A group called Transparent Tribe, linked to Pakistan, has launched a cyber espionage campaign using a backdoor called CapraRAT.
The malware was distributed via fake websites that appeared to be the official distribution centres for two secure messaging and calling apps, which were branded as MeetsApp and MeetUp. Suspected victims of the attack include military and political figures from India and Pakistan.
It is believed that the targets were lured through a honeytrap romance scam. Users would be approached on another platform and then persuaded to download the apps, which were ostensibly for secure messaging and calling.
However, the apps came implanted with CapraRAT, a modified version of the AndroRAT open-source malware.
The backdoor allows extensive spying on victims, including recording phone calls and surrounding audio, taking screenshots and photos, and exfiltrating sensitive information.
It can also send SMS messages, make phone calls, and receive commands to download files. The campaign appears to be narrowly targeted, and no evidence has been found that the apps were ever available on the Google Play Store.
Transparent Tribe, which is also known as APT36, Operation C-Major, and Mythic Leopard, was linked last year to another set of attacks on Indian government organizations that involved a two-factor authentication solution called Kavach.
Weeks ago, cybersecurity firm ThreatMon revealed a spear-phishing campaign by SideCopy actors aimed at Indian government entities using a backdoor known as ReverseRAT.