A new malware called “WolfRAT” is targeting messaging apps, such as WhatsApp, Facebook Messenger and Line, on Thai Android devices.
WolfRAT, according to the Cisco Talos intelligence team, is based on the previously leaked DenDroid malware family. Talos said in a blog post that it believes with high confidence that this modified version of the malware is operated by an outfit known as “Wolf Research,” which appears to have closed but rebranded as “LokD” and still poses an active threat.
In March, PC Risk reported that LokD belongs to the ransomware family called Djvu, which encrypts victims’ files, renames them and creates a ransom note. LokD renames encrypted files by appending the “.lokd” extension to their filenames.
Though WolfRAT mimics services such as Google Service, Google Play or Flash updates aimed at Thai citizens, Talos reported that, based on its tracking of Wolf Research’s past activities, the malware is most likely used as an intelligence-gathering tool for actors, one that can be packaged and sold.
Talos called the actor “surprisingly amateur,” citing code overlaps and copy/paste from open-source projects in its work.
During the VirusBulletin conference in 2018, CSIS researchers Benoît Ancel and Aleksejs Kuprins gave a presentation on Wolf Research and its offensive arsenal, Talos noted. Ancel and Kuprins mentioned an Android, iOS and Windows remote-access tool (RAT). Their findings showed that Wolf is headquartered in Germany with offices in Cyprus, Bulgaria, Romania, India and (possibly) the U.S. Wolf closed after the CSIS presentation but reemerged, based in Cyprus, as the aforementioned LokD.