DogeRAT: The Android Malware Campaign Targeting Users Across Multiple Industries
CloudSEK’s TRIAD team discovered yet another open-source Android malware called DogeRAT (Remote Access Trojan), targeting a large customer base across multiple industries, especially Banking and Entertainment. Although the majority of this campaign targeted users in India, it is intended to have a global reach.
Overview of the Campaign
Cybersecurity threats are continually evolving and getting more complicated. Scammers have started utilizing open-source software and technology to support scams, developing and customizing them to target individuals across the nation. These financially motivated con artists focus on increasing their profit margins by not spending any money on launching a fraud campaign. Previously, in a similar campaign, scammers were seen exploiting SMSEye2, an open-source Android application that forwards SMS messages to a Telegram Bot from a particular mobile device.
During an investigation into an SMS stealer scam campaign, CloudSEK’s TRIAD team discovered yet another open-source Android malware called DogeRAT (Remote Access Trojan), targeting a large customer base across multiple industries, especially Banking and Entertainment. Although the majority of this campaign targeted users in India, it is intended to have a global reach. The malware is disguised as a legitimate app and is being distributed through social media and messaging apps. Once installed, the malware can steal sensitive information from the victim's device, such as contacts, messages, and banking credentials. The malware can also be used to take control of the victim's device and perform malicious actions, such as sending spam messages, making unauthorized payments, modifying files, viewing call records, and even taking photos via both the front and rear cameras of the infected device.
It is essential to exercise vigilance and take preventative measures to safeguard our digital assets. In this blog, we will deep dive into the operation of the DogeRAT malware campaign and provide tips on how to protect yourself from this threat.
Attribution
DogeRAT has been found to be advertised by the malware creator in two Telegram Channels. In the image given below, the author of the RAT offers a premium version of DogeRAT with additional capabilities: taking screenshots, stealing images from the gallery, keylogging, stealing clipboard contents, and a new file manager, along with better persistence and smoother bot connections to the infected device.
Screenshot of the Telegram advertisement offering the premium version of DogeRAT
Moreover, the author of DogeRAT has also created a GitHub repository where the RAT is hosted along with a video tutorial and the following list of features/capabilities offered by the RAT.
Capabilities of the DogeRAT
Technical Analysis
Set Up for DogeRAT
This Java-based Android RAT uses very simple server-side code written in NodeJs to interact with the Telegram Bot and the infected device through a web socket. In this scenario, the Telegram Bot works as the Command and Control panel for the threat actor who creates the setup and deploys DogeRAT.
Code snippet used to interact with the Telegram Bot
The malware author's extensive tutorial on GitHub shows that a Telegram Bot and a free open-source NodeJs application hosting platform are sufficient to launch a scam campaign using DogeRAT.
Screenshot taken from the video tutorial shared by the malware author to set up the RAT
Permissions Required by the Trojan
Upon its initial launch, the Trojan acquires multiple permissions, including but not limited to access to call logs, audio recording, and reading of SMS messages, media, photos, etc.
Screenshots of the permissions requested by the Trojan
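A defender-side check for the permission footprint described above, added here as an example and not code from CloudSEK or the DogeRAT project: it parses `adb shell dumpsys package <pkg>` style output and flags an app that holds several surveillance-capable permission groups at once. The sample output is constructed (modelled on the dumpsys format) and uses the willi.fiend package ID identified later in the write-up; the bucket threshold is an assumption.

```python
import re

# Constructed sample of `adb shell dumpsys package <pkg>` output (not captured
# from a real DogeRAT sample); the permissions mirror the categories the
# write-up lists: call logs, audio recording, SMS, media/photos, plus camera.
SAMPLE_DUMPSYS = """\
  Package [willi.fiend] (7e1c2a9):
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
"""

# Capability buckets a RAT of this kind needs; an app holding several of them
# at once deserves a closer look even though each permission alone is common.
CAPABILITY_BUCKETS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "media": {"android.permission.READ_MEDIA_IMAGES",
              "android.permission.READ_EXTERNAL_STORAGE"},
    "contacts": {"android.permission.READ_CONTACTS"},
}

PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_0-9]+):\s*granted=(true|false)", re.M)
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]", re.M)

def parse_granted(dumpsys_text):
    """Return (package_name, set of permissions reported as granted=true)."""
    pkg_match = PKG_RE.search(dumpsys_text)
    package = pkg_match.group(1) if pkg_match else None
    granted = {name for name, state in PERM_RE.findall(dumpsys_text) if state == "true"}
    return package, granted

def surveillance_buckets(granted):
    """Sorted names of the capability buckets the granted set covers."""
    return sorted(b for b, perms in CAPABILITY_BUCKETS.items() if perms & granted)

def assess(dumpsys_text, threshold=3):
    """Flag the package when it covers at least `threshold` buckets (assumed cut-off)."""
    package, granted = parse_granted(dumpsys_text)
    buckets = surveillance_buckets(granted)
    return {"package": package, "buckets": buckets, "flagged": len(buckets) >= threshold}

if __name__ == "__main__":
    print(assess(SAMPLE_DUMPSYS))
```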
Invoking the Web View
The malware consistently displays the URL of the targeted entity in a web view within the application to create the appearance of legitimacy. The URL can be changed based on the target by the threat actor operating the RAT.
Code Snippet Responsible for displaying the target entity's URL in the malware's web view
Communication with the C2 Server
As previously mentioned, the Telegram Bot acts as a C2 panel for the RAT. Upon further inspection of the HTTP traffic, we discovered that the malware communicates with server code that is controlled via the Telegram Bot.
Screenshots of the HTTP traffic depicting the malware’s engagement with the C2 server
Uncovering the Campaign
During routine triaging, CloudSEK researchers stumbled upon a malicious package ID "willi.fiend". Further investigation led to the discovery of over a thousand counterfeit applications designed to impersonate Android apps in multiple sectors, including banking, gaming, and entertainment. This discovery led to the identification of the DogeRAT malware campaign.
Impersonated App: SHA1 Hash
Opera Mini - fast web browser: d93eb09c7ff82b863cf46220c7e85d30d152d705
Android VulnScan: eb88cac2fce77d85b287f702b26dc8e4db53ee57
YOUTUBE PREMIUM: cee05d1c702a7fd8616341a44b555ea677e08438
Netflix Premium: 0b5581de43ee6bc51c8bec1ec97265ccd8109658
ChatGPT: 05fcd1837791c60e8bdeaf36294d32ea88e196c9
Lite 1 [facebook]: c8bfcd665d689ed94fa7ca0740ab5f13b9a624fb
Instagram Pro: 5f99a6beeb5b5eaa2739b52206e9f67f9bd7d125
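A triage script for the hash table above, added here as an example and not code from the write-up: it looks up a file's SHA1 against the listed IoCs and, as a heuristic, scans the decompressed APK entries for the willi.fiend package ID in the encodings it can take inside an APK (UTF-8 or UTF-16LE in the manifest string pool, slashed class path in the dex). The sample APK it builds is constructed, not a real malware sample.

```python
import hashlib
import io
import zipfile

# SHA1 hashes of the counterfeit apps listed above, taken from the write-up.
KNOWN_DOGERAT_SHA1 = {
    "d93eb09c7ff82b863cf46220c7e85d30d152d705": "Opera Mini - fast web browser",
    "eb88cac2fce77d85b287f702b26dc8e4db53ee57": "Android VulnScan",
    "cee05d1c702a7fd8616341a44b555ea677e08438": "YOUTUBE PREMIUM",
    "0b5581de43ee6bc51c8bec1ec97265ccd8109658": "Netflix Premium",
    "05fcd1837791c60e8bdeaf36294d32ea88e196c9": "ChatGPT",
    "c8bfcd665d689ed94fa7ca0740ab5f13b9a624fb": "Lite 1 [facebook]",
    "5f99a6beeb5b5eaa2739b52206e9f67f9bd7d125": "Instagram Pro",
}

# Package ID the researchers triaged; inside an APK it appears as the dotted name
# (UTF-8 or UTF-16LE manifest string pool) or as a slashed class path in classes.dex.
PACKAGE_ID = "willi.fiend"
PACKAGE_PATTERNS = (
    PACKAGE_ID.encode("utf-8"),
    PACKAGE_ID.encode("utf-16-le"),
    PACKAGE_ID.replace(".", "/").encode("utf-8"),
)

def sha1_of_bytes(data):
    return hashlib.sha1(data).hexdigest()

def package_hits(apk_bytes):
    """Names of decompressed APK entries containing the package ID (heuristic)."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
            for name in zf.namelist():
                if any(p in zf.read(name) for p in PACKAGE_PATTERNS):
                    hits.append(name)
    except zipfile.BadZipFile:
        pass  # not a zip/APK at all; the hash lookup still applies
    return hits

def triage_apk_bytes(apk_bytes):
    """Hash lookup against the IoC table plus the package-ID scan."""
    digest = sha1_of_bytes(apk_bytes)
    return {"sha1": digest, "ioc_match": KNOWN_DOGERAT_SHA1.get(digest),
            "package_hits": package_hits(apk_bytes)}

def build_sample_apk():
    """Constructed stand-in (not real malware): a zip whose manifest and dex
    entries carry the package ID in the encodings checked above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + PACKAGE_ID.encode("utf-16-le"))
        zf.writestr("classes.dex", b"dex\n035\x00Lwilli/fiend/MainActivity;")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_apk_bytes(build_sample_apk()))
```

To triage a real file, read it in binary mode and pass the bytes to triage_apk_bytes; a hit on either field is a reason to pull the sample for analysis, not a conviction on its own.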
Conclusion
This campaign serves as a stark reminder of the financial motivation driving scammers to continually evolve their tactics. They are not limited to creating phishing websites; they also distribute modified RATs or repurposed malicious apps to execute scam campaigns that are low-cost and easy to set up, yet yield high returns. Hence, it is important to be aware of the latest threats and to take steps to protect yourself. Here are a few tips:
Be careful about what links you click on and what attachments you open - If you receive a link or attachment from someone you don't know, don't click on it or open it.
Keep your software up to date - Software updates often include security patches that can help protect your device from malware.
Use a security solution - A good security solution can help protect your device from malware and other threats.
Be aware of the signs of a scam - Scammers often use techniques such as urgency, fear, and greed to trick victims. If you are ever unsure about a message or offer, it is best to err on the side of caution and not click on any links or open any attachments.
Educate yourself about malware - The more you know about malware, the better equipped you will be to spot it and protect yourself from it. There are many resources available online that can help you learn more about malware.
Indicators of Compromise (IoCs)
Anshuman Das
Threat Research @CloudSEK