Cyfirma researchers unveiled the identity of the developer behind the CypherRAT and CraxsRAT remote access trojans (RATs). The cybersecurity company discovered a man using the handle ‘EVLF DEV’ has sold the two RATs out of Syria for eight years.
EVLF sold over 100 licenses to CraxsRAT, which remains a highly dangerous Android RAT in the wild. The tool allows threat actors to create highly customizable packages that bypass initial detections with limited install permissions. After the victim downloads the malicious package, the threat actor can gradually request additional permissions. The RAT can also crash pages on infected devices whenever a victim attempts to uninstall the application. While operational, the RAT reads keystrokes, messages, contacts, and call logs, and has access to the device’s storage and location. Cyfirma worked to freeze EVLF’s cryptocurrency wallet and discovered his personal information after he posted on a crypto discussion forum. The company believes he made over $75,000 selling the RATs and operating a malware-as-a-service business.
Read More: