Rafel RAT targets outdated Android phones in ransomware attacks

June 24, 2024 at 02:44PM

The ‘Rafel RAT’ malware targets outdated Android devices to conduct ransomware attacks, with over 120 campaigns detected by researchers. It primarily affects devices running Android versions 11 and older, and it can target various brands and models. Threat actors use fake apps to spread Rafel RAT, which can execute commands including ransomware, file deletion, and device locking. Check Point advises caution in downloading APKs and clicking on links to prevent these attacks.

Based on the meeting notes, the main takeaways include:

1. An open-source Android malware named ‘Rafel RAT’ is widely deployed by multiple cybercriminals to attack outdated devices, with some aiming to lock them down with a ransomware module that demands payment on Telegram.

2. Researchers at Check Point report detecting over 120 campaigns using the Rafel RAT malware, conducted by known threat actors such as APT-C-35 (DoNot Team), and in some cases originating from Iran and Pakistan.

3. High-profile organizations, including those in government and the military sector, have been successfully targeted, with most victims being from the United States, China, and Indonesia.

4. The malware primarily targets devices running Android versions 11 and older, which have reached the end of life (EoL) and are no longer receiving security updates, making them vulnerable to known/published flaws. Only 12.5% of infected devices run Android 12 or 13.

5. Various brands and models of Android devices have been targeted, proving that Rafel RAT is an effective attack tool against a wide range of different Android implementations.

6. The malware is spread via various methods, with threat actors typically abusing known brands like Instagram, WhatsApp, e-commerce platforms, or antivirus apps to trick people into downloading malicious APKs.

7. The malware supports various commands, including ransomware, wiping files, locking the screen, and leaking SMS and device location information to a command-and-control (C2) server. These actions are controlled from a central panel where threat actors can access device and status information and decide on their next attack steps.

8. The ransomware module in Rafel RAT is designed to execute extortion schemes by encrypting the victim’s files using a pre-defined AES key, taking control of the victim’s device, and changing the lock-screen password.

9. To defend against these attacks, individuals should avoid APK downloads from dubious sources, refrain from clicking on URLs embedded in emails or SMS, and scan apps with Play Protect before launching them.
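A fleet-side check that operationalizes takeaways 4, 6 and 9, added here as example code (it is not from Check Point or the article): it flags devices still on Android 11 or older and installed apps whose display label imitates one of the brands named above while the package name is not the official one. The device ids, labels and the look-alike package name are constructed; the two official package names are real.

```python
import re

# Official package names for two brands the article says lures impersonate.
# These two identifiers are real; everything in DEVICES below is constructed.
OFFICIAL_PACKAGES = {"whatsapp": "com.whatsapp", "instagram": "com.instagram.android"}
EOL_MAX_MAJOR = 11  # article: Android 11 and older no longer get security updates


def android_major(version: str) -> int:
    """Leading major number: '4.4.2' -> 4, '12L' -> 12; anything else is an error."""
    m = re.match(r"\s*(\d+)", version)
    if not m:
        raise ValueError(f"unparseable Android version: {version!r}")
    return int(m.group(1))


def lookalike_apps(apps):
    """Packages whose display label borrows a brand name without being the official app."""
    flagged = []
    for app in apps:
        label = re.sub(r"[^a-z]", "", app["label"].lower())  # 'Whats App Pro' -> 'whatsapppro'
        for brand, official in OFFICIAL_PACKAGES.items():
            if brand in label and app["package"] != official:
                flagged.append(app["package"])
    return flagged


def triage(devices):
    """Per-device issue list, plus the share (%) of devices on Android 12 or newer."""
    findings, modern = {}, 0
    for dev in devices:
        major = android_major(dev["android"])
        issues = []
        if major <= EOL_MAX_MAJOR:
            issues.append("eol_os")
        else:
            modern += 1
        issues += [f"lookalike:{pkg}" for pkg in lookalike_apps(dev.get("apps", []))]
        findings[dev["id"]] = issues
    return findings, round(100.0 * modern / len(devices), 1)


# Constructed sample inventory (ids, labels and the look-alike package are made up).
DEVICES = [
    {"id": "dev-1", "android": "10", "apps": [{"label": "WhatsApp", "package": "com.whatsapp"}]},
    {"id": "dev-2", "android": "13", "apps": [{"label": "Whats App Pro", "package": "com.update.wa"}]},
    {"id": "dev-3", "android": "11", "apps": [{"label": "Instagram", "package": "com.instagram.android"}]},
    {"id": "dev-4", "android": "12L", "apps": []},
]
```

Feed `triage` an export from your MDM instead of `DEVICES`; devices tagged `eol_os` are the population the article says these campaigns mostly hit, and each `lookalike:` entry is a sideloaded app worth pulling for review.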

These takeaways provide a comprehensive overview of the risks posed by the Rafel RAT malware and highlight the importance of proactive measures to mitigate these threats.