Related Families: AhMyth
Executive Summary
AhRAT, an Android RAT, was disguised as the iRecorder app. This malicious version of the iRecorder app is capable of recording audio and exfiltrating files from a victim’s device.
Key Takeaways
- AhRAT is an Android RAT based on AhMyth.
- AhRAT was disguised as the iRecorder application.
- The iRecorder application was initially released in 2021 as a legitimate app, and malicious functionality was added in an update almost a year later.
- AhRAT is capable of exfiltrating files and recording audio on a victim's device.
What is AhRAT?
ESET recently reported on AhRAT, an Android RAT based on AhMyth. AhRAT is capable of exfiltrating files and recording audio on a victim's device.
AhRAT is delivered via a trojanized version of the iRecorder app, which was available on the Google Play store. To date, the app has over 50,000 installs.
AhRAT is a malicious spy app, capable of recording surrounding audio from the victim device’s microphone. It can upload both recorded audio and multiple file types to the threat actor’s C2, including saved webpages, images, audio, video, documents, and compressed file types. ESET researchers note this seems to indicate that AhRAT is part of an espionage campaign. However, they did not associate the malware with a particular threat actor or group. While AhRAT is based on AhMyth RAT, it includes only a fraction of the functionality available in AhMyth RAT.
While the original iRecorder app was not malicious and has been available since late 2021, the malicious functionality appears to have been added in August 2022. Whatever privileges and access the victim had already granted to the clean version of the app still applied to the updated, malicious version of the app, whether the victim manually or automatically updated the app. Since the malicious version of the app did not request additional permissions, victims were less likely to become suspicious of the app. ESET researchers noted it is unusual for developers to release a clean version of an app and follow up with an update containing malicious functionality almost a year later.
Google has removed the iRecorder app from the Google Play store.
PolySwarm Findings
PolySwarm’s research team discovered additional AhRAT samples, including several samples First Seen on PolySwarm. Our researchers noted that the app versions containing the malware element include versions 1.4.0, 1.4.2, and 2.0. While the original source report mentioned the hxxp[:]//80876dd5[.]shop C2, our researchers found the malware also communicating over port 22223. AhRAT is currently featured on our portal in Emerging Threats.
IOCs
PolySwarm has multiple samples of AhRAT.
2abf26d779ea1afa4dcc7147563907573e07fa9051ae4319cb864bdf752fa054 (First Seen)
A3bd07d51a610779046bc5fbe323c402d88ea6c83c487c9731306579f0f4a5be
24efa31f8e61e0d0f4761533dd86c967c07c15835b900b3d28712ec9840f81e5 (First Seen)
27ecadbcfaf249bec2ed0f1ad5f8471a4562175ed5dbea7008674401d65725ac (First Seen)
8fc6fef5774d3af1ad7e88267e0e05a0d571622d9a7f93b34526597859cbb7f6
e53061bbe39cd110c9237247042e5774b7b44d5caba331dead75b8900519413e
B2c1517e4b0e0b3286a5cde06310b2277da7333f5ab3c2828f08272e3f85b260
Aa06b4f63fb8037e1f57a063f6a6b5fbe4615247458433c578644628e54a4216
You can use the following CLI command to search for all AhRAT samples in our portal:
$ polyswarm link list -f AhRAT
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports