Full Report
Hackers have been targeting users in Taiwan with PJobRAT malware delivered through malicious instant messaging apps, according to new research.
Analysis Summary
# Tool/Technique: PJobRAT
## Overview
PJobRAT is an Android Remote Access Trojan (RAT) that has been re-tooled and used in cyber-espionage campaigns. The latest campaign targeted users in Taiwan, delivered via malicious instant messaging applications disguised as legitimate chat platforms.
## Technical Details
- Type: Malware family (RAT)
- Platform: Android
- Capabilities: Data exfiltration (SMS, contacts, device info, documents, media), extensive device control, persistence mechanisms, lateral movement potential, remote malware removal.
- First Seen: 2019
## MITRE ATT&CK Mapping
*Note: Mappings are derived from the described capabilities of a RAT.*
- **TA0003 - Persistence**
- T1543.003 - Create or Modify System Process: Android Application Start-up Item
- *Implied by disabling battery optimization for continuous background execution.*
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel
- **TA0005 - Defense Evasion**
- T1564.003 - Hide Artifacts: Hidden Files and Directories (Implied by obfuscation/low profile seeking)
- **TA0006 - Credential Access**
- T1556.001 - Gather Victim Identity Information (Stealing contacts)
## Functionality
### Core Capabilities
- Stealing sensitive user data, including SMS messages, contacts, device information, documents, and media files.
- Requesting and maintaining extensive permissions on the infected device.
- Ensuring persistence by disabling battery optimization to run continuously in the background.
- Featuring basic chat functionalities to blend in with legitimate communication apps.
### Advanced Features
- Providing attackers greater control over infected devices compared to earlier versions.
- Ability to steal data from various installed applications.
- Potential to utilize compromised devices for network infiltration (lateral movement).
- Capability to remotely remove the malware after achieving its objective.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Not provided in the text, distributed via SangaalLite and CChat apps]
- Registry Keys: [Android context - not applicable in the Windows sense]
- Network Indicators: [Not provided in the text]
- Behavioral Indicators: Disabling battery optimization; exhibiting full remote access trojan behaviors post-installation.
## Associated Threat Actors
- Unspecified threat actors (linked to previous campaigns targeting Indian military personnel).
## Detection Methods
- *Signature-based detection:* Monitoring for known PJobRAT signatures or modified codebases.
- *Behavioral detection:* Monitoring for applications requesting extensive permissions, specifically disabling battery optimization, and exhibiting background data harvesting and remote control activity.
- *YARA rules:* [Not provided in the text]
## Mitigation Strategies
- Educating users about the risks associated with downloading applications from unofficial channels (WordPress hosting, third-party stores).
- Restricting installation origins; only allowing installation from the official Google Play Store.
- Reviewing and restricting the permissions granted to non-essential applications, particularly those requesting background execution privileges (like disabling battery optimization).
- Monitoring network egress traffic for unusual data transfers originating from mobile devices.
## Related Tools/Techniques
- Previous variants of PJobRAT.
- Use of social engineering via fake personas and phishing pages/shortened links for initial distribution.
- Similar Android malware utilizing masquerading (e.g., fake dating/messaging apps).