Not just Pegasus, India needs to watch out for CapraRAT too

Because the phishing email is sent from a fraudulent address in the name of Indian government offices, a large number of targets are likely to open the email and download the attachment

Representative image

Gautam S Mengle

A malware strain that has been active on the internet since 2017 has recently been linked by two private cybersecurity firms to a hacker group backed by Pakistan. The malware is specifically aimed at Indian government agencies, the firms reported.

The first research into the malware, named CapraRAT, was conducted by Trend Micro, an American-Japanese multinational cybersecurity firm; its findings were made public on January 24 this year.

‘RAT’ stands for Remote Access Trojan, a common form of malware. The word ‘malware’ literally means malicious software, while a Trojan is malware that enters a device disguised as something legitimate, much like the famed Trojan Horse. A RAT grants its operators remote access to the compromised device.

According to Trend Micro’s research, CapraRAT is being operated by a hacker group known as Earth Karkaddan. Over the years, multiple cybersecurity agencies, both civilian and government, have confirmed that Earth Karkaddan is backed by Pakistan and targets Indian government and military organisations.

“The malicious lure and deceive victims into downloading fraudulent government documents, honeytraps showing profiles of attractive women and more recently, coronavirus-themed information,” the report states.

Because the phishing email is sent from a fraudulent address in the name of an Indian government office, a large number of targets are likely to open the email and download the attachment. Once the attachment is downloaded, an app is installed on the device, which seeks several permissions from the user. Once these permissions are granted, CapraRAT is capable of executing a host of tasks on the device.

This includes access to essential services of the device, including the camera, microphone, location, phone call history and contacts. In simpler terms, this means that CapraRAT can take pictures using the hacked device, record audio and check the target’s real-time location, and relay all of it to its operators in Pakistan.

“The RAT also has a persistence mechanism that always keeps the app active,” Trend Micro’s report states.


A deep-dive analysis of CapraRAT was subsequently conducted by Cyble, a cybersecurity firm headquartered in the United States of America, with offices in India. Cyble confirmed that CapraRAT was being operated by Earth Karkaddan.

“In the past, the Earth Karkaddan group has launched a fake version of the Aarogya Setu Application for malicious purposes. Aarogya Setu is an application developed by the Indian Government to track Covid-19 cases. Our analysis indicates that upon successful execution, this malicious application can steal sensitive data such as contacts, call logs, SMSs, location, take screenshots, record calls, and microphone audio, send SMSs, etc., from the victims’ devices,” Cyble’s research report stated.

“Given the sensitive nature of the data being accessed and the APT group suspected to be behind it, CapraRAT could have severe national security implications for the Indian Diplomatic and Defense infrastructure,” Cyble’s report states.
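The two reports above describe the same pattern: a sideloaded Android app that asks for camera, microphone, location, call-log, contacts and SMS permissions, and registers a persistence hook so it stays active. The script below is an added example written for this page, not code from Trend Micro, Cyble or the National Herald; it parses an AndroidManifest.xml and flags that combination so an analyst or mobile-device administrator can triage an unknown APK before trusting it. The two manifests are constructed for the example, the package names are placeholders, and the scoring threshold is this example's assumption rather than a figure from either report.

```python
"""Triage an Android manifest for the surveillance permission set and boot-time
persistence hook that the reports above attribute to CapraRAT.

Added example for this article; manifests below are constructed, and the
threshold in triage() is an assumption of this example, not a vendor figure.
"""
import xml.etree.ElementTree as ET

# Attributes such as android:name are namespaced in the parsed XML.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> capability category, mirroring the capabilities listed in the reports.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms read",
    "android.permission.SEND_SMS": "sms send",
}

# Permissions commonly paired with an always-running app (persistence indicators).
PERSISTENCE_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.FOREGROUND_SERVICE",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def parse_manifest(xml_text: str) -> dict:
    """Extract declared permissions and whether a receiver listens for BOOT_COMPLETED."""
    root = ET.fromstring(xml_text)
    permissions = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    permissions.discard(None)
    boot_receiver = any(
        act.get(ANDROID_NS + "name") == BOOT_ACTION for act in root.iter("action")
    )
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "boot_receiver": boot_receiver,
    }


def triage(xml_text: str, threshold: int = 4) -> dict:
    """Score the manifest: distinct surveillance capabilities plus persistence.

    `threshold` (assumed here) is how many distinct capability categories an
    ordinary app would rarely need all at once.
    """
    info = parse_manifest(xml_text)
    capabilities = sorted(
        {SURVEILLANCE_PERMISSIONS[p] for p in info["permissions"] if p in SURVEILLANCE_PERMISSIONS}
    )
    persistence = info["boot_receiver"] or bool(info["permissions"] & PERSISTENCE_PERMISSIONS)
    if len(capabilities) >= threshold and persistence:
        verdict = "review: RAT-like surveillance permission set with persistence"
    elif len(capabilities) >= threshold:
        verdict = "review: broad surveillance permission set"
    else:
        verdict = "low: no unusual surveillance footprint"
    return {
        "package": info["package"],
        "capabilities": capabilities,
        "persistence": persistence,
        "verdict": verdict,
    }


# Constructed manifest resembling the permission profile described in the reports.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="placeholder.suspicious.app">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for an ordinary camera utility: one capability, no persistence.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="placeholder.benign.app">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage(manifest)
        print(result["package"], "->", result["verdict"], result["capabilities"])
```

The script reads the manifest only; it does not run the APK. A permission set alone is not proof of malice, which is why the output is a review flag rather than a conviction, but the combination of every surveillance category with a boot-time receiver is exactly the profile both reports describe and is a reasonable trigger for sandboxing or blocking the app on managed government devices.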

(This was first published in National Herald on Sunday)



Published: 26 Feb 2022, 7:30 PM