CloudSEK Uncovers DogeRAT Malware Campaign Impersonating BFSI, Entertainment & E-commerce Apps

CloudSEK researchers identified a malware campaign built around DogeRAT, an open-source Android Remote Access Trojan. The campaign distributes fake Android apps designed to look like legitimate ones; once installed, DogeRAT steals sensitive information and compromises the victim's device. CloudSEK's investigation found the campaign reaching several industries, most heavily banking, financial services and insurance (BFSI), e-commerce, and entertainment.
DogeRAT is distributed under the guise of legitimate applications through social media and messaging platforms. Once installed on a victim's device, the malware gains unauthorized access to sensitive data, including contacts, messages, and banking credentials. It can also take control of the infected device, enabling malicious actions such as sending spam messages, making unauthorized payments, modifying files, and even remotely capturing photos through the device's cameras.
To make matters worse, CloudSEK's analysts found that DogeRAT's author advertises it through Telegram channels, offering a premium version with additional capabilities such as taking screenshots, stealing images, keylogging, and more. The premium version sells for as little as INR 2,500 (about USD 30). The author also maintains a GitHub repository that hosts the RAT, complete with a video tutorial and a full list of its features and capabilities. (For more information, read the full report.)
What Is DogeRAT & How It Works:
  • DogeRAT is an open-source Android Remote Access Trojan (RAT), distributed through social media and messaging platforms disguised as a legitimate mobile application such as a game, a productivity tool, or an entertainment app (for example, a Netflix or YouTube lookalike).
  • Once installed on a victim's device, the malware gains unauthorized access and starts collecting sensitive information, including contacts, messages, and banking credentials.
  • The malware can also take control of the compromised device, allowing threat actors to perform various malicious actions such as sending spam messages, making unauthorized payments, modifying files, and even capturing photos through the device's cameras. 
  • DogeRAT communicates with a Command and Control (C2) panel through a Telegram Bot, which serves as the interface for the threat actors to control and manage the infected devices.
  • The server-side code that brokers communication between the malware and the Telegram Bot is written in JavaScript and runs on Node.js.
  • The malware author advertises DogeRAT through Telegram Channels, offering a premium version with additional capabilities like taking screenshots, stealing images, functioning as a keylogger, and having enhanced persistence and smoother connections with the infected devices.
  • The app loads the impersonated brand's website in a WebView inside the application, so the victim sees a familiar site and the lure looks legitimate.
  • DogeRAT requests a broad set of permissions, including access to call logs, audio recording, and reading SMS messages, media, and photos; an entertainment or shopping app has no plausible need for most of these.
  • The RAT is built from freely available components (a Telegram Bot and a free Node.js application hosting platform), which makes it cheap and easy for threat actors to launch scam campaigns.
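As an added, illustrative example (not CloudSEK's tooling or any code from the report), the following Python script turns the indicators listed above into a static triage check over an APK's decoded manifest and string pool: it flags permissions that the category of app being impersonated cannot justify, and a hard-coded Telegram Bot API endpoint of the kind a Telegram-bot C2 would call. The sample manifests, string dumps, category table and scoring thresholds are constructed assumptions for the example; only the Bot API URL shape, `https://api.telegram.org/bot<token>/<method>`, is Telegram's documented form.

```python
"""Static triage heuristic for DogeRAT-style decoy Android apps (added example).

Two checks drawn from the write-up: a lure whose claimed purpose (streaming,
shopping, banking) does not justify the SMS, call-log, audio and media
permissions it requests, and a Telegram Bot API endpoint baked into the APK.
All manifests and strings below are constructed samples, not real captures.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the report lists (call logs, audio, SMS, media/photos) plus
# those its described actions need (contacts, camera, sending SMS spam).
RAT_PERMISSIONS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}

# Assumed allow-list: which of those an app in a claimed category could
# plausibly need. A messaging app reading SMS is normal; a streaming clone
# doing so is not. Tune this table to your own environment.
PLAUSIBLE_FOR_CATEGORY = {
    "streaming": set(),
    "ecommerce": {"android.permission.CAMERA"},                 # barcode scanning
    "banking": {"android.permission.CAMERA",                    # KYC/cheque capture
                "android.permission.RECEIVE_SMS"},              # OTP auto-read
    "messaging": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                  "android.permission.SEND_SMS", "android.permission.READ_CONTACTS"},
}

# Telegram Bot API calls have the form https://api.telegram.org/bot<token>/<method>;
# the token is a numeric bot id, a colon, and an alphanumeric secret.
TELEGRAM_BOT_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/?\w*")


def parse_permissions(manifest_xml: str) -> set[str]:
    """Return every <uses-permission android:name=...> value in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def find_telegram_bot_endpoints(strings: list[str]) -> list[str]:
    """Return Telegram Bot API URLs found in an APK's string pool."""
    return [m.group(0) for s in strings for m in TELEGRAM_BOT_RE.finditer(s)]


def triage(manifest_xml: str, strings: list[str], claimed_category: str) -> dict:
    """Score an APK against the category of the app it claims to be."""
    requested = parse_permissions(manifest_xml)
    plausible = PLAUSIBLE_FOR_CATEGORY.get(claimed_category, set())
    unjustified = sorted((requested & RAT_PERMISSIONS) - plausible)
    c2 = find_telegram_bot_endpoints(strings)
    # One point per permission the lure cannot justify; three for an embedded
    # bot token, since legitimate consumer apps rarely ship Bot API credentials.
    # A token built at runtime would evade this string check, so treat a miss
    # as "not found", never as "clean".
    score = len(unjustified) + (3 if c2 else 0)
    return {
        "unjustified_permissions": unjustified,
        "telegram_c2": c2,
        "score": score,
        "verdict": "suspicious" if score >= 3 else "low",
    }


# Constructed sample: a lure posing as a free streaming app.
DECOY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.streamfree">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

# Constructed string-pool excerpt; the bot token is a made-up placeholder.
DECOY_STRINGS = [
    "https://www.example.com/streaming",   # site shown in the lure's WebView
    "https://api.telegram.org/bot123456789:AAFakeTokenForIllustration0000/sendDocument",
    "text/plain",
]

# Constructed benign counterpart: same branding, only network permissions.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.streamfree">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""
BENIGN_STRINGS = ["https://www.example.com/streaming", "text/plain"]

if __name__ == "__main__":
    print(triage(DECOY_MANIFEST, DECOY_STRINGS, "streaming"))
    print(triage(BENIGN_MANIFEST, BENIGN_STRINGS, "streaming"))
```

In practice the manifest comes from `apktool d` (or `aapt dump xmltree`) and the strings from the decoded `res/values/strings.xml` and `strings` over the DEX files; the point of the category table is that the same permission set is only suspicious relative to what the app claims to be, which is exactly the mismatch the DogeRAT lures rely on victims not noticing.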
“This campaign is a stark reminder of the financial motivation driving scammers to continually evolve their tactics. They are not just limited to creating phishing websites, but also distributing modified RATs or repurposing malicious apps to execute scam campaigns that are low-cost and easy to set up, yet yield high returns. We have found that threat actors are creating fake banking, e-commerce and entertainment apps to dupe people,” said Anshuman Das, threat intelligence researcher, CloudSEK.
To protect yourself from this threat, CloudSEK recommends the following tips:
  • Be careful about which links you click and which attachments you open. If a link or attachment comes from someone you don't know, don't click or open it.
  • Keep your software up to date. Software updates often include security patches that can help protect your device from malware.
  • Use a security solution. A good security solution can help protect your device from malware and other threats.
  • Be aware of the signs of a scam. Scammers often use techniques such as urgency, fear, and greed to trick victims. If you are ever unsure about a message or offer, it is best to err on the side of caution and not click on any links or open any attachments.
  • Educate yourself about malware. The more you know about malware, the better equipped you will be to spot it and protect yourself from it. There are many resources available online that can help you learn more about malware.
Source: Press Release