PJobRAT makes a comeback, takes another crack at chat apps

PJobRAT, an Android Remote Access Trojan (RAT), has resurfaced, targeting users in Taiwan through messaging apps that impersonate legitimate chat clients. The campaign spans over two years and shows advances in the malware's capabilities, including the ability to execute shell commands on the infected device. Users are advised to be wary of installing apps from untrusted sources.

Affected: Android devices, Indian military personnel, Taiwan users

Key points:

  • PJobRAT targets users via spoofed instant messaging apps like ‘SangaalLite’ and ‘CChat’.
  • The campaign was active for at least 22 months, with limited infections primarily in Taiwan.
  • The malware can steal sensitive data, including SMS, contacts, and files from infected devices.
  • Threat actors used FCM and HTTP for communication with command-and-control servers.
  • New functionalities allow executing shell commands, enhancing the malware’s operational control.
  • Users are recommended to avoid installing apps from untrusted sources and use threat detection tools.

MITRE Techniques:

  • Command and Control (T1071.001) – PJobRAT uses Firebase Cloud Messaging (FCM) and HTTP for communication with its C2 servers.
  • Data from Information Repositories (T1213) – PJobRAT collects SMS, contacts, and files from the infected device.
  • Remote File Copy (T1105) – The malware uploads sensitive data such as files and device information to C2 servers.
  • Execute Command (T1059) – PJobRAT can run shell commands to gain greater control over the device.

Indicators of Compromise:

  • [Domain] westvist[.]myftp[.]org
  • [App Name] SangaalLite
  • [App Name] CChat
  • [Detection Name] Andr/AndroRAT-M (Sophos detection name, not a file hash)
  • [IP Address] Not listed in the source; the C2 server is described as hosted in Germany
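As an added example (not code from the Sophos report or from the PJobRAT analysis), the script below shows how a defender can put the indicators listed above to work: it refangs the published domain, scans a constructed DNS resolver log for queries to that domain or its subdomains, and checks a constructed MDM app inventory for the spoofed chat-app labels, flagging any that were installed outside Google Play. The log line format, the inventory fields and the placeholder package names are assumptions; the summary gives only app labels, not package identifiers. Note that Firebase Cloud Messaging is legitimate Google infrastructure that the malware abuses, so traffic to it is deliberately not treated as an indicator.

```python
import re

# Indicators taken from the summary above. The domain is stored defanged, as
# published, and refanged only at match time so the list stays safe to share.
IOC_DOMAINS_DEFANGED = {"westvist[.]myftp[.]org"}
IOC_APP_LABELS = {"sangaallite", "cchat"}      # spoofed chat-app names, lower-cased
DETECTION_NAME = "Andr/AndroRAT-M"             # Sophos detection name, not a hash

# Legitimate infrastructure PJobRAT abuses for C2 (Firebase Cloud Messaging).
# Nearly every Android device talks to it, so it must never be an indicator on its own.
BENIGN_SHARED_INFRA = {"fcm.googleapis.com"}

PLAY_STORE_INSTALLER = "com.android.vending"   # installer package recorded for Play installs


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('westvist[.]myftp[.]org') into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


def defang(indicator: str) -> str:
    """Re-defang an indicator before writing it into an alert or report."""
    return indicator.replace(".", "[.]")


IOC_DOMAINS = {refang(d).lower() for d in IOC_DOMAINS_DEFANGED}

# Assumed log format (constructed for this example, not from the source):
# "<timestamp> client=<ip> query=<type> name=<fqdn>"
DNS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=\S+\s+name=(?P<name>\S+)\s*$"
)

# Constructed sample DNS resolver log; only the second line is a true hit.
SAMPLE_DNS_LOG = """\
2025-03-20T10:01:02Z client=10.0.0.5 query=A name=example.com
2025-03-20T10:01:07Z client=10.0.0.9 query=A name=westvist.myftp.org.
2025-03-20T10:02:11Z client=10.0.0.9 query=A name=fcm.googleapis.com
"""


def scan_dns_log(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, defanged name) for every query to a C2 domain
    or one of its subdomains; shared Google infrastructure is skipped."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_LINE.match(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")   # normalise trailing dot
        if name in BENIGN_SHARED_INFRA:
            continue
        if name in IOC_DOMAINS or any(name.endswith("." + d) for d in IOC_DOMAINS):
            hits.append((m.group("ts"), m.group("client"), defang(name)))
    return hits


# Constructed MDM app-inventory export. Package names beginning with
# "placeholder." are invented; the summary gives only the spoofed app labels.
SAMPLE_APP_INVENTORY = [
    {"device": "dev-01", "label": "Signal", "package": "org.thoughtcrime.securesms",
     "installer": PLAY_STORE_INSTALLER},
    {"device": "dev-02", "label": "CChat", "package": "placeholder.pkg.cchat",
     "installer": None},                       # no installer recorded: sideloaded
    {"device": "dev-03", "label": "Chat", "package": "placeholder.pkg.chat",
     "installer": PLAY_STORE_INSTALLER},
]


def scan_app_inventory(inventory: list[dict]) -> list[dict]:
    """Flag installed apps whose label matches a PJobRAT lure name, noting
    whether they were sideloaded (the delivery path described in the summary)."""
    suspects = []
    for app in inventory:
        if app["label"].strip().lower() not in IOC_APP_LABELS:
            continue
        sideloaded = app.get("installer") != PLAY_STORE_INSTALLER
        suspects.append({
            "device": app["device"],
            "package": app["package"],
            "reason": "label matches PJobRAT lure name"
                      + (", installed outside Google Play" if sideloaded else ""),
        })
    return suspects


if __name__ == "__main__":
    for ts, client, name in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried C2 domain {name}")
    for s in scan_app_inventory(SAMPLE_APP_INVENTORY):
        print(f"{s['device']}: {s['package']} ({s['reason']})")
```

Matching on app label alone is a weak signal (any app can call itself "CChat"), which is why the inventory check also records whether the install came from outside Google Play; in practice an alert should combine the label match with the sideload flag or with the detection name reported by an on-device scanner.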

Full Story: https://news.sophos.com/en-us/2025/03/27/pjobrat-makes-a-comeback-takes-another-crack-at-chat-apps/