Arabic-Speaking Threat Actor Recycles the Source Code of Popular RAT SpyNote and Sells it in the Dark Web, as New

At the beginning of July 2019, we detected that a threat actor dubbed mobeebom had created a sales thread for his Android Remote Administration Tool (RAT), MobiHok v4, on a prominent English-language hacking forum.

Quick research revealed that mobeebom is active on multiple Arabic-speaking hacking forums under different pseudonyms, which led us to assess with high confidence that he is an Arabic speaker. The poor English in his posts reinforced this assessment. His activity on the prominent English-language hacking forum we monitor sparked our curiosity, and we decided to take a closer look.

New Android RAT?

MobiHok is a RAT coded in Visual Basic .NET and Android Studio that gives the operator full control over the infected device, with an extensive set of capabilities. This latest release of the malware presents new features, such as a bypass of the Facebook authentication mechanism.[1]

The threat actor's declared intention is to position MobiHok as the top Android RAT on the market. However, from research we conducted into mobeebom's activity in the underground communities, and from our analysis of a sample of the malware builder we retrieved, it is apparent that the threat actor based MobiHok on the source code of another prominent Android RAT, SpyNote, which was leaked online in 2016.[2]

The initial findings of our technical analysis confirmed that mobeebom probably obtained SpyNote's source code, made some minor changes, and now resells it as a new RAT under the name MobiHok.

Screenshot of MobiHok’s sales thread

A Deeper Dive into MobiHok v4

The threat actor has been promoting the malware since January 2019 on multiple outlets, including a dedicated Facebook page and a YouTube channel.[3]

Screenshot of a MobiHok sales post from an Arab hacking forum

MobiHok’s dedicated Facebook page

Mobeebom also runs a website on which the RAT can be purchased in a variety of options, including the entire source code for US$ 15,000.[4] According to the screenshots displayed on the website, the malware offers the following capabilities:

MobiHok pricing

  • Control of the files
  • Control of the camera
  • Keylogging
  • Control of the SMS
  • Control of the contacts
  • Control of the apps
  • Control of the account/phone settings
  • Terminal
  • Bypass of Samsung security mechanisms
  • Bypass of Google Play security mechanisms
  • No “rooted” device required
  • The RAT can be bound to another APK app

To conclude, despite mobeebom's attempt to market his MobiHok v4 Android RAT as new, and his declared intention to make it the top Android RAT on the market, this malware appears to be based on the leaked source code of the known SpyNote Android RAT with only minor changes, and is being resold by the threat actor under a different name.


[1] https://www.youtube.com/watch?v=RNI28UvNobI

[2] https://www.helpnetsecurity.com/2016/07/29/spynote-android-rat-builder-leaked/

[3] https://www.facebook.com/mobihok/; https://www.youtube.com/channel/UC893zQNWcl8KFc11KXyAXEQ

[4] mobihok.com

Author: Verint Cyber Threat Intelligence Research Team

Verint’s Cyber Threat Intelligence (CTI) research team (formerly SenseCy) is composed of handpicked expert analysts, many of whom are ex-military intelligence, with years of experience in cyber threat intelligence and analysis. Our research team monitors, analyzes and validates threat actors’ malicious activities on platforms such as social networks, mobile applications, Deep Web sites, Dark Web marketplaces, hacker forums, IRC channels, global CVEs and external threat intelligence generated by leading security providers. The research team regularly produces threat alerts and intelligence reports based on region-, industry- and organization-specific threats, including in-depth analysis, actionable recommendations, IoCs and more, to proactively identify and mitigate threats before they materialize, enhance resilience and prevent future attacks.