The Rise of Raton: From NFC Heists to Remote Control and ATS

MITRE Techniques

• [T1204] User Execution – Malicious dropper hosted on adult-themed domains trick victims into installing a third-party installer via a WebView and an install button (“…the web page can call the installApk function if the victim presses corresponding button…”).
• [T1476] Install Root Certificate (similar capability via Accessibility abuse to alter system settings) – The dropper requests permission to install apps from unknown sources and the payload requests System Settings management to change ringtone and other settings (“…will request the permission from the victim to install applications from third party sources…”).
• [T1547] Boot or Logon Autostart Execution – The trojan registers Accessibility service and Device Admin privileges to persist and operate in the background (“…ask for two main permissions…Accessibility service access and Device Admin privilege…starting from this moment, the trojan will start working in background…”).
• [T1110] Brute Force (credential access via intercepted PINs and forcing unlock) – The malware forces victims to re-enter unlock credentials by expiring passwords and disabling biometric fallback to capture PINs (“…Set current device unlock pin/pattern/password to expired…victim will have to immediately change it. So, it would be intercepted by attacker.”).
• [T1056] Input Capture – Keylogging and Accessibility-driven input capture to record wallet PINs and recovery phrases (“…The keylogger component will record revealed data and will send it to control server.”).
• [T1190] Exploit Public-Facing Application (abuse of WebView/HTML overlays) – Overlays hosted via WebView are used to present HTML/JS templates (ransom notes or bait pages) to deceive victims (“…Both types of overlays will be created by using WebView either by providing the URL or by providing corresponding HTML code.”).
• [T1021] Remote Services (remote control) – RatOn provides remote access capabilities including screen casting, sending screen state, and executing remote commands via JSON objects (“…screen_live Start sending current screen state… Each command comes as JSON object…”).
• [T1606] Forge Web Credentials (UI Automation to perform fraudulent transfers) – Automated money transfers are performed by programmatically interacting with bank app UI elements, auto-typing PINs and clicking buttons (“…the trojan will launch bank application and initiate payment by auto clicking on application interface elements…it will automatically type in the digital PIN code to confirm the transaction.”).
• [T1429] Service Stop (disable keyguard and lock device) – The malware can lock the device using Device Admin and disable biometric keyguard forcing PIN entry (“…Lock the device using Device administrator access…Force victim to unlock the device using PIN/Pattern or password instead of using biometrical authentication.”).