Breaking Down CraxsRAT: The Making of an Android RAT Menace
2024-9-2 22:30:30 Author: www.linkedin.com

CraxsRAT is a highly invasive Remote Access Trojan built to infect unsuspecting Android users. It is spread mainly via SMS phishing, which tricks users into installing the RAT. Once the APK file is installed on the victim’s phone, the malware can siphon off the user's personal details, which the threat actors can use to commit identity fraud and bank fraud and to spy on the victims.

Initial Overview:

CraxsRAT or CypherRAT was originally developed by a threat actor going by the name of EvLF DEV. It seems to be forked from another Android malware family called SpyNote/SpyMax.

Several cracked versions of the RAT are available to download from the clear web, with videos on how to use the RAT on popular social media websites like YouTube, Instagram and Tik-Tok. Some of the cracked samples are also backdoored by threat actors, as reported by Cyfirma in their report.

CraxsRAT "How-to" videos on Tik-Tok

Cyfirma also reported that EvLF DEV has sold the project to an unknown threat actor and no longer maintains it.

Technical Overview of CraxsRAT Builder

It’s not hard to find a cracked version of the RAT after the source code leak. I downloaded the files from a Telegram channel called WantHacks.

Telegram Group

It was mentioned in the channel that the RAT would only work locally but we can still analyze the builder and malicious APK files it produces. We can unpack the archive file with the password mentioned in the group.

Contents of archive

The "res" folder hosts all the icons that can be used to masquerade the CraxsRAT APK.

Icon Pack

Opening "CraxsRat.exe" in CFF Explorer, we see that the builder is written in .NET. We also see the threat actor's name, "EvLF Dev", along with a Telegram link that no longer works. This builder also seems to be an older version of the RAT, as opposed to V7, which was mentioned in the Telegram group.

CFF Explorer

The .NET file is also heavily obfuscated. I used dnSpy to quickly glance over the code and found some interesting strings in the resource section. We can see what permissions the malicious APK file would be using. There are also some tools being referenced that look interesting, namely APKEditor and apktool. These tools can be used to corrupt the AndroidManifest.xml, making it harder to analyze the file. We also see a reference to "CypherMini", thus confirming that CraxsRAT and CypherRAT are related, if not the same.

dnSpy

After the initial analysis, I decided to run the builder in my FlareVM instance. We log in with the credentials supplied by the Telegram channel and are greeted with the dashboard.

CraxsRAT Builder Dashboard

We see the Android builder on the left side along with the Dropper. The dropper functionality was added in recent updates of the malware and can be used to download further stages of the malware campaign.

Let’s have a look at the builder first. The builder allows the configuration of the RAT in many ways. The IP of the C2 server along with the port can be specified here. Changes can also be made to the App name and Package name, along with the selection of a plethora of icons that will trick the victim into thinking that they are installing a legitimate Android application.

Builder Configuration

Moving over to the Options tab, we can see that the malware can be further customized based on the size and what the app does after installation.

Builder Options

In the Tools section of the builder, the threat actor can select the functionality of the RAT. There's also an option to bind the APK file with another legitimate file. It also asks the user for Accessibility permissions, which can be used to make clicks on the victim’s behalf or to record the passcode of the infected phone.

Builder Tools

The Login tab shows how the app would appear to the victim. This can be customized as well.

Builder

The Monitoring tab allows threat actors to monitor certain applications installed on the user's phone. By default, CraxsRAT monitors popular social media websites along with Google Drive. Threat actors can further specify apps that they want to monitor, most likely banking apps and websites.

Builder Monitor

Finally, when the threat actor has configured the RAT to their liking, they can build the trojanized APK and specify what permissions would be requested.

Final Build

A few interesting things to note here are that the APK protects itself by heavily obfuscating the code and corrupting the AndroidManifest, and that it can be signed with a fake certificate.

Threat Actors can also use the dropper functionality of CraxsRAT to evade anti-virus software, making the first stage "clean". The malware author also explains what a "drooper" is which I think is hilarious.

Static Analysis of the Trojanized APK

The APK is dropped in a folder named "CraxsRat_Bilder" on the "C:" drive. Opening the APK in Jadx, we first try to check out the AndroidManifest.xml. As expected, we get an error when we try to view the manifest.

Android Manifest

CraxsRAT employs heavy obfuscation as one of its anti-analysis techniques. Most of the class names, variables and functions are obfuscated, so I decided to rename them based on their functionality.

Obfuscated class names

CraxsRAT also employs anti-emulator techniques to deter runtime analysis. At first glance, the function isEmu_DIV_ID_lator() looks daunting with the presence of large strings that make no sense. These strings are passed in pairs to a function which I renamed to "StringDeobfuscator_Method()". The two strings being passed as arguments also look nearly identical.

Anti-Emulator Method

The StringDeobfuscator_Method() function simply returns the first string after removing the second string from it. The real information is stored in the first string, and the second string is a junk string.

String De-obfuscation

After removing the junk string from the code, the function becomes much more readable. We can see all the details CraxsRAT queries to check if it is running in an emulator.

Method after De-obfuscation

CraxsRAT also uses base64 to encode/decode data. The IP address and port that we entered in the builder are stored as base64 strings. CLINAME is the client name, which we gave as "RR_Client" in the builder. ClientHost is the C2 IP, which we provided as 127.0.0.1, and ClientPort is 7771. "VHhUeFQ=" decodes to "TxTxT", which is the Connection Key and can be seen in the dashboard.

Base64 Encoded C2 IP
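The two recovery steps described above (stripping the junk string from each StringDeobfuscator_Method() pair, and base64-decoding the stored builder settings) are the kind of thing an analyst scripts once and reuses across samples. The following is an added example, not code from the original post or from the RAT itself: it runs over a constructed excerpt shaped like the decompiled output, and the emulator indicators "goldfish"/"generic" in that excerpt are my own illustrative values.

```python
import base64
import binascii
import re

# Constructed excerpt in the shape of the decompiled class (not real sample code).
# The base64 values for ClientHost/ClientPort/CLINAME/KEY match the builder settings
# described above (127.0.0.1, 7771, RR_Client, TxTxT); the deobfuscator pairs are made up.
SAMPLE_SOURCE = '''
String CLINAME = "UlJfQ2xpZW50";
String ClientHost = "MTI3LjAuMC4x";
String ClientPort = "Nzc3MQ==";
String KEY = "VHhUeFQ=";
if (StringDeobfuscator_Method("gZQoldZQfish", "ZQ").equals(hw)) { return true; }
if (StringDeobfuscator_Method("geZQnericZQ", "ZQ").equals(hw)) { return true; }
'''

DEOBF_CALL = re.compile(r'StringDeobfuscator_Method\("([^"]*)",\s*"([^"]*)"\)')
B64_FIELD = re.compile(r'String\s+(\w+)\s*=\s*"([A-Za-z0-9+/=]+)";')


def string_deobfuscator(first: str, junk: str) -> str:
    """Mirror of the RAT's routine: drop every occurrence of the junk string from the first."""
    return first.replace(junk, "")


def recover_strings(source: str) -> list[str]:
    """Return the cleartext of every deobfuscator call found in the decompiled text."""
    return [string_deobfuscator(first, junk) for first, junk in DEOBF_CALL.findall(source)]


def recover_config(source: str) -> dict[str, str]:
    """Decode every base64-looking String field; fields that are not valid base64 are skipped."""
    config = {}
    for name, value in B64_FIELD.findall(source):
        try:
            raw = base64.b64decode(value, validate=True)
        except binascii.Error:
            continue  # not base64 (e.g. an ordinary string literal), leave it out
        config[name] = raw.decode("utf-8", errors="replace")
    return config


if __name__ == "__main__":
    print("emulator indicators:", recover_strings(SAMPLE_SOURCE))
    print("builder settings:", recover_config(SAMPLE_SOURCE))
```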

To protect its files, CraxsRAT uses AES encryption to store its data. The data is further base64 encoded/decoded. The secret key was obfuscated using the same string obfuscation we saw before and was easily de-obfuscated.

AES Encryption/Decryption

Let's look at some of the invasive functionality of this RAT. It has the ability to record audio from the phone's microphone, which can be used to spy on the user. These recordings are stored at "/Config/sys/apps/rc/" as ".wav" files.

Call Recording Functionality

CraxsRAT can also spy on the user's location using the location manager. It first checks if there is network or GPS on the phone and then proceeds to capture the longitude, latitude and current speed. It also tracks whether the user's location has changed since it last captured it.

Location Tracking

CraxsRAT also uses a web injection attack to extract user passwords through WebView. It sets up a custom WebView with JavaScript enabled.

Custom WebView

Since, in our builder, we didn't configure a phishing website to steal user data, I decided to check whether some other CraxsRAT samples might have one. Luckily, Malware Bazaar had a sample with this functionality enabled. It sets up a user agent, and hxxps[:]//a1-0-1[.]com-tr-index[.]site hosts a phishing copy of google.com or youtube.com. The user is tricked into entering their password, which is captured by the RAT and then exfiltrated.

Google Phishing

CraxsRAT can also exfiltrate photos and call records, send SMS and perform screen recording without the user's consent, which makes it highly invasive in nature.

Conclusion

CraxsRAT is a highly sophisticated RAT and seems to be very popular amongst threat actors. After the source code leaked, a lot of anti-virus companies reported a spike in CraxsRAT and SpyNote infections. The author of CraxsRAT has made it easier for script kiddies by selling it as "Malware-as-a-Service". With helpful tips present in the builder, I won’t be surprised if script kiddies are launching their own malware campaigns. A lot of builder samples out there seem to have been backdoored by threat actors already, making the builder itself a Trojan.

We need to raise awareness amongst our families and friends to save them from falling prey to such trojanized APKs. As a general rule of thumb, you should avoid installing applications from unknown sources. Doing so can lead to a huge compromise of your privacy and security.

The builder file was uploaded on VirusTotal a couple of weeks ago. Here's the link if anyone is interested in checking it out.


Source: https://www.linkedin.com/pulse/breaking-down-craxsrat-making-android-rat-menace-raghav-rastogi-rh3te/