
Rafel RAT targets outdated Android phones in ransomware attacks

An open-source Android malware named “Rafel RAT” is widely deployed by many cybercriminals to attack outdated devices, and some operators use it to lock those devices with a ransomware module that demands payment via Telegram.

Researchers Antonis Terefos and Bohdan Melnykov of Check Point report detecting more than 120 campaigns using Rafel RAT malware.


Known threat actors are running some of these campaigns, such as APT-C-35 (DoNot Team), while in other cases the malicious activity has been attributed to actors in Iran and Pakistan.

As for targets, Check Point mentions successful targeting of high-profile organizations, particularly in the government and military sector, with most victims coming from the United States, China and Indonesia.

In most of the infections examined by Check Point, victims were using a version of Android that had reached end of life (EoL) and was no longer receiving security updates, leaving the device exposed to publicly known vulnerabilities.

These are Android versions 11 and earlier, which accounted for more than 87.5% of the total. Only 12.5% of infected devices run Android 12 or 13.

The targeted brands and models are a mix of everything, including Samsung Galaxy, Google Pixel, Xiaomi Redmi, Motorola One, OnePlus, Vivo, and Huawei devices. This shows that Rafel RAT works against a wide range of different Android implementations.

Rafel RAT attacks

Rafel RAT spreads through various means, but malicious actors usually impersonate well-known brands such as Instagram, WhatsApp, e-commerce platforms or antivirus apps to trick people into downloading malicious APKs.

Fake applications bundling a Rafel RAT installer
Source: Checkpoint

During installation, it requests risky permissions, including an exemption from battery optimization so that it can keep running in the background.

The commands it supports vary by variant. The most important of these, based on their potential impact, are:

  • Ransomware: Starts the file encryption process on the device.
  • wipe: Deletes all files under the specified path.
  • Lock screen: Locks the device screen, rendering it unusable.
  • sms_oku: Leaks all SMS (and 2FA codes) to the command and control (C2) server.
  • location_tracker: Discloses live device location to C2 server.
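The permission profile described above (battery-optimization exemption for persistence, device-admin binding for screen control, SMS and location access) is something a defender can check for statically before an APK ever reaches a phone. The following Python script is an added example, not code from Check Point or BleepingComputer: it reads a decoded AndroidManifest.xml (as produced by a tool such as apktool) and scores how many of those capability categories the app requests. The permission names are the real Android constants; the sample manifest, the category labels and the flagging threshold are this example's own assumptions.

```python
"""Static triage of a decoded Android manifest for the capability profile
described in the article. Added example, not the malware's or Check Point's code.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Real Android permissions mapped to the capability they enable. Each one is
# harmless on its own; the combination is what resembles the article's profile.
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "background persistence",
    "android.permission.READ_SMS": "SMS / 2FA code access",
    "android.permission.RECEIVE_SMS": "SMS / 2FA code access",
    "android.permission.SEND_SMS": "SMS sending",
    "android.permission.ACCESS_FINE_LOCATION": "live location",
    "android.permission.READ_CALL_LOG": "call history access",
    "android.permission.WRITE_CALL_LOG": "call history tampering",
}

# A DeviceAdminReceiver must be declared with this protecting permission,
# so its presence means the app can ask for device-administrator rights.
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample manifest: a fake "Instagram" app with the risky profile.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Instagram">
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign manifest for comparison: a maps-style app.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.maps">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Maps"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """All <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def declares_device_admin(manifest_xml: str) -> bool:
    """True if any receiver is protected by BIND_DEVICE_ADMIN."""
    root = ET.fromstring(manifest_xml)
    return any(r.get(PERM_ATTR) == DEVICE_ADMIN_PERMISSION for r in root.iter("receiver"))


def triage(manifest_xml: str, threshold: int = 3) -> dict:
    """Score the manifest by distinct capability categories requested.

    The threshold (3 categories) is this example's own choice, not a published rule.
    """
    perms = requested_permissions(manifest_xml)
    hits = {p: RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS}
    categories = set(hits.values())
    admin = declares_device_admin(manifest_xml)
    if admin:
        categories.add("device admin")
    return {
        "hits": hits,
        "device_admin": admin,
        "categories": sorted(categories),
        "score": len(categories),
        "flag": len(categories) >= threshold,
    }


if __name__ == "__main__":
    for label, manifest in (("fake app", SAMPLE_MANIFEST), ("benign app", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{label}: score={result['score']} flag={result['flag']} {result['categories']}")
```

Run it against the manifest of any sideloaded APK after decoding; a hit on several categories at once is a reason to inspect the app further, not proof of infection by itself, since legitimate MDM or messaging apps can request some of the same permissions.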

Actions are controlled from a central panel where malicious actors can access information about devices and their status and decide the next steps of their attack.

Presentation of the infected device on the Rafel RAT panel
Source: Checkpoint

According to Check Point’s analysis, in approximately 10% of cases the ransomware command was issued.

Most frequently issued commands
Source: Checkpoint

Ransomware attacks

Rafel RAT’s ransomware module is designed to execute extortion schemes by taking control of the victim’s device and encrypting their files using a predefined AES key.

Rafel RAT encryption methods
Source: Checkpoint

If DeviceAdmin privileges have been gained on the device, the ransomware takes control of crucial device functions, such as the ability to change the lock screen password and add a custom message to the device screen, often the ransom demand.

If the user attempts to revoke administrator privileges, the ransomware may respond by changing the password and immediately locking the screen.
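Because the malware reacts to a revocation attempt by resetting the password and locking the screen, an incident responder wants to know exactly which components hold device-admin rights before touching anything. The Python script below is an added example (not Check Point's or BleepingComputer's code) that parses the "Enabled Device Admins" section of `adb shell dumpsys device_policy` output and flags admins outside an allowlist that hold the lock-screen control policies the article describes. The sample dump is constructed, and the exact layout it assumes (a per-user header followed by indented `component:` entries and their policy list) is an assumption about the dump format that may vary by Android version and vendor.

```python
"""Flag unexpected device administrators from a dumpsys device_policy dump.
Added example; the sample text and assumed layout are not captured output.
"""
import re

# Constructed sample of `adb shell dumpsys device_policy` output (layout assumed).
SAMPLE_DUMP = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.mdm.corporate/.AdminReceiver:
      uid=10087
      policies:
        reset-password
        force-lock
    com.example.fakeapp/.AdminReceiver:
      uid=10123
      policies:
        reset-password
        force-lock
        wipe-data
  Enabled Device Admins (User 10, provisioningState: 0):
"""

# Components the organisation expects to hold admin rights (assumed for the example).
ALLOWLIST = {"com.android.mdm.corporate/.AdminReceiver"}

# Policies that give an admin the control described in the article:
# changing the lock-screen password and locking the screen.
LOCKOUT_POLICIES = {"reset-password", "force-lock"}

HEADER_RE = re.compile(r"^\s*Enabled Device Admins \(User (\d+)")
COMPONENT_RE = re.compile(r"^\s+([\w.]+/[\w.$]+):\s*$")
POLICY_RE = re.compile(r"^\s+([a-z][a-z-]+)\s*$")


def parse_device_admins(dump: str) -> dict:
    """Return {component: {"user": int, "policies": set}} for each enabled admin."""
    admins = {}
    user = None        # user id from the most recent header line
    current = None     # component whose block we are inside
    in_policies = False
    for line in dump.splitlines():
        m = HEADER_RE.match(line)
        if m:
            user, current, in_policies = int(m.group(1)), None, False
            continue
        m = COMPONENT_RE.match(line)
        if m and user is not None:
            current = m.group(1)
            admins[current] = {"user": user, "policies": set()}
            in_policies = False
            continue
        if current is None:
            continue
        if line.strip() == "policies:":
            in_policies = True
            continue
        m = POLICY_RE.match(line)
        if in_policies and m:
            admins[current]["policies"].add(m.group(1))
    return admins


def flag_suspicious_admins(dump: str, allowlist=frozenset(ALLOWLIST)) -> list:
    """Admins outside the allowlist that can reset the password or force-lock the screen."""
    return sorted(
        comp
        for comp, info in parse_device_admins(dump).items()
        if comp not in allowlist and info["policies"] & LOCKOUT_POLICIES
    )


if __name__ == "__main__":
    for comp, info in parse_device_admins(SAMPLE_DUMP).items():
        print(f"user {info['user']}: {comp} -> {sorted(info['policies'])}")
    print("suspicious:", flag_suspicious_admins(SAMPLE_DUMP))
```

Feed it the real dump with `adb shell dumpsys device_policy > dump.txt`; any flagged component is a candidate for removal, but given the revocation response described above, back up what you can and be prepared for the device to lock before revoking the admin on a suspected infected phone.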

Response mechanism against attempts to revoke privileges
Source: Checkpoint

Check Point researchers observed several ransomware operations involving Rafel RAT, including an Iranian attack that performed reconnaissance using Rafel RAT’s other capabilities before executing the encryption module.

The attacker cleared the call history, changed the wallpaper to display a personalized message, locked the screen, turned on device vibration, and sent a text message containing the ransom note, which prompted the victim to send him a message on Telegram to “solve this problem”.

To defend against these attacks, avoid downloading APKs from questionable sources, don’t click on URLs embedded in emails or SMS messages, and scan apps with Play Protect before launching them.

News Source : www.bleepingcomputer.com