CloudSEK’s TRIAD team discovered yet another open-source Android malware called DogeRAT (Remote Access Trojan), targeting a large customer base across multiple industries, especially Banking and Entertainment. Although the majority of this campaign targeted users in India, it is intended to have a global reach.
Cybersecurity threats are continually evolving and getting more complicated. Scammers have started utilizing open-source software and technology to support scams, developing and customizing them to target individuals across the nation. These financially motivated con artists focus on increasing their profit margins by not spending any money on launching a fraud campaign. Previously, in a similar campaign, scammers were seen exploiting SMSEye2, an open-source Android application that forwards SMS messages to a Telegram Bot from a particular mobile device.
During an investigation into an SMS stealer scam campaign, CloudSEK’s TRIAD team discovered yet another open-source Android malware called DogeRAT (Remote Access Trojan), targeting a large customer base across multiple industries, especially Banking and Entertainment. Although the majority of this campaign targeted users in India, it is intended to have a global reach. The malware is disguised as a legitimate app and is being distributed through social media and messaging apps. Once installed, the malware can steal sensitive information from the victim's device, such as contacts, messages, and banking credentials. The malware can also be used to take control of the victim's device and perform malicious actions, such as sending spam messages, making unauthorized payments, modifying files, viewing call records, and even taking photos via both the front and rear cameras of the infected device.
It is essential to exercise vigilance and take preventative measures to safeguard our digital assets. In this blog, we take a deep dive into the operation of the DogeRAT malware campaign and provide tips on how to protect yourself from this threat.
DogeRAT has been found to be advertised by the malware creator in two Telegram channels. In the image given below, the author of the RAT offers a premium version of DogeRAT with additional capabilities: taking screenshots, stealing images from the gallery, keylogging, stealing clipboard contents, a new file manager, stronger persistence, and more stable bot connections with the infected device.
Moreover, the author of DogeRAT has also created a GitHub repository where the RAT is hosted along with a video tutorial and the following list of features/capabilities offered by the RAT.
This Java-based Android RAT uses very simple server-side code written in Node.js to interact with the Telegram Bot and the infected device through a web socket. In this setup, the Telegram Bot serves as the Command and Control (C2) panel for the threat actor who creates the setup and deploys DogeRAT.
The malware author's extensive tutorial on GitHub shows that a Telegram Bot and a free open-source Node.js application hosting platform are sufficient to launch a scam campaign using DogeRAT.
Upon its initial launch, the Trojan acquires multiple permissions, including but not limited to access to call logs, audio recording, and reading of SMS messages, media, and photos.
The malware consistently displays the URL of the targeted entity in a web view within the application to create the appearance of legitimacy. The URL can be changed based on the target by the threat actor operating the RAT.
As previously mentioned, the Telegram Bot acts as the C2 panel for the RAT. Upon further inspection of the HTTP traffic, we discovered that the malware communicates with server code that is controlled via the Telegram Bot.
During routine triaging, CloudSEK researchers stumbled upon a malicious package ID "willi.fiend". Further investigation led to the discovery of over a thousand counterfeit applications impersonating Android apps in multiple sectors, including banking, gaming, and entertainment. This discovery led to the identification of the DogeRAT malware campaign.
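As an added illustration (not CloudSEK's or the RAT's own code), the Python routine below triages an Android manifest against the permission set described above and the package ID named here; the sample manifest and the threshold of four matched permissions are constructed for this example.

```python
"""Triage an Android manifest for the permission set described above.
Example code, not CloudSEK's or DogeRAT's own; threshold is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the write-up says the Trojan acquires, mapped to the
# capability they give a RAT operator. A legitimate app rarely needs them all.
RAT_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "view call records",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_SMS": "read SMS, including banking OTPs",
    "android.permission.SEND_SMS": "send spam SMS",
    "android.permission.CAMERA": "take photos with front/rear camera",
    "android.permission.READ_CONTACTS": "exfiltrate contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "read media and photos",
}

# Package ID reported in the write-up.
KNOWN_BAD_PACKAGES = {"willi.fiend"}


def triage_manifest(manifest_xml: str):
    """Return (package, matched_permissions, verdict) for one manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    matched = sorted(p for p in requested if p in RAT_PERMISSIONS)
    if package in KNOWN_BAD_PACKAGES:
        verdict = "known-bad"
    elif len(matched) >= 4:  # constructed heuristic; tune to your app population
        verdict = "suspicious"
    else:
        verdict = "low"
    return package, matched, verdict


# Constructed manifest imitating the permission set described in the text.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="willi.fiend">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

In practice the manifest is pulled from the decoded APK (for example with apktool or aapt) and the verdict feeds a review queue rather than an automatic block.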
This campaign serves as a stark reminder of the financial motivation driving scammers to continually evolve their tactics. They are not just limited to creating phishing websites, but also distributing modified RATs or repurposed malicious apps to execute scam campaigns that are low-cost and easy to set up, yet yield high returns. Hence, it is important to be aware of the latest threats and to take steps to protect yourself. Here are a few tips: