Satellite Providers


Syrian Threat Actor EVLF Identified as Creator of Malware CypherRAT and CraxsRAT

A cybersecurity report revealed that a Syrian threat actor, known as EVLF, is responsible for developing the malware families CypherRAT and CraxsRAT. These remote access trojans (RATs) give attackers control over the victim’s device camera, microphone, and location in real time. The malware is also offered to other cybercriminals as part of a malware-as-a-service (MaaS) scheme, with approximately 100 unique threat actors having purchased these tools over the past three years.

EVLF has been operating a web shop since September 2022 to advertise their malware. CraxsRAT, specifically designed for Android devices, allows threat actors to control infected devices remotely from a Windows computer. The developer regularly releases updates based on customer feedback. The malware’s builder offers options for customizing and obfuscating the payload, choosing an icon and app name, and activating specific features and permissions upon installation.

CraxsRAT is considered one of the most dangerous RATs in the Android threat landscape, with features such as Google Play Protect bypass, live screen view, and a command execution shell. The addition of the “Super Mod” feature makes it difficult for victims to uninstall the app, as attempting to do so crashes the page. The malware also asks victims to grant access to Android’s accessibility services, allowing it to collect valuable information like call logs, contacts, storage, location, and SMS messages.

EVLF has been identified as operating a Telegram channel called “EvLF Devz,” which was created on February 17, 2022, and currently has 10,678 subscribers. While some cracked versions of CraxsRAT can be found on GitHub, Microsoft has taken down several of them recently. However, EVLF’s GitHub account remains active.

In an August 23, 2023, message on the Telegram channel, EVLF announced that they would no longer be developing and posting due to personal circumstances. However, EVLF assured their customers that they would release some patches before discontinuing their activities.

The post Syrian Threat Actor EVLF Identified as Creator of Malware CypherRAT and CraxsRAT appeared first on satProviders.
