Threat Profile
Malware Type: RAT / Backdoor / Spyware
Platform: Android
Origin: Based on leaked Spymax code (SpyNote)
Threat Actor: EVLF (Believed Syria-based)
Executive Summary & Overview
The mobile landscape continues to be a fertile ground for sophisticated surveillance tools. As users increasingly rely on their Android devices for everything from banking to social interaction, the threat of Remote Access Trojans (RATs) escalates daily. One of the most aggressive and rapidly evolving threats currently dominating the Southeast Asian market is CraxsRAT, also known by analysts as G700 RAT.
CraxsRAT is a powerful, multifaceted Android backdoor. It did not emerge in a vacuum; it evolved directly from the Spymax RAT (formerly known as SpyNote) after its source code was leaked in 2020. This evolution has allowed the threat actor, identified as "EVLF" (believed to operate out of Syria), to significantly enhance its capabilities and refine its targeting mechanisms. The latest identified version, CraxsRAT v7.5, released in April 2024, showcases a heightened level of stealth and persistence, making it a serious threat to both individuals and corporate entities.
Geographic Targeting & Infection Vectors
While initially gaining notoriety through the intense Singapore campaign that began around April 2023, CraxsRAT's reach extends far beyond the Lion City, targeting users across Indonesia, Malaysia, Thailand, and globally.
The threat actors are highly adept at exploiting local trust and habits. They impersonate various trusted brands and services to lure victims into downloading the malicious payload.
Targeted Impersonation Campaigns
CraxsRAT utilizes fake applications masquerading as:
- Local shopping platforms (e.g., fake e-commerce storefronts).
- Anti-scam or fraud detection centers.
- Popular food delivery services (e.g., Grab & Go).
- Regional retail chains (e.g., 1st Mall, SG-Furniture).
Primary Infection Vectors
The deployment of CraxsRAT is rarely random; it follows highly targeted campaigns utilizing several distribution methods:
- Phishing Links: Malicious URLs embedded in SMS or social media messages that prompt the user to "update" or "verify" an application.
- Malicious APKs: Direct distribution of the infected application package, often bypassing official store vetting.
- Social Media Advertisements: Fake ads appearing on platforms like Telegram, designed to look like legitimate promotional content for the impersonated brands.
Technical Analysis & Capabilities
CraxsRAT is not merely a simple keylogger; it is a complete remote control system. Once the malware gains root or elevated permissions, it establishes a persistent backdoor connection to the Command & Control (C2) server, granting the attacker comprehensive control over the victim's device.
Device Control Features
The core capabilities of CraxsRAT allow the attacker to execute nearly any action on the compromised device:
- Complete Remote Access: Full backdoor control via the C2 panel.
- Media Surveillance: Real-time access to the Camera and Microphone.
- Location Tracking: Precise GPS location retrieval.
- Data Exfiltration: Access to the entire File System (photos, documents, databases).
- Communication Monitoring: Logging and recording of Calls and SMS messages.
- Screen Monitoring: Full-screen recording functionality, capturing sensitive inputs like banking credentials.
Technical Implementation Details
The threat actor has implemented several advanced techniques to ensure stealth and resilience:
- Obfuscation: Critical C2 server details are often hidden using Base64 encoding, making static analysis and signature detection more difficult for security tools.
- Language Support: The RAT supports multiple languages, including English, Arabic, Turkish, and Simplified Chinese, directly correlating with its diverse global targeting strategy.
- C2 Infrastructure: Analysts have observed C2 servers running on Windows Server 2019, often configured with Chinese language settings, suggesting a likely operational base in East Asia or China.
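As an added defender-side example (not code from this write-up, from EVLF's tooling, or from any vendor product), a small Python triage script that scans string constants dumped from a decompiled APK, decodes anything that looks like Base64, and keeps only values that turn out to be a host:port or URL, which is the check an analyst runs to surface a C2 address hidden the way described above. The sample string list and the placeholder endpoints are constructed, not real indicators.

```python
"""Recover Base64-obscured C2 endpoints from a decompiled APK's string constants.
Added example for this write-up, not EVLF's code nor any vendor tool; the input
list is constructed and the endpoint values are placeholders, not real IoCs."""
import base64
import binascii
import re
from typing import List, Optional, Tuple
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")            # looks like Base64
HOST_PORT = re.compile(r"^(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:]+\]):(\d{1,5})$")
URL = re.compile(r"^(?:https?|wss?|tcp)://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/\S*)?$")

def decode_candidate(token: str) -> Optional[str]:
    """Decode `token` if it is valid Base64 yielding printable ASCII, else None."""
    if not B64_TOKEN.match(token):
        return None
    padded = token + "=" * (-len(token) % 4)      # tolerate stripped '=' padding
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def looks_like_c2(text: str) -> bool:
    """True for host:port with a valid port, or for a URL."""
    m = HOST_PORT.match(text)
    if m:
        return 1 <= int(m.group(1)) <= 65535
    return URL.match(text) is not None

def find_c2_candidates(strings: List[str]) -> List[Tuple[str, str]]:
    """Return (encoded, decoded) pairs for constants that hide an endpoint."""
    hits = []
    for s in strings:
        decoded = decode_candidate(s.strip())
        if decoded and looks_like_c2(decoded):
            hits.append((s.strip(), decoded))
    return hits
# Constructed string dump: smali-style identifiers plus Base64 noise and two
# hidden endpoints (encoded inline so the sample stays reproducible).
SAMPLE_STRINGS = [
    "Lcom/example/app/MainActivity;",
    "TWFpbkFjdGl2aXR5",                                    # "MainActivity": noise
    base64.b64encode(b"c2-placeholder.invalid:7771").decode(),
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    base64.b64encode(b"https://c2-placeholder.invalid/gate").decode(),
    "VGhpcyBpcyBub3QgYW4gZW5kcG9pbnQ=",                     # text, not an endpoint
]
if __name__ == "__main__":
    for enc, dec in find_c2_candidates(SAMPLE_STRINGS):
        print(f"{enc} -> {dec}")
```

On a real dump the same filter is worth running over resources and native-library strings too, since the encoded value is not always in the Dalvik string pool.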
Symptoms of Infection (How to Spot CraxsRAT)
If you suspect your Android device is compromised, look for these telltale signs:
- System Sluggishness: Noticeable slowing down of the device and general performance degradation.
- Battery Drain: Rapid, unexplained depletion of the battery, often due to the RAT running constantly in the background.
- Unexpected Activity: Random pop-ups, notifications, or the appearance of new, unknown applications.
- Surveillance Indicators: The camera or microphone activating randomly, even when the phone is idle.
- High Data Usage: A sudden, significant spike in background internet usage, indicating continuous data exfiltration to the C2 server.
Protection & Removal Strategies
Defending against CraxsRAT requires a multi-layered approach, tailored to whether you are an individual user or an enterprise organization.
For Individuals: Vigilance is Key
- Source Control: Only download applications from the official Google Play Store (or the Apple App Store on iOS). Be extremely cautious about sideloading APKs from unknown websites.
- Permission Audit: Before installing any app, meticulously review its requested permissions. Pay special attention to applications requesting "Accessibility Services"—this is a prime vector for RATs.
- Secure Banking: Use separate devices or virtual environments for highly sensitive banking and financial transactions whenever possible.
- Enable Defenses: Ensure Two-Factor Authentication (2FA) is active on all critical accounts and enable transaction alerts.
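As an added example (not a Google, vendor or page-provided tool), the permission audit from the list above made mechanical: a Python script that parses an unpacked APK's AndroidManifest.xml and flags the profile a CraxsRAT-style app needs, an Accessibility Service plus the camera, microphone, SMS, call and location permissions behind the capabilities listed earlier. The manifest is a constructed sample, and the threshold of two or more surveillance capabilities alongside accessibility is an assumed heuristic.

```python
"""Permission audit for an unpacked APK's AndroidManifest.xml.
Added example for this write-up (not a Google or vendor tool). It flags the
permission profile a CraxsRAT-style app needs: an Accessibility Service plus
camera, microphone, SMS, call-log and location access. Input is constructed."""
import xml.etree.ElementTree as ET
from typing import Dict

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"
# Capability -> permissions that grant it (mirrors the device-control list above).
SURVEILLANCE = {
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "calls": {"android.permission.READ_CALL_LOG", "android.permission.PROCESS_OUTGOING_CALLS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.MANAGE_EXTERNAL_STORAGE"},
}

def audit_manifest(manifest_xml: str) -> Dict[str, object]:
    """Summarise requested surveillance permissions and the accessibility hook."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    # An Accessibility Service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    accessibility = any(
        s.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service")
    )
    granted = sorted(cap for cap, perms in SURVEILLANCE.items() if requested & perms)
    # Assumed heuristic: accessibility plus two or more surveillance capabilities.
    return {"accessibility_service": accessibility, "surveillance": granted,
            "suspicious": accessibility and len(granted) >= 2}

# Constructed manifest modelled on a "shopping app" lure; not from a real sample.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.shopdeals">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".Accessibility"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

The same function can be pointed at the manifest that apktool or aapt2 extracts from a suspect APK; a legitimate shopping or delivery app should never combine an Accessibility Service with this set of permissions.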
For Organizations: Hardening the Perimeter
- MTD/MDM Deployment: Mandate the use of Mobile Threat Defense (MTD) solutions or Mobile Device Management (MDM) platforms across the entire fleet to continuously monitor devices for malicious behavior.
- Employee Training: Conduct frequent, targeted training sessions focused specifically on recognizing phishing attempts and the danger of local brand impersonation (e.g., "Is this Grab & Go app official?").
- Network Segmentation: Isolate critical corporate devices and segment the mobile network to limit the lateral movement of the RAT should it be detected.
Removal Instructions
If infection is confirmed, take immediate action:
- Safe Mode Boot: Boot the device into Safe Mode to prevent the malware from loading fully, then proceed to identify and uninstall the malicious app.
- App Identification: Check the list of installed apps. If unsure, check the device's battery usage statistics to see which app is consuming the most power.
- Cache Clearing: Clear the browser cache and application caches, particularly those associated with social media or web browsers.
- Factory Reset: As a final, definitive measure, perform a factory reset. (Ensure all critical data is backed up first, though be aware that reinfection is possible if the malicious APK was backed up).
Conclusion & Call to Action
CraxsRAT represents more than just a piece of malware; it is a sophisticated, adaptable surveillance platform designed for maximum impact. From stealthily draining your battery to exfiltrating your bank login credentials, the threat is pervasive and severe.
The fact that EVLF continues to refine and release versions like v7.5 in April 2024 underscores that this is an ongoing arms race. Stay vigilant, enforce strict permission policies, and ensure your mobile defense tools are up to date. Do not assume that because your phone works, it is safe.
Frequently Asked Questions (FAQ)
Can CraxsRAT steal banking credentials?
Yes, absolutely. CraxsRAT is equipped with advanced capabilities, including keylogging and screen overlay attacks. These features allow the malware to capture keystrokes as you type your password or intercept the screen view precisely when you enter sensitive data into banking applications.
Does factory reset remove CraxsRAT?
Generally, yes. A full factory reset wipes the device partition clean, removing the malicious application and its persistence mechanisms. However, to guarantee complete removal and prevent immediate reinfection, ensure you do not restore from a backup that contains the malicious APK itself. Always perform a clean install and reinstall apps manually.