
By Following the Crypto, Cyfirma Identifies Developer Behind CraxsRAT – Source: securityboulevard.com


Source: securityboulevard.com – Author: Jeffrey Burt

The person responsible for developing the dangerous CraxsRAT malware that targets Android devices has been operating in Syria for more than eight years and has accumulated at least $75,000 over the last three by selling it and the CypherRAT to other bad actors, according to cybersecurity firm Cyfirma.

Researchers with the Singapore-based company, which develops threat intelligence and attack surface management tools, wrote in a report they were able to collect a range of information about the remote access trojan (RAT) developer after having the cryptocurrency wallet the person was using to store the money frozen pending a verification investigation.


They followed a thread created by the developer on a crypto discussion forum that led to screenshots of a discussion between the developer and Freewallet, the wallet provider, and wrote that they were able to identify the individual’s real name and the usernames used on multiple platforms and social media as well as their IP and email addresses.

The researchers wrote that the person is a man who uses the online moniker “EVLF DEV” and “has been operating from Syria for over 8 years now, extensively working on CraxsRAT. CraxsRAT is one of the most dangerous RATs in the current Android threat landscape.”

EVLF DEV runs a malware-as-a-service (MaaS) operation, selling lifetime licenses for the CraxsRAT and CypherRAT software to more than 100 threat actors, some of whom have released cracked versions of the malware to other hackers for free.

“This exponentially shot up the reachability of these RATs, highly increasing the number of active users,” the researchers wrote.

CraxsRAT Lets Hackers See the Screen, Track Device

This isn’t good given the capabilities of the malware, particularly CraxsRAT. Despite some threat intelligence analysts’ reports of CraxsRAT being a downloader in an attack on a Windows-based operating system, the Cyfirma researchers wrote that CraxsRAT only targets Android devices.

The code is highly obfuscated across different types of builds, and the builder lets the bad actors infecting devices choose which features go into the malicious application depending on the type of attack underway, which increases the threat posed by the malware, they wrote.

The capabilities include a quick install feature that generates an app with limited permissions, enabling it to bypass security features and detection. Once the app is installed, the hacker can send requests to turn on the permissions. There also is a “Super Mod” feature that makes the app harder to uninstall by crashing the page if an uninstall is attempted.

“In order to gain access to the device’s screen and keystrokes, the app needs to enable its accessibility in settings,” the researchers wrote. “So, the builder allows the threat actor to edit the page which pops up right after the app’s installation is completed.”

The permissions allow the hacker to see the location and track the movement of the mobile devices, read contacts, access the device’s file storage, and read text messages and call logs. They also can see the device’s live screen.
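As an added illustration (not code from the article or the Cyfirma report), the following triage script checks an AndroidManifest.xml for the combination the article describes: a service bound with BIND_ACCESSIBILITY_SERVICE, which is what gives an app the screen and keystrokes once the user enables it, plus the location, contacts, storage, SMS and call-log permissions. The sample manifest is constructed, and the "review" verdict covers the quick-install case where few permissions are declared up front.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Permissions matching the capabilities the article lists for CraxsRAT.
RAT_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.READ_CONTACTS": "contact harvesting",
    "android.permission.READ_EXTERNAL_STORAGE": "file storage access",
    "android.permission.READ_SMS": "SMS reading",
    "android.permission.READ_CALL_LOG": "call log reading",
}

def triage_manifest(xml_text: str) -> dict:
    """Return the RAT-like capabilities an AndroidManifest.xml declares."""
    root = ET.fromstring(xml_text)
    requested = {p.get(NS + "name") for p in root.iter("uses-permission")}
    # A service protected by BIND_ACCESSIBILITY_SERVICE is what lets an app
    # watch the screen and keystrokes once the user enables it in settings.
    accessibility = any(s.get(NS + "permission") == ACCESSIBILITY_BIND
                        for s in root.iter("service"))
    hits = sorted(RAT_PERMISSIONS[p] for p in requested if p in RAT_PERMISSIONS)
    if accessibility and len(hits) >= 3:
        verdict = "high"
    elif accessibility:
        # A "quick install" build declares few permissions up front and asks
        # for the rest later, so an accessibility service alone merits review.
        verdict = "review"
    else:
        verdict = "none"
    return {"accessibility_service": accessibility,
            "capabilities": hits, "verdict": verdict}

# Constructed sample manifest, not taken from any real malware sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".Watcher"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A manifest check only sees what the build declares; a quick-install build that requests permissions after installation is caught at runtime, not here.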

Crypto Wallet Was the Key

The Cyfirma researchers began tracking the CraxsRAT developer, noting that EVLF DEV has more than 10,000 subscribers on his Telegram channel. They learned that the person for at least three years was using a Freewallet crypto wallet to hold and withdraw what they earned by selling the malware.

The researchers requested that Freewallet freeze the account until a know-your-customer (KYC) verification investigation was done. KYC is a policy used by financial institutions to prevent such crimes as money laundering and the financing of terrorists through identity verification.

This is increasingly being done by crypto exchanges and other organizations tied to digital currency, which are widely used by ransomware groups and other malicious organizations to store and move the money gained through their criminal operations. In addition, countries like North Korea are known for using cyberattacks to fund their nuclear weapons programs.

Freezing EVLF DEV’s crypto wallet forced the developer to send verification details to Freewallet.

“To gain support from the black hat community, after Freewallet denied releasing the frozen crypto, a thread was created by EVLF on one of the crypto discussion forums, where evidence related to KYC submission was shared after masking PII,” the researchers wrote.

In addition, they found screenshots posted by EVLF DEV of a conversation with the wallet provider asking for a Skype meeting for the verification process.

Through the investigation, they were able to tease out details of EVLF DEV’s identity, the researchers wrote, reiterating the threat CraxsRAT poses to Android device users and the dangers of the MaaS model, which puts malware like these RATs into the hands of large numbers of hackers who then need only launch their own attacks.

“The RAT may be distributed to victims using campaigns such as phishing, third-party app stores, social engineering, in-app advertisements, drive-by downloads, and watering hole attacks,” they wrote.

The researchers said users need to be careful when downloading apps and should avoid those with suspicious links or attachments. They also said users should get apps from official app stores, update them regularly, and use security software.


Original Post URL: https://securityboulevard.com/2023/08/by-following-the-crypto-cyfirma-identifies-developer-behind-craxsrat/

Category & Tags: Cybersecurity, Data Security, Endpoint, Featured, Malware, Mobile Security, News, Security Boulevard (Original), Spotlight, Threat Intelligence, android, cryptocurrency, rat
