Return of ClayRat: Expanded Features and Techniques

MITRE Techniques

• [T1660 ] Phishing – Adversaries host phishing websites to distribute the spyware (‘phishing sites remain the primary distribution method’).
• [T1624.001 ] Event Triggered Execution: Broadcast Receivers – Malware registers broadcast receivers to process SMS and other events (‘It creates a broadcast receiver to receive SMS events’).
• [T1655.001 ] Masquerading: Match Legitimate Name or Location – Malware impersonates legitimate apps and services to avoid suspicion (‘Malware pretending to be apps such as Whatsapp,youtube etc’).
• [T1516 ] Input Injection – Malware programmatically mimics user interaction, performing clicks, swipes, and other gestures (‘Malware can mimic user interaction, perform clicks and various gestures, and input data’).
• [T1406.002 ] Obfuscated Files or Information: Software Packing – Uses obfuscation/packing and loads encrypted payloads at runtime (‘It is using obfuscation and loads the dex runtime’).
• [T1517 ] Access Notifications – Harvests active and interactive notifications for exfiltration (‘The malware can harvest interactive notifications and active notifications’).
• [T1417.001 ] Input Capture: Keylogging – Records keystrokes and lock-screen input via Accessibility events (‘It has a keylogger feature’).
• [T1417.002 ] Input Capture: GUI Input Capture – Captures displayed UI elements and input field contents through Accessibility Services (‘It is able to get the shown UI.’).
• [T1418 ] Software Discovery – Enumerates installed applications on the device (‘Malware collects installed application package list’).
• [T1426 ] System Information Discovery – Gathers device and battery information (‘The malware collects basic device info.’).
• [T1513 ] Screen Capture – Records or streams the device screen via MediaProjection and ImageReader (‘Malware can record screen content’).
• [T1512 ] Capture Camera – Takes pictures using the device camera (‘Malware opens camera and takes pictures’).
• [T1616 ] Call Control – Initiates and forwards calls from the victim device (‘Malware can make calls’).
• [T1636.002 ] Protected User Data: Call Log – Exfiltrates call logs from the device (‘Malware steals call logs’).
• [T1636.004 ] Protected User Data: SMS Messages – Reads and sends SMS messages from the infected device (‘Steals SMSs from the infected device’).
• [T1481.002 ] Web Service: Bidirectional Communication – Uses WebSocket-based communication for command-and-control and data transfer (‘It uses websocket communication to poll the TA’s server and get the commands to execute.’).
• [T1646 ] Exfiltration Over C2 Channel – Sends stolen data over the C2 channel to the attacker (‘Sending exfiltrated data over C&C server’).
• [T1582 ] SMS Control – Reads, resends, and sends SMS on behalf of the victim (‘It can read and send SMS.’).