Multiple Threat Actors Deploying Open-Source Rafel RAT to Target Android Devices

Summary:
Check Point has identified several threat actors, including the cyber espionage group tracked as APT-C-35 (aka DoNot Team), leveraging Rafel, an open-source Android remote administration tool, to gain remote access to victims' devices and exfiltrate data of interest. In total, Check Point observed roughly 120 distinct campaigns, some of which targeted high-profile victims, spanning countries including the United States, China, Indonesia, Russia, and Pakistan. Notably, the majority of targeted victims are Samsung users, with Xiaomi, Vivo, and Huawei users comprising the second-largest group. Check Point reports that the malware is distributed through phishing campaigns impersonating well-known applications, including Instagram and WhatsApp, as well as various e-commerce platforms and antivirus products. These campaigns rely on social engineering to win the user's trust and walk the victim through granting Rafel the extensive permissions it needs on the device.

Security Officer Comments:
For its part, Rafel ships with an administration panel that operators use to monitor and control infected devices. The trojan gives operators access to victims' contacts, SMS messages, call logs, and much more, and this information is exfiltrated to a C2 server over HTTP(S). Commands supported by Rafel include changing the victim's wallpaper, wiping the call history, transferring files between the device and the C2 server, locking the device screen, and encrypting files of interest, the last of which underpins its use in ransomware operations. The malware also reads the contents of incoming notifications, which lets operators harvest data from other applications, including 2FA codes delivered through messaging platforms, without ever opening those apps.
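Because the notification-reading capability described above depends on the victim granting notification-listener access, one concrete check for an investigator is to enumerate which apps on a device currently hold that access and flag any that are not expected. The following script is an added example written for this brief; it is not code from the Check Point report or from the Rafel RAT project. It assumes adb is installed and the device is authorized for debugging, and the allowlist of expected listener packages is a hypothetical placeholder to be replaced with what your fleet actually uses.

```shell
#!/bin/sh
# Added example (not from Check Point or the Rafel RAT project): audit which apps
# on an Android device hold notification-listener access, the grant Rafel abuses
# to read incoming notifications such as 2FA codes.
# Assumptions: adb is on PATH and the device is authorized; ALLOWED_LISTENERS is a
# hypothetical allowlist that you replace with the listeners expected on your devices.

# Space-separated package names expected to hold notification access (placeholder).
ALLOWED_LISTENERS="com.android.systemui com.google.android.apps.wearable"

# flag_unexpected_listeners RAW
#   RAW is the value of the Settings.Secure key enabled_notification_listeners: a
#   colon-separated list of "package/ListenerServiceClass" entries.
#   Prints each entry whose package is not allowlisted, one per line.
#   Returns 1 if any unexpected listener was found, 0 otherwise.
flag_unexpected_listeners() {
    raw="$1"
    found=0
    old_ifs="$IFS"
    IFS=':'                       # split the setting value on ':' (POSIX sh, no arrays)
    for entry in $raw; do
        [ -z "$entry" ] && continue
        pkg="${entry%%/*}"        # drop "/ListenerServiceClass", keep the package name
        case " $ALLOWED_LISTENERS " in
            *" $pkg "*) ;;        # expected listener, nothing to report
            *) echo "$entry"; found=1 ;;
        esac
    done
    IFS="$old_ifs"
    return $found
}

# audit_device: pull the live setting from the attached device and run the check.
# 'settings get secure <key>' prints the literal string "null" when the key is unset.
audit_device() {
    raw=$(adb shell settings get secure enabled_notification_listeners | tr -d '\r')
    [ "$raw" = "null" ] && raw=""
    if flag_unexpected_listeners "$raw"; then
        echo "OK: only allowlisted apps hold notification-listener access"
    else
        echo "WARNING: unexpected notification listeners above; review these packages"
        return 1
    fi
}

# Run the live audit only when executed directly with an "audit" argument, so the
# functions can also be sourced and exercised against captured setting values.
[ "$1" = "audit" ] && audit_device
```

Any package the script flags should be checked against what the user knowingly installed; a freshly sideloaded app that also holds a listener grant and whose name mimics a messaging or antivirus product is exactly the pattern the campaigns in this brief produce. The same approach extends to device-administrator grants (which back the screen-lock command), but that output needs separate parsing and is left out here.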

Suggested Corrections:
To defend against potential Rafel infections, users should avoid clicking on sponsored ads at the top of Google search results, since threat actors can easily purchase such ads to promote sites hosting malicious applications. When downloading applications, users should ensure they come from a reputable source rather than third-party sites, which are a common path to malware infection. Applications should also be scanned by an anti-virus solution before installation. Because these campaigns depend on the victim granting the RAT broad permissions, users should be wary of any app that asks for notification access, device-administrator rights, or other powerful permissions out of proportion to its stated purpose, and administrators should periodically review which apps on managed devices hold such grants.

IOCs:
https://research.checkpoint.com/202...ware-from-espionage-to-ransomware-operations/

Link(s):
https://thehackernews.com/2024/06/iranian-hackers-deploy-rafel-rat-in.html