Unmasking – EVLF DEV-The Creator of CypherRAT and CraxsRAT – CYFIRMA

CYFIRMA researchers uncover EVLF DEV, a malware-as-a-service (MaaS) operator behind CypherRAT and CraxsRAT, whose Android RATs have been licensed to over 100 buyers on lifetime terms. The report shows how these tools give an operator real-time remote control of a victim's device, including location, camera, and screen access; how distribution runs through a surface web shop, with cracked variants broadening reach; and how payment is taken in cryptocurrency. #EVLFDEV #CraxsRAT #CypherRAT #Cyfirma #Syria #Freewallet

Keypoints

  • EVLF DEV operates a surface web shop for CraxsRAT, which lends the MaaS offering an air of legitimacy in the eyes of potential buyers.
  • Some purchasers released cracked versions of CraxsRAT, which expanded its reach and seeded backdoored samples in the community.
  • All purchases are conducted in cryptocurrency to preserve buyer anonymity.
  • The operator is linked to Syria; a real name, usernames, an IP address, and an email address have been identified.
  • CraxsRAT is positioned as an Android-only RAT; the Windows samples advertised as loaders are believed to be pre-backdoored builds.
  • CraxsRAT features include a Google Play Protect bypass, live screen view, and a command-execution shell, each of which increases the impact of an infection.
  • Technical analysis reveals obfuscated Android code, dangerous permissions, WebView injection, and live-location and screen-capture capabilities.
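The dangerous permissions and the live-location, camera and screen-capture capabilities listed above leave a recognisable footprint in an APK's manifest. The following is an added example (not CYFIRMA's tooling and not CraxsRAT code) that triages a decoded AndroidManifest.xml, such as the one `apktool d sample.apk` writes, for that footprint. The permission-to-capability mapping is an assumption about what a RAT with the report's feature set needs to declare, and the sample manifest is constructed for the demo. It also covers a case a permission-only check misses: accessibility access is granted to a `<service>` guarded by BIND_ACCESSIBILITY_SERVICE rather than requested with `<uses-permission>`.

```python
"""Triage a decoded AndroidManifest.xml for a RAT-style permission footprint.

Added example (not CYFIRMA's tooling and not CraxsRAT code). Feed it the
AndroidManifest.xml that `apktool d sample.apk` writes; the sample manifest
at the bottom is constructed for the demo, and the permission-to-capability
mapping is an assumption about what a RAT with the report's feature set
(location, camera, screen, keystrokes) needs to declare.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability labels follow the report's description of CraxsRAT; the
# permissions are standard Android ones (assumed mapping, see docstring).
CAPABILITY_PERMISSIONS = {
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.ACCESS_BACKGROUND_LOCATION",
    },
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "sms": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.SEND_SMS",
    },
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "persistence": {
        "android.permission.RECEIVE_BOOT_COMPLETED",
        "android.permission.FOREGROUND_SERVICE",
    },
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return requested permissions, inferred capabilities and a
    screen/input-capture flag for one manifest."""
    root = ET.fromstring(manifest_xml)

    requested = {
        el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
    }
    requested.discard(None)

    # Accessibility access is not requested with <uses-permission>: the
    # service element itself is guarded by BIND_ACCESSIBILITY_SERVICE, so a
    # permission-only check would miss the keystroke/screen-reading hook.
    accessibility_services = [
        svc.get(ANDROID_NS + "name")
        for svc in root.iter("service")
        if svc.get(ANDROID_NS + "permission")
        == "android.permission.BIND_ACCESSIBILITY_SERVICE"
    ]

    capabilities = {
        cap: sorted(requested & perms)
        for cap, perms in CAPABILITY_PERMISSIONS.items()
        if requested & perms
    }
    if accessibility_services:
        capabilities["accessibility"] = accessibility_services

    # Screen mirroring via MediaProjection needs no manifest permission (it is
    # granted by a runtime prompt), so the manifest-visible tell for live
    # screen/keystroke capture is the overlay + accessibility pairing.
    screen_and_input_capture = (
        "overlay" in capabilities and "accessibility" in capabilities
    )
    return {
        "requested": sorted(requested),
        "capabilities": capabilities,
        "screen_and_input_capture": screen_and_input_capture,
    }


# Constructed manifest for the demo; it is not taken from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="System Update">
        <service android:name=".AccessibilityHook"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against the manifest from a decoded sample and treat the overlay plus accessibility pairing as the trigger for a closer look; a single permission on its own (INTERNET, even CAMERA) is too common in legitimate apps to be a signal.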

MITRE Techniques

  • [T1027] Obfuscated Files or Information – The Android package generated by the CraxsRAT builder is heavily obfuscated, hindering static analysis. “the code in the Android package generated from the CraxsRAT builder is highly obfuscated”
  • [T1113] Screen Capture – CraxsRAT streams the victim's screen to the operator. “live screen view”
  • [T1056.001] Input Capture: Keylogging – The malware captures keystrokes alongside screen content. “to gain access to the device’s screen and keystrokes”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The builder advertises a Google Play Protect bypass so the payload survives on-device scanning. “Google Play protect bypass”
  • [T1566] Phishing – Phishing campaigns are among the vectors used to deliver the RAT; the report does not name a specific delivery sub-technique. “campaigns such as phishing”
  • [T1059] Command and Scripting Interpreter – The RAT provides a remote shell for command execution on the infected device. “a shell for command execution”

Indicators of Compromise

  • [File Hash] CraxsRAT Builder – MD5 410b70652f923b6b3a22bd5adb9b1ff3, SHA-1 af026551f12a602d95216e74433233595455fabf, and 1 more hash
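To put the hashes above to use, here is an added example (not CYFIRMA's tooling) of a file-hash sweep that keys each indicator by its digest algorithm. The list mixes an MD5 and a SHA-1, and a naive comparison of every indicator against a single digest type would silently never match one of them. Only the two hashes printed on this page are included; the third is not published here. The files and the feed in `demo()` are constructed for the demonstration.

```python
"""File-hash IOC sweep for the CraxsRAT builder indicators listed above.

Added example, not CYFIRMA's own tooling. It carries only the two hashes
printed on this page (an MD5 and a SHA-1); the unpublished third hash is
not included. demo() builds a throwaway directory of constructed files to
exercise the scanner, and the "feed" it loads is constructed as well.
"""
import hashlib
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")

# Indicators from the page, keyed by algorithm: a 32-hex-char value is an
# MD5, 40 is a SHA-1, 64 a SHA-256. Keying by algorithm avoids comparing an
# MD5 indicator against a SHA-1 digest and silently never matching.
IOC_HASHES = {
    "md5": {"410b70652f923b6b3a22bd5adb9b1ff3"},
    "sha1": {"af026551f12a602d95216e74433233595455fabf"},
    "sha256": set(),
}


def classify_hash(value: str):
    """Return the digest algorithm implied by a hex string's length, or None."""
    value = value.strip().lower()
    if not value or any(c not in HEX for c in value):
        return None
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(value))


def load_iocs(lines):
    """Build an algorithm-keyed IOC set from raw feed lines, skipping junk."""
    iocs = {"md5": set(), "sha1": set(), "sha256": set()}
    for line in lines:
        value = line.strip().lower()
        algo = classify_hash(value)
        if algo:
            iocs[algo].add(value)
    return iocs


def file_digests(path, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a file in one streaming pass."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def scan(root, iocs=IOC_HASHES):
    """Walk `root` and return (path, algorithm, digest) for every IOC match."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digests = file_digests(path)
        for algo, wanted in iocs.items():
            if digests[algo] in wanted:
                hits.append((str(path), algo, digests[algo]))
    return hits


def demo():
    """Constructed demo: scan two throwaway files against the page IOCs,
    then against a feed that also lists one of the files' SHA-1."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        suspect = Path(tmp) / "builder.exe"
        benign.write_bytes(b"constructed benign content\n")
        suspect.write_bytes(b"constructed stand-in for a flagged file\n")
        page_only = scan(tmp)
        feed = [
            "410b70652f923b6b3a22bd5adb9b1ff3",                 # from the page
            hashlib.sha1(suspect.read_bytes()).hexdigest(),     # constructed
            "not-a-hash",                                       # junk line
        ]
        with_feed = scan(tmp, load_iocs(feed))
        return page_only, [(Path(p).name, algo) for p, algo, _ in with_feed]


if __name__ == "__main__":
    print(demo())
```

For a real sweep, call `scan("/path/to/samples", load_iocs(open("feed.txt")))`; since all three digests are computed in one pass, adding the SHA-256 of a sample to the feed later costs nothing extra.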

Read more: https://www.cyfirma.com/outofband/unmasking-evlf-dev-the-creator-of-cypherrat-and-craxsrat/