CraxsRAT, CypherRAT malware developer unmasked

Syria-based developer and malware-as-a-service operator "EVLF DEV" has been identified as the person behind the CraxsRAT and CypherRAT remote access trojans, according to SecurityWeek. At least 100 lifetime licenses of the prolific CraxsRAT Android RAT have been sold over the last three years, Cyfirma researchers reported. CraxsRAT can retrieve a device's precise location, exfiltrate contacts, access device storage, and compromise messages and call logs. Its builder not only generates highly obfuscated packages and supports immediate installation but can also prevent the RAT's removal from infected devices. "In order to gain access to the device's screen and keystrokes, the app needs to enable its accessibility in settings. So, the builder allows the threat actor to edit the page which pops up right after the app's installation is completed," said Cyfirma. Meanwhile, Cyfirma froze a cryptocurrency wallet holding EVLF DEV's earnings from the RATs, and was also able to determine the threat actor's real name and usernames, as well as his email address and IP address.
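Because the RAT depends on the victim granting it an accessibility service, the enabled accessibility services on a device are a useful thing for a defender to audit. The script below is an added example, not code from the article or from Cyfirma's report: it parses the value of the Android secure setting `enabled_accessibility_services` (as printed by `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of `package/ServiceClass` entries) and flags any service not on an allowlist. The allowlist contents and the sample setting value are constructed for illustration.

```python
"""Audit which accessibility services are enabled on an Android device.

Added example (not from the article or from Cyfirma). Assumes the format
Android uses for the secure setting `enabled_accessibility_services`:
colon-separated `package/ServiceClass` entries, where the class part may be
abbreviated to a `.Relative.Class` form relative to the package.
"""

# Hypothetical allowlist: services an organisation expects on its fleet
# (assumption: the package/class names here are constructed, not real apps).
ALLOWED_ACCESSIBILITY_SERVICES = {
    "com.example.screenreader/com.example.screenreader.ReaderService",
}

# Constructed sample value standing in for the output of
# `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_SETTING = (
    "com.example.screenreader/com.example.screenreader.ReaderService:"
    "com.example.update/.svc.AccessibilityHelper"
)


def parse_enabled_services(setting: str) -> list[str]:
    """Split the raw setting into normalised `package/FullClassName` entries.

    A class given as `.Relative.Class` is expanded with its package so that
    allowlist comparison is exact. An empty value or the literal `null`
    (printed when the setting is unset) yields an empty list.
    """
    if not setting or setting.strip().lower() == "null":
        return []
    entries = []
    for item in setting.split(":"):
        item = item.strip()
        if not item or "/" not in item:
            continue  # skip blanks and malformed fragments
        package, cls = item.split("/", 1)
        if cls.startswith("."):
            cls = package + cls
        entries.append(f"{package}/{cls}")
    return entries


def unexpected_services(setting: str, allowlist: set[str]) -> list[str]:
    """Return the enabled services that are not on the allowlist."""
    return [s for s in parse_enabled_services(setting) if s not in allowlist]


if __name__ == "__main__":
    for svc in unexpected_services(SAMPLE_SETTING, ALLOWED_ACCESSIBILITY_SERVICES):
        print(f"REVIEW: unexpected accessibility service enabled: {svc}")
```

In practice the setting value would be read from each managed device and the allowlist populated from the approved app list; any entry the script reports is worth checking against the device's installed packages before it is trusted.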
