cyber risks empowers them to recognise potential threats and respond appropriately, making them a proactive part of the defense strategy against cyber threats like CraxRAT. Together, these steps form a comprehensive defense framework that significantly enhances organisational resilience against cyber attacks.
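As an added, defender-side example (not code from the original post or from the CraxRAT project), the signature-validation and RASP points above as a minimal startup self-check for an Android app: it pins the app's own signing certificate so a repackaged or re-signed build refuses to run, and it flags enabled accessibility services that are not on an allow-list. Assumptions: the 'full access' prompt in step 3 is Android's accessibility-service grant (the post does not name the permission), the digest is a placeholder, and `IntegrityChecks` and the allow-list are hypothetical names.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.provider.Settings;
import java.security.MessageDigest;
import java.util.*;
public final class IntegrityChecks { // hypothetical helper; needs API 28+ for SigningInfo
    // PLACEHOLDER: SHA-256 of the release signing certificate (lower-case hex).
    private static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";
    // Constructed allow-list of accessibility-service packages the app tolerates.
    private static final Set<String> TRUSTED_A11Y_PACKAGES =
            new HashSet<>(Arrays.asList("com.google.android.marvin.talkback"));
    /** True only when every signer of the running APK matches the pinned digest. */
    public static boolean signatureIsPinned(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            if (signers == null || signers.length == 0) return false;
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (Signature s : signers) {
                // digest() resets the instance, so one MessageDigest serves all signers
                if (!EXPECTED_CERT_SHA256.equals(hex(md.digest(s.toByteArray())))) return false;
            }
            return true;
        } catch (Exception e) {
            return false; // fail closed: a lookup error counts as a failed check
        }
    }
    /** Enabled accessibility services ("pkg/service") whose package is not allow-listed. */
    public static List<String> untrustedAccessibilityServices(Context ctx) {
        List<String> suspicious = new ArrayList<>();
        String enabled = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        if (enabled == null || enabled.isEmpty()) return suspicious;
        for (String entry : enabled.split(":")) { // "pkg/service:pkg2/service2"
            String pkg = entry.contains("/") ? entry.substring(0, entry.indexOf('/')) : entry;
            if (!TRUSTED_A11Y_PACKAGES.contains(pkg)) suspicious.add(entry);
        }
        return suspicious;
    }
    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

Run both checks in the launch activity: a failed `signatureIsPinned` should stop the app, while a non-empty `untrustedAccessibilityServices` result is a signal to warn the user and report to the backend rather than a definitive infection verdict.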

Conclusion

This tool has already hit the market and has become a profitable venture by facilitating online sales and also by being utilized by threat actors. These actors leverage the tool to efficiently carry out social engineering tactics. Due to its robust and user-friendly nature, it poses a significant risk to various sectors, including banking, healthcare, and insurance. It is essential for RASP services to implement robust detection systems to counteract RATs or any unauthorised overlays on primary applications. From my experience, unnoticed cyber threats are increasingly impacting industries, leading to major data breaches including personal information leaks, hijacking of bank accounts, and circumvention of two-factor authentication. Prominent threat actors distribute these tools via emails, Telegram channels, Discord, and use cryptocurrency for transactions to conceal their financial trails. Following the ban of the original tool, only pirated versions are available, with various vendors offering different versions for purchase.

Thank you

See you in another knowledge sharing ….
