Full Report
An Android malware family previously observed targeting Indian military personnel has been linked to a new campaign likely aimed at users in Taiwan under the guise of chat apps. "PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices," Sophos security researcher Pankaj Kohli said in a Thursday analysis. PJobRAT, first
Analysis Summary
# Threat Actor: PJobRAT Operator(s)
## Attribution & Identity
The actor utilizing PJobRAT is not definitively attributed to a specific state-sponsored group in this summary, but past activity links the malware to:
- **SideCopy**: Described by Meta as a Pakistan-aligned threat actor, believed to be a sub-cluster within **Transparent Tribe**.
## Activity Summary
The PJobRAT malware family, active since at least late 2019, was observed in a recent campaign (Jan 2023 – Oct 2024) targeting Android users in Taiwan. This campaign distributed the malware disguised as legitimate chat applications named SangaalLite and CChat, available via WordPress sites. This follows earlier documented targets, specifically Indian military personnel, indicating a pattern of espionage or information gathering. The latest observed campaign was relatively small in scope.
## Tactics, Techniques & Procedures
- **Delivery Mechanism:** Social engineering via malicious chat applications (SangaalLite and CChat) masquerading as legitimate software, distributed via WordPress sites.
- **Persistence/Functionality:** Once installed, malicious apps request intrusive permissions and maintain background operation. They check C2 servers for updates upon startup.
- **Data Exfiltration:** Steals SMS messages, phone contacts, device/app information, documents, and media files.
- **Stealth/Evasion:** Utilizes accessibility services permissions to scrape content displayed on the device's screen.
- **Capability Enhancement:** The latest variant incorporates the ability to **run shell commands**, differentiating it from older versions that focused on WhatsApp message theft.
- **TTPs linked to SideCopy/Transparent Tribe (Historical):** Use of fictitious personas (typically young women) as romantic lures to build trust and trick targets into downloading malicious apps or clicking phishing links.
## Targeting
- **Sectors:** Government, military, and law enforcement (Historically: Indian military personnel; SideCopy targets: Afghan government, military, and law enforcement).
- **Geography:**
  - Recent Campaign: Taiwan
  - Historical: India, Afghanistan
- **Victims:** Android users in Taiwan; personnel with ties to military/government.
- **Malware Package Names (Recent Campaign):** `org.complexy.hard`, `com.happyho.app`, `sa.aangal.lite`, `net.over.simple`
## Tools & Infrastructure
- **Malware Families Used:** PJobRAT, Mayhem (mentioned historically in relation to SideCopy).
- **Infrastructure:** Command-and-control (C2) servers used to check for malware updates. Distribution occurred via multiple **WordPress sites**.
## Implications
The reappearance of PJobRAT, particularly with capabilities updated to include shell command execution, suggests continuous development and refinement by the affiliated threat actor(s). The shift from targeting military personnel in South Asia to targeting users in Taiwan with malware disguised as chat applications indicates that the actor adapts its lure to facilitate initial access. The small scale of the latest campaign suggests highly specific targeting rather than indiscriminate distribution.
## Mitigations
- Exercise extreme caution when downloading communication or social applications from unofficial sources (third-party distribution points such as WordPress-hosted sites rather than official app stores).
- Implement strict mobile security policies regarding the granting of intrusive device permissions (especially accessibility services).
- Monitor network traffic for communication with unknown C2 servers from Android devices.
- Educate users, particularly employees in sensitive sectors, about social engineering tactics involving romantic lures or compelling social applications.
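As an added example that is not part of the original report, the following Python triage check applies two items from this summary to a managed Android device: it matches the recent-campaign package names listed above against `adb shell pm list packages` output, and it flags any package holding accessibility-service access (the collection technique described above) that is not on a hypothetical allowlist. The sample `adb` outputs and the allowlist are constructed for illustration.

```python
import re

# Package names listed in this report for the recent campaign, used here as indicators.
PJOBRAT_PACKAGES = {
    "org.complexy.hard", "com.happyho.app", "sa.aangal.lite", "net.over.simple",
}

# Hypothetical allowlist: packages expected to hold accessibility access on managed devices.
ACCESSIBILITY_ALLOWLIST = {"com.google.android.marvin.talkback", "com.android.talkback"}


def parse_pm_list(output: str) -> set[str]:
    """Parse `adb shell pm list packages` output (one 'package:<name>' per line)."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)\s*$", output, re.M)}


def parse_accessibility_services(output: str) -> dict[str, str]:
    """Parse `adb shell settings get secure enabled_accessibility_services`.

    The value is a colon-separated list of '<package>/<service class>' entries;
    'null' or an empty string means no service is enabled. Returns {package: service}.
    """
    output = output.strip()
    if not output or output == "null":
        return {}
    services = {}
    for entry in output.split(":"):
        pkg, _, svc = entry.partition("/")
        if pkg:
            services[pkg] = svc
    return services


def triage(pm_output: str, a11y_output: str) -> dict:
    """Cross-reference installed packages with the IoC list and the accessibility allowlist."""
    installed = parse_pm_list(pm_output)
    services = parse_accessibility_services(a11y_output)
    return {
        "ioc_hits": sorted(installed & PJOBRAT_PACKAGES),
        "unexpected_accessibility": sorted(p for p in services if p not in ACCESSIBILITY_ALLOWLIST),
    }


# Constructed sample outputs: one listed package installed and granted accessibility access.
SAMPLE_PM = "package:com.android.chrome\npackage:sa.aangal.lite\npackage:com.google.android.marvin.talkback\n"
SAMPLE_A11Y = "com.google.android.marvin.talkback/.TalkBackService:sa.aangal.lite/.ChatService"

if __name__ == "__main__":
    print(triage(SAMPLE_PM, SAMPLE_A11Y))
```

On a real device the two inputs come from the quoted `adb` commands; a non-empty `ioc_hits` or `unexpected_accessibility` result is a reason to isolate the device and pull the APK for analysis.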