
G700: The Next Generation of Craxs RAT

Published On : 2024-11-04

EXECUTIVE SUMMARY

At CYFIRMA, we are dedicated to providing timely and relevant insights into emerging threats and tactics used by malicious actors to compromise both organizations and individuals. This report examines G700 RAT, an advanced variant of the Craxs RAT, which primarily targets Android devices and cryptocurrency applications. G700 RAT uses sophisticated techniques such as privilege escalation, phishing, and malicious APK distribution to infiltrate devices, posing significant security risks. By bypassing authentication, capturing sensitive data, and manipulating legitimate app functions, it allows attackers to perform illicit actions undetected. The malware’s persistence and evasive tactics highlight an urgent need for enhanced protection and awareness to safeguard against this evolving threat.

INTRODUCTION

The G700 RAT is an evolved form of Craxs RAT, designed with advanced functionalities to exploit Android devices, especially within the cryptocurrency and financial environments. Developed in C# and Java, this malware targets mobile app security gaps to achieve unauthorized access and execute harmful actions while remaining undetected. It uses privilege escalation, screen capture, and phishing to intercept sensitive information, bypass authentication, and deploy ransomware. Currently distributed through underground networks, it poses a growing threat to device security, demanding awareness and comprehensive protection strategies.

KEY POINTS:

  • Advanced malware structure: G700 RAT is a variant of Craxs RAT, developed in C# for desktop and Java for Android APKs, allowing it to bypass security measures and exploit cryptocurrency applications.
  • Privilege escalation and exploits: the malware bypasses security protections such as passcodes and fingerprint authentication, posing a risk to applications like Trust Wallet by exploiting authentication processes.
  • Silent SMS capture: G700 RAT intercepts SMS messages, including OTPs, through integration with the victim’s SMS app, redirecting them to a hacker-controlled Telegram bot without user notification.
  • Abuse of Android permissions: by obtaining extensive permissions, G700 RAT gains access to SMS, contacts, location, and device storage, enabling unauthorized access to sensitive information.
  • Phishing and credential theft: G700 RAT injects fake pages resembling banking, cryptocurrency, and e-commerce platforms, capturing user credentials when entered into these near-identical replicas.
  • Fake APK distribution: hackers can deploy counterfeit Google Play Store pages to trick users into downloading malicious APKs, granting the hacker remote control over the device.
  • Crypto transaction hijacking: the malware manipulates cryptocurrency transactions by injecting a fake Binance page, redirecting funds to the hacker’s wallet while deceiving the user.
  • Persistence and obfuscation techniques: using Base64 encoding and APK encryption to evade detection, maintaining persistence through foreground services and screen streaming functionalities.
  • Widespread distribution: G700 RAT is distributed via darkweb forums and Telegram channels, where the developer regularly updates its features, reflecting significant demand in cybercriminal networks.

ANALYSIS:

The G700 RAT is coded in C# and packed using DNGuard, while its APK version is written in Java. Based on the provided screenshot, it is evident that G700 RAT is a variant of Craxs RAT. This indicates a close relationship between the malware families, with G700 RAT being part of a lineage of similarly designed malicious tools.

The snippet below highlights the full range of features that G700 RAT can perform.

Privilege Escalation:

The developer claims that G700 RAT can bypass critical security measures of the Trust Wallet crypto application, such as passcodes and fingerprint authentication, posing significant risks to users.

The developer’s code snippet below is designed to remotely manipulate or exploit the security of the Trust Wallet app. When a label is clicked in a Windows Forms application, this method sends a message to a connected client (classClient) to interact with the Trust Wallet app, potentially bypassing its security protections.

Input Capture

In the latest version of G700 RAT, the developer has added a Hide SMS functionality. This feature allows the payload to integrate with the default SMS app on the victim’s phone, preventing SMS notifications from appearing. This enables the hacker to silently capture SMS one-time passwords (OTPs) without notifying the victim, posing a severe risk to Android users’ security.

Additionally, in a demonstration video, every new SMS is shown to be redirected to the hacker’s Telegram bot, allowing the hacker to monitor and exploit sensitive information in real time without the victim’s knowledge.


Abuse Elevation Control Mechanism

Based on the screenshot, after sending a command, the victim’s phone is completely covered by an image resembling a software update notification, designed to trick the victim into believing their phone is undergoing a legitimate update. This overlay blocks the touch screen, rendering the phone unusable by the victim. During this period, the hacker can perform illegal activities in the background without the victim’s awareness or interference. This tactic is highly dangerous, as it distracts the victim while the hacker executes malicious actions remotely.

Malicious APK Distribution

The developer claims that G700 RAT can create a fake Google Play Store page. When the hacker pastes the URL hxxps[:]//is[.]gd/tHUtjx into the victim’s phone browser, they are redirected to a counterfeit Google Play Store page created by the hacker. On this fraudulent page, the hacker can deceive the victim into installing a clone APK application on their phone. This malicious APK appears legitimate but covertly grants the hacker complete control over the victim’s device, enabling them to perform illicit activities without the victim’s awareness.

In the latest version of the G700 RAT malware, the hacker has introduced an updated variant of the Ransomware Locker that now includes customizable features.

Credential Access: Phishing

The phishing pages stored in the res//inject folder are designed to be injected into banking, cryptocurrency, credit card, email, and shopping applications. These phishing pages mimic legitimate sites and are used by banking botnets to manipulate victims into entering their sensitive information, such as login credentials or financial details.

This method, often seen in sophisticated banking malware, replaces the actual web pages of banks, crypto platforms, and other services with near-perfect replicas. When victims attempt to log in or complete transactions, their credentials are captured by the hackers instead of being sent to the real service.

Key points of this tactic:

  1. Page injection: hackers use the inject feature to display a phishing page that looks identical to the real one.
  2. Credential theft: victims unknowingly enter sensitive details on the fake pages, leading to credential theft.
  3. Targeted services: the phishing pages are customized for financial services, cryptocurrency platforms, credit cards, email services, and e-commerce sites.
  4. Banking botnet usage: this feature is commonly found in banking botnets, designed to intercept and steal data from users in real time, often bypassing traditional security measures.

APK analysis

Privilege Escalation: Permissions Granted to the Hacker

The listed Android permissions provide extensive access to SMS, contacts, location, camera, audio, and storage, commonly seen in malicious apps like banking malware or spyware. These permissions allow the app to send/read SMS, access contacts and call logs, track location, take photos, record audio, and manipulate files. They can also enable the app to make unauthorized calls, disable device security, and start on boot. Such access could be exploited to steal sensitive information or control the device.
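One way a defender can triage this permission profile statically, as an added example written for this report rather than code from the sample or from CYFIRMA: it parses a decoded AndroidManifest.xml, groups the declared permissions into the capability buckets listed above, and flags an app that hits most of them at once. The sample manifest, the bucket grouping and the threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Manifest attributes live in the android namespace; ElementTree exposes
# them in Clark notation, "{namespace}name".
ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Capability buckets built from the permissions the report describes.
# Permission names are real Android constants; the grouping and the
# threshold below are our own triage heuristic, not the report's.
CAPABILITIES = {
    "sms": {"android.permission.SEND_SMS", "android.permission.READ_SMS",
            "android.permission.RECEIVE_SMS"},
    "contacts_calllog": {"android.permission.READ_CONTACTS",
                         "android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "camera": {"android.permission.CAMERA"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
    "phone_calls": {"android.permission.CALL_PHONE"},
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}
    names.discard(None)
    return names


def triage(manifest_xml: str, threshold: int = 5) -> dict:
    """Map permissions to buckets; flag apps that hit 'threshold' or more.

    One bucket is normal for many apps. Hitting most of them at once is
    the SMS/contacts/location/camera/audio/storage profile described above.
    """
    perms = requested_permissions(manifest_xml)
    hit = sorted(cap for cap, needed in CAPABILITIES.items() if perms & needed)
    return {"capabilities": hit, "suspicious": len(hit) >= threshold}


# Constructed sample in decoded text form (a real APK stores the manifest as
# binary XML, so decode it with apktool or androguard first).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""
```

Running triage(SUSPICIOUS_MANIFEST) reports all eight buckets and marks the sample suspicious; a camera-only app stays below the threshold.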

Crypto Address Hijacking, or Deceptive Cryptocurrency Transactions

The Binanceinj() function is used to display a fake Binance transaction page to the user while secretly replacing the original wallet address with the hacker’s wallet address in the background. The victim believes they are conducting a legitimate transaction, but the funds are redirected to the attacker’s wallet. The manipulated transaction is made to look genuine, deceiving the victim into transferring cryptocurrency to the hacker without realizing it.

Obfuscation

The Base64-encoded string, when decoded, reveals an HTML script for a fake Binance transaction page. Hackers use this encoding to obfuscate phishing content and evade detection by security tools. Once decoded, the script is injected into a legitimate page, tricking users into entering sensitive information or enabling crypto address hijacking.

Persistence: Screen Capture

This code is part of an Android service that sets up a foreground notification and initializes components for screen streaming to a Windows application. It creates a notification for the service, ensuring it’s always visible to the user, and initializes a MediaProjectionManager to capture the screen. Additionally, it sets up a HandlerThread to manage background tasks related to the screen streaming process. The use of a foreground service is essential for keeping the streaming active and notifying users about the ongoing operation.

Dropper Analysis:

Persistence: User Execution

The code snippet is part of a dropper APK that requests WRITE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE permissions to facilitate the installation of a hidden APK. Upon clicking the button (upbtn), it invokes permission checks to determine if the necessary permissions are granted.

The checkPermissions method evaluates the availability of the required permissions, while requestPermissions prompts the user for these permissions. In the onRequestPermissionsResult method, if permissions are granted, it invokes SessionManager.install() to initiate the installation process.

This implementation illustrates a mechanism for acquiring storage permissions to enable APK installation, raising significant security concerns regarding the potential deployment of malicious software on the device.

Persistence: Install Malware

The provided code functions as a dropper, designed to install “childapp.apk” from the assets folder, often linked to malware deployment. It uses a worker thread to manage background tasks without disrupting the main UI and registers a broadcast receiver to track installation events. By utilizing Android’s PackageInstaller, the code creates an installation session, opens the APK, writes its data, and commits the installation through a PendingIntent.

A significant concern is that this process can bypass accessibility restrictions, which are typically disabled for unknown APKs. Once the payload is dropped and installed, it can enable accessibility features, posing serious risks to Android users. This increases the potential for unauthorized device access and control. Overall, this method threatens user security, highlighting the need for enhanced monitoring and user awareness regarding unknown applications.
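A static check for the dropper footprint described above, added here as an example and not taken from the sample: it opens an APK as a zip archive and reports any member under assets/ (or res/raw/, an assumed second location) that is itself an APK, whatever its extension. The archives are constructed in memory; only the file name childapp.apk comes from the report.

```python
import io
import zipfile

# Members that make a zip archive look like an installable APK.
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}


def is_apk_blob(data: bytes) -> bool:
    """True if data is a zip archive carrying a manifest and dex code."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return APK_MARKERS.issubset(inner.namelist())
    except zipfile.BadZipFile:
        return False


def find_embedded_apks(apk_bytes: bytes) -> list:
    """Return names of assets/ or res/raw/ members that are themselves APKs.

    A dropper that ships its payload as childapp.apk in assets and installs
    it through PackageInstaller leaves exactly this footprint. The file
    extension is ignored because the payload may be stored under any name.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or not info.filename.startswith(("assets/", "res/raw/")):
                continue
            if is_apk_blob(outer.read(info)):
                found.append(info.filename)
    return found


def build_zip(members: dict) -> bytes:
    """Constructed helper: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a dropper-shaped APK carrying childapp.apk (the name
# the report gives) in assets, and a benign app whose assets hold only config.
STUB = {"AndroidManifest.xml": b"<stub/>", "classes.dex": b"dex\n"}
INNER_APK = build_zip(STUB)
DROPPER_APK = build_zip({**STUB, "assets/childapp.apk": INNER_APK,
                         "assets/readme.txt": b"not an apk"})
BENIGN_APK = build_zip({**STUB, "assets/config.json": b"{}"})
```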

APK Injection

Automated Smali Code Injection for App Hijacking

The software is a malicious tool designed to inject harmful Smali code into legitimate applications, such as gaming, modded, and financial apps. By creating seemingly authentic versions of these applications, hackers can deceive users into installing them, thereby gaining unauthorized access to their devices. Once executed, the malicious code often prompts users to grant accessibility services, which can lead to severe privacy violations and identity theft. The automation of this injection process enables even those with limited technical knowledge to deploy such attacks, significantly increasing the threat to user security.

APK Encryption

This screenshot, taken from the G700 unpacked code, shows strings encoded in base64. After decoding one of the strings, we found ‘APKEditor’, which revealed the file path [res\libs\APKEditor.jar], indicating the presence of the APKEditor.jar file.

After conducting further research on this file, we discovered the same file on GitHub. This file is designed for strong encryption of APK files, and the developer is utilizing this encryptor to encrypt the G-700 RAT payload. This approach aims to prevent reverse engineering of the APK and to enhance evasion tactics against antivirus detection.
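As an added example tied to the Obfuscation section above and to the base64-encoded strings described here (our own triage code, not the builder's): it finds base64 runs in a string dump, decodes them strictly, and tags decoded output that looks like an injected HTML page, a file path, or a known string such as APKEditor. The dump is constructed to mimic decompiled field initialisers.

```python
import base64
import binascii
import re

# Candidate base64 runs: alphabet characters, 20 or more, optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Markers checked in decoded output. HTML tags match an injected page like
# the fake Binance form; "apkeditor" is the string recovered in the report.
HTML_MARKERS = ("<html", "<script", "<form", "<body")
KNOWN_STRINGS = ("apkeditor",)


def decode_candidate(token: str):
    """Strictly decode token; return text only if it is clean UTF-8 text."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def classify(text: str) -> list:
    """Tag decoded text by what it appears to contain."""
    low = text.lower()
    tags = []
    if any(m in low for m in HTML_MARKERS):
        tags.append("html")
    if any(k in low for k in KNOWN_STRINGS):
        tags.append("known_string")
    if re.search(r"\.(jar|apk|dex)\b", low):
        tags.append("file_path")
    return tags


def scan_dump(dump: str) -> list:
    """Return (decoded_text, tags) for each decodable base64 run in dump."""
    findings = []
    for match in B64_RUN.finditer(dump):
        text = decode_candidate(match.group(0))
        if text is not None:
            findings.append((text, classify(text)))
    return findings


def _b64(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


# Constructed dump shaped like decompiled C# field initialisers (not the
# real G700 code); the encoded values are built here, at import time.
SAMPLE_DUMP = "\n".join([
    'string a = "' + _b64('<html><body><form id="tx">transfer</form></body></html>') + '";',
    'string b = "' + _b64(r"res\libs\APKEditor.jar") + '";',
    'string c = "' + _b64("status: idle, nothing to see") + '";',
])
```

Binary or non-base64 runs are dropped rather than reported, so the output lists only decodable text with its tags.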

ETLM ATTRIBUTION

A cracked version of G700 RAT v5 is freely available in a Telegram group called “The Hacker Error,” which is associated with blackhat hackers and has over 7,000 subscribers. The group, created on June 10, 2022, is known for distributing and selling malware. It is linked to another group, “Blackhat Hacker Tools,” which has around 5,000 subscribers; however, both groups are now inaccessible. The owner of “The Hacker Error” goes by a username that CYFIRMA research has attributed to a well-known Hindi slogan, which suggests an Indian origin. Additionally, discussions in another malware-related group confirm that the user is indeed Indian.

Upon clicking the support section of the G700 RAT, we discovered a Telegram user who appears to be the developer behind this malware.

The Telegram channel was created on May 26th, 2023, and currently has 3,469 subscribers; the admin also operates another Telegram group specifically for G700 RAT, created on April 7th, 2024, which has 1,156 subscribers. The admin is involved in selling various malware, including Craxs RAT, Spylogger, G700 RAT, and Eagle Crypter. Recently, they announced the sale of the latest version, G700 RAT v6.4, with a lifetime license for $2,000 in another connected group. Updates about the RAT were also posted on an associated website, but the site is currently inaccessible, with the homepage temporarily closed.

In one of the demonstration videos posted by the hacker, certain details suggest that the hacker might either be Indian, using a device from India, or utilizing an Indian VPN. These indicators raise questions about the hacker’s true location and identity, potentially pointing to a connection with India or an attempt to obscure their actual location.


The developer is working on bug fixes and new features for G700 RAT, as shown by a recent post announcing new features.

The developer’s Twitter account, created in August 2024, shows no activity, with 0 posts, 0 followers, and no accounts being followed.

The developer also has a Giter account, where the code for most of their projects is kept private. However, they have made an Android builder and Craxs RAT available in a public repository.

The developer’s TikTok account, where he describes himself as a Malware Builder.

In Dark Web forums, some users are selling the G700 RAT, while others are making it freely available. This mixed distribution highlights the significant demand for G700 RAT, as both commercial and free versions are circulating among cybercriminals.

Diamond Model:

CONCLUSION:

G700 RAT represents a significant advancement in remote access tools, exploiting both technical vulnerabilities and social engineering tactics to compromise Android devices. Its ability to bypass security measures and intercept sensitive data such as SMS OTPs positions it as a serious threat, especially to cryptocurrency users. Distributed widely through Blackhat forums and Telegram channels, G700 RAT’s availability and continued updates indicate increasing demand among cybercriminals. To counteract these threats, individuals and organizations need to adopt robust security controls, utilize threat intelligence for early detection, and enhance user awareness about phishing and suspicious app downloads.

LIST OF IOCS

Sr. No. Indicator Type Remarks
1 65ad213f9c6403308cbc805ebe122e08c52c8d21d1b4f8efd0f406e2d448bdef SHA256 G700
2 dcdf640e0eef93ff9708e73c461d98f30433770edd2a92f603c8e66f23cf77c1 SHA256 APK file
3 313804ea8fda918ff8a909f2367e903b030c3aa305e320d20a865fd6b19d062b SHA256 Dropper

MITRE ATT&CK TTPs

  1. Initial Access
    • T1566: Phishing
  2. Persistence
    • T1108: Foreground Application
    • T1513: Screen Capture
    • T1496: Resource Hijacking
    • TA0011: Command and Control
    • T1548: Abuse Elevation Control Mechanism
    • T1406: Malicious Application
    • T1548.002: Request for Elevated Permissions
    • T1204: User Execution
    • T1171: Exploitation of Trusted Relationships
    • T1408: Install Malware
    • T1548.003: Bypass User Account Control
  3. Privilege Escalation
    • T1430: Location Tracking
    • T1513: Screen Capture
    • T1068: Exploitation for Privilege Escalation
    • T1071: Application Layer Protocol
    • T1056: Access to Sensitive Information
    • TA0010: Data Exfiltration
    • T1219: Remote Access Tools
    • T1548: Abuse Elevation Control Mechanism
  4. Credential Access
    • T1417: Input Capture
    • T1056.001: Input Capture – SMS
    • TA0010: Data Exfiltration
    • T1566: Phishing
    • T1003: Credential Dumping
    • T1071.001: Web Service Exploitation
    • T1204: User Execution
    • T1027: Obfuscated Files or Information
    • T1056.001: Input Capture – Web Form
    • T1171: Exploitation of Trusted Relationships
  5. Discovery
    • T1418: Software Discovery
    • T1421: System Network Connections Discovery
    • T1422: System Network Configuration Discovery
  6. Collection
    • T1426: System Information Discovery
    • T1430: Location Tracking
    • T1417: Input Capture
    • T1429: Audio Capture
  7. Command and Control
    • T1071: Application Layer Protocol
    • T1095: Non-Application Layer Protocol
    • T1573: Encrypted Channel


RECOMMENDATIONS

Strategic Recommendations:

  • Implement Comprehensive Security Awareness Programs: Educate employees and users on malware risks, especially around downloading apps from unverified sources and recognizing phishing attempts.
  • Invest in Advanced Threat Intelligence: Use external threat intelligence platforms to proactively monitor threats, including emerging malware variants and underground distribution channels.
  • Strengthen Partnerships with Law Enforcement: Collaborate with cybersecurity agencies to share intelligence on malware like G700 RAT, supporting the disruption of its distribution channels across the dark web and messaging platforms.

Tactical Recommendations:

  • Enhance Application Security: Implement multi-layered authentication, such as biometric and multi-factor authentication (MFA), in financial and sensitive apps to prevent bypass attempts by malware.
  • Deploy Mobile Threat Defense Solutions (MTD): Utilize MTD solutions on corporate and user devices to detect, block, and remove malware, especially RATs and other threats that exploit Android app permissions.
  • Improve Phishing Detection and Response: Deploy machine-learning-based detection tools to identify and block phishing attempts, particularly those targeting banking and cryptocurrency credentials.

Operational Recommendations:

  • Conduct Routine Security Audits: Regularly audit and test mobile applications and device policies to detect vulnerabilities exploitable by RATs.
  • Implement Behavioral Monitoring: Continuously monitor for abnormal device behaviors, such as unauthorized APK installations, SMS redirection, and screen streaming, to detect RAT presence early.
  • Restrict Unauthorized App Installations: Enforce strict policies on installing apps from unknown sources to minimize exposure to malware-laden APKs and increase awareness of downloading only from trusted sources.