AhRat is an Android remote access tool based on the open-source AhMyth remote access tool. AhRat initially spread in August 2022 on the Google Play Store via a malicious update to the previously benign application "iRecorder – Screen Recorder", which itself had been released in September 2021.[1]
Domain | ID | Name | Use
---|---|---|---
Mobile | T1437.001 | Application Layer Protocol: Web Protocols |
Mobile | T1429 | Audio Capture |
Mobile | T1398 | Boot or Logon Initialization Scripts | AhRat can register with the
Mobile | T1533 | Data from Local System | AhRat can find and exfiltrate files with certain extensions, such as .jpg, .mp4, .html, .docx, and .pdf.[1]
Mobile | T1521 | Encrypted Channel |
Mobile | T1624.001 | Event Triggered Execution: Broadcast Receivers | AhRat can register with the
Mobile | T1646 | Exfiltration Over C2 Channel | AhRat can exfiltrate collected data to the C2, such as audio recordings and files.[1]
Mobile | T1420 | File and Directory Discovery |
Mobile | T1430 | Location Tracking |
Mobile | T1406 | Obfuscated Files or Information | AhRat can use an encryption key received from its C2 to encrypt and decrypt configuration files and exfiltrated data.[1]
Mobile | T1636.002 | Protected User Data: Call Log |
Mobile | T1636.003 | Protected User Data: Contact List |
Mobile | T1513 | Screen Capture |
Mobile | T1582 | SMS Control |
Mobile | T1426 | System Information Discovery | AhRat can obtain device info such as manufacturer, device ID, OS version, and country.[1]