A new cyberespionage tool, suspected to have been developed and used by Chinese hackers, has been spotted by security researchers. The mobile spy malware, dubbed xRAT, is known to target political groups and comes with a wide range of data collection, espionage and security-evading features, making it an effective tool for cyberespionage hacker groups.
Since April, over 60 unique samples of xRAT have been found by security researchers at cybersecurity firm LookOut. The xRAT malware shares similarities with the high-profile Xsser/mRAT malware, which was previously used against pro-democracy Hong Kong activists in 2014.
In the past few months, researchers have also found new Android variants of the mRAT malware, indicating that the malware family is being constantly developed and used actively in various campaigns.
"These many similarities strongly suggest that mRAT and xRAT have been developed by the same threat actor. The command and control servers for xRAT are also linked to Windows malware, indicating that the malicious actors behind this threat are conducting multi-platform attacks against the PCs and mobile devices of targeted groups," LookOut researchers said in a blog.
"Initially when we started investigating [xRAT], our attribution suggested the actor behind it was likely Chinese, due to a combination of comments in the code, the types of apps being trojanised, and the location and whois details of command and control infrastructure," Michael Flossman told Cyberscoop. "Further analysis revealed a strong connection to mRAT. This supported our earlier theories on potential attribution given what's publicly known about those behind mRAT."
xRAT comes with a wide variety of data-stealing features. The malware also searches for data from popular Chinese messaging apps, including WeChat and QQ. The program can steal browser data, device metadata (including model, device ID, SIM number and manufacturer), text messages, contacts, call logs, Wi-Fi data, email login credentials, device geolocation data, SIM card data and more.
xRAT also runs a 'suicide function,' which when triggered will clean out its installation directory in order to avoid detection. The hackers operating the malware can remotely instruct it to delete images and audio files from SD cards, wipe a device clean (including large portions of the SD card and all apps) and more.
"The threat actor behind mRAT is still active on mobile despite having their surveillanceware capability put in the spotlight almost three years ago... they are clearly undeterred," Flossman said. "It's likely that they've taken what they've learnt during the mRAT campaign and incorporated it into the development of xRAT."