OmniRat RAT is currently being used by criminals in the wild

Researchers at Avast have published an analysis of OmniRAT, a multi-platform remote administration tool (RAT) that has been used by criminals in the wild.

Researchers at Avast have conducted a brief analysis of OmniRAT, a multi-platform remote administration tool (RAT) that has been used for malicious purposes.

The malware researchers at Avast have published an interesting analysis of the multi-platform remote administration tool OmniRAT. The OmniRAT remote administration tool works on Android, Windows, Linux and Mac OS X OSs.

It is very popular and cheap, the OmniRAT lifetime license for servers and clients are offered for sale for $25 and $50, and operators also offer lifetime support.

Despite OmniRAT is not designed for illicit purposes, the experts at Avast have observed it being used my many crooks as a remote access Trojan.

The attackers use to spread the RAT via social engineering, a German user explained that his Android was infected via SMS containing a shortened URL link pointing to a website where the victim was instructed to enter a code and their phone number. The SMS was claiming that the victim had received an MMS that cannot be sent him because its mobile phone was affected by the Android StageFright vulnerability

When victims provide the information requested the website serve an APK reporting the icon labeled “MMS Retrieve” when installed. Then it is sufficient to click on the icon to start the installation of the OmniRAT.

“A custom version of OmniRat is currently being spread via social engineering. A user on a German tech forum, Techboard-online, describes how a RAT was spread to his Android device via SMS. After researching the incident, I have come to the conclusion that a variant of OmniRat is being used.” is reported in the blog post  published by Avast.

The malware analyst Nikolaos Chrysaidos from Avast explained that once criminals have infected the mobile device could access its contact list in order to spread OmniRat.

“The victim then has no idea their device is being controlled by someone else and that every move they make on the device is being recorded and sent back to a foreign server,” Chrysaidos said. “Furthermore, once cybercriminals have control over a device’s contact list, they can easily spread the malware to more people. Inside this variant of OmniRat, there is a function to send multiple SMS messages. What makes this especially dangerous is that the SMS spread via OmniRat from the infected device will appear to be from a known and trusted contact of the recipients, making them more likely to follow the link and infect their own device.”

OmniRat is quite to another RAT, DroidJack, that was used by several organizations in the criminal underground for illegal activities. OmniRat is cheaper that DroidJack which is offered for sale a nearly $210.

Pierluigi Paganini

(Security Affairs – OmniRat,  cybercrime)