1. Home
  2. Software
  3. WolfRAT

WolfRAT

WolfRAT is malware based on a leaked version of Dendroid that has primarily targeted Thai users. WolfRAT has most likely been operated by the now defunct organization Wolf Research.[1]

ID: S0489
Type: MALWARE
Platforms: Android
Version: 1.0
Created: 20 July 2020
Last Modified: 11 September 2020
Version Permalink
Mobile Layer
download view

Techniques Used

Domain ID Name Use
Mobile T1517 Access Notifications

WolfRAT can receive system notifications.[1]
Mobile T1429 Audio Capture

WolfRAT can record call audio.[1]
Mobile T1533 Data from Local System

WolfRAT can collect user account, photos, browser history, and arbitrary files.[1]
Mobile T1407 Download New Code at Runtime

WolfRAT can update the running malware.[1]
Mobile T1630 .002 Indicator Removal on Host: File Deletion

WolfRAT can delete files from the device.[1]
Mobile T1655 .001 Masquerading: Match Legitimate Name or Location

WolfRAT has masqueraded as "Google service", "GooglePlay", and "Flash update".[1]
Mobile T1406 Obfuscated Files or Information

WolfRAT’s code is obfuscated.[1]
Mobile T1424 Process Discovery

WolfRAT uses dumpsys to determine if certain applications are running.[1]
Mobile T1636 .002 Protected User Data: Call Log

WolfRAT can collect the device’s call log.[1]
.003 Protected User Data: Contact List

WolfRAT can collect the device’s contact list.[1]
.004 Protected User Data: SMS Messages

WolfRAT can collect SMS messages.[1]
Mobile T1513 Screen Capture

WolfRAT can record the screen and take screenshots to capture messages from Line, Facebook Messenger, and WhatsApp.[1]
Mobile T1582 SMS Control

WolfRAT can delete and send SMS messages.[1]
Mobile T1418 Software Discovery

WolfRAT can obtain a list of installed applications.[1]
Mobile T1422 System Network Configuration Discovery

WolfRAT sends the device’s IMEI with each exfiltration request.[1]
Mobile T1512 Video Capture

WolfRAT can take photos and videos.[1]
Mobile T1633 .001 Virtualization/Sandbox Evasion: System Checks

WolfRAT can perform primitive emulation checks.[1]

References

  1. W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.