Experts discover a new sophisticated malware dubbed xRAT tied to mRAT threat

Researchers at Lookout spotted a new mobile remote access Trojan dubbed xRAT tied to 2014 “Xsser / mRAT” surveillance campaign against Hong Kong protesters.

A new mobile remote access Trojan dubbed xRAT includes appears as the evolution of high-profile spyware Xsser / mRAT malware that was first spotted in late 2014 when it was used in a surveillance campaign against Hong Kong protesters.

“Lookout researchers have identified a mobile trojan called xRAT with extensive data collection functionality and the ability to remotely run a suicide function to avoid detection. The malware is associated with the high-profile Xsser / mRAT malware, which made headlines after targeting both iOS and Android devices of pro-democracy Hong Kong activists in late 2014.” reads the analysis published by Lookout.

xRAT has many similarities with mRAT, it has the same structure and uses the same decryption key. The analysis of the code revealed that both malware uses the same naming conventions that suggest both malicious codes were developed by the same threat actor.

According to researchers from security firm Lookout, the command and control (C&C) servers used for the xRAT malware is the same of a Windows malware,  a circumstance that suggests the threat actor is composed of experienced experts.

The xRAT mobile Trojan seems to be specifically developed to target political groups, it includes detection evasion and implements common spying features, including the ability to gather data from instant messaging applications such as WeChat and QQ.

“Like mRAT, xRAT supports an impressive set of capabilities that include flexible reconnaissance and information gathering, detection evasion, specific checks for antivirus, app and file deletion functionality, and other functionality listed below. It also searches for data belonging to popular communications apps like QQ and WeChat. The threat actors themselves are able to remotely control much of its functionality in real time (e.g., which files to retrieve and what the settings of its automatic file retrieval module should be). ” continues the analysis.

Below the complete list of features implemented by the xRAT mobile malware.

Browser history Device metadata (such as model, manufacturer, SIM number, and device ID) Text messages Contacts Call logs Data from QQ and WeChat Wifi access points a device has connected to and the associated passwords Email database and any email account username / passwords Device geolocation Installed apps, identifying both user and system applications SIM Card information Provide a remote attacker with a shell Download attacker specified files and save them to specified locations Delete attacker specified files or recursively delete specified directories Enable airplane mode

List all files and directories on external storage List the contents of attacker specified directories Automatically retrieve files that are of an attacker specified type that are between a minimum and maximum size Search external storage for a file with a specific MD5 hash and, if identified, retrieve it Upload attacker specified files to C2 infrastructure Make a call out to an attacker specified number Record audio and write it directly to an already established command and control network socket Executes attacker specified command as the root user Downloads a 22MB trojanized version of QQ from hiapk[.]com, saving it to /sdcard/.wx/wx.apk. Referred to as ‘rapid flow mode’.

To avoid detection, the xRAT implements a “suicide” function that could be triggered to clean the installation on the infected mobile device. The malicious code for specific antivirus applications and alert its operators in the case they are present:

管家 (housekeeper) 安全 (safety) 权限 (Authority) 卫士 (Guardian)

清理 (Cleanup) 杀毒 (Antivirus) Defender Securit

xRAT can be remotely instructed to perform a wide range of deletion operations, such as removing large portions of a device or attacker-specified files like images from certain directories on the SDCard, all apps and data from /data/data/, and all system apps from /system/app/.

Most of the C&C infrastructure used by xRAT in the past were based in China, but sample recently analyzed by the company were located in the United States.

As anticipated, the C&C infrastructure also controlled a Windows malware, the experts also noticed a malicious executable named MyExam, this means that “the actors behind this family may be continuing to target students, similar to how attackers used mRAT during the protests in 2014.”

“The majority of command and control servers used by xRAT in the past have been based in China with some appearing in Hong Kong. After analyzing recently acquired samples, we further identified attacker infrastructure on the East Coast of the United States. This may indicate an expansion in deployment from the actor behind this family as they’ve previously used servers geographically close to regions where their tooling is being deployed.” continues the analysis.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – password hashes, cracking)

[adrotate banner=”12″]