WolfRAT malware targets WhatsApp, Messenger


A new malware called “WolfRAT” is targeting messaging apps, such as WhatsApp, Facebook Messenger and Line, on Thai Android devices.

WolfRAT, according to the Cisco Talos intelligence team, is based on the previously leaked DenDroid malware family. Talos said in a blog post it believes with high confidence that this modified version of the malware is operated by an outfit known as “Wolf Research,” which appears to have closed but rebranded as “LokD,” and remains an active threat.

In March, PC Risk reported that LokD belongs to the ransomware family called Djvu, which encrypts victims’ files, renames them and creates a ransom note. LokD renames encrypted files by appending the “.lokd” extension to their filenames.

Though WolfRAT mimics services such as Google services, Google Play or Flash updates for Thai citizens, Talos reported the malware is most likely used as an intelligence-gathering tool that can be packaged and sold to other actors, based on its tracking of Wolf Research’s past activities.

Talos called the actor “surprisingly amateur,” citing code overlaps and copy/paste from open-source projects.

Campaigns targeting Thai users and their devices were identified with some of the C2 servers located in Thailand, Talos said. The panels contained Thai JavaScript comments and the domain names also contain references to Thai food, a tactic commonly employed to entice users to click/visit the C2 panels without much disruption.

During the VirusBulletin conference in 2018, CSIS researchers Benoît Ancel and Aleksejs Kuprins gave a presentation on Wolf Research and its offensive arsenal, Talos noted. Ancel and Kuprins described an Android, iOS and Windows remote-access tool (RAT). Their findings showed that Wolf is headquartered in Germany with offices in Cyprus, Bulgaria, Romania, India and (possibly) the U.S. Wolf closed after the CSIS presentation but reemerged, based in Cyprus, as the aforementioned LokD.
