Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Multi-Platform RAT OmniRAT Used to Hijack Devices

Researchers at Avast have conducted a brief analysis of OmniRAT, a multi-platform remote administration tool (RAT) that has been used for malicious purposes.

Researchers at Avast have conducted a brief analysis of OmniRAT, a multi-platform remote administration tool (RAT) that has been used for malicious purposes.

OmniRAT is openly promoted as a remote administration tool that works on devices running Android, Windows, Linux and Mac OS X. OmniRAT servers and clients are currently sold for $25 and $50, a price that includes a lifetime license and lifetime support.

The tool, which is allegedly made in Germany, is not advertised for malicious purposes, but experts from Avast have seen it being distributed and used by cybercriminals as a remote access Trojan.OmniRAT

In an attack described on a German tech forum, a user reported that his Android device became infected with what Avast researchers determined to be OmniRAT. In a blog post published on Thursday, Avast mobile malware analyst Nikolaos Chrysaidos revealed that the threat has been distributed via social engineering.

In the case of the German user, the attackers sent him an SMS claiming that he had received an MMS that cannot be sent directly due to the Android StageFright vulnerability, for which experts had previously warned that exploits could be delivered via MMS.

The malicious SMS contained a shortened link pointing to a website where the victim was instructed to enter a code and their phone number. Once the code and the number were entered, victims had been served an APK that loaded an icon labeled “MMS Retrieve” when installed. The OmniRAT installation process would begin when this icon was tapped.

Chrysaidos has pointed out that in such cases the malware is not installed automatically, but instead the victim has to manually install it and accept a long list of permissions that it requests.

“The victim then has no idea their device is being controlled by someone else and that every move they make on the device is being recorded and sent back to a foreign server,” Chrysaidos said. “Furthermore, once cybercriminals have control over a device’s contact list, they can easily spread the malware to more people. Inside this variant of OmniRat, there is a function to send multiple SMS messages. What makes this especially dangerous is that the SMS spread via OmniRat from the infected device will appear to be from a known and trusted contact of the recipients, making them more likely to follow the link and infect their own device.”

In the case of the German user who reported the OmniRAT attack, the data collected from the infected device was sent back to a command and control (C&C) server in Russia.

Advertisement. Scroll to continue reading.

OmniRAT is similar to DroidJack, a RAT that was initially developed as a legitimate application for remotely controlling Android devices, but was later turned by its creators into a crimeware tool. Symantec reported in November 2014 that it had traced the developers of DroidJack, whose retail price is $210, to India.

Last month, authorities in five European countries launched an operation against people who had acquired and used DroidJack to spy on others.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider Horizon3.ai.

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

More People On The Move

Expert Insights