A new Android RAT (Remote Access Trojan) detected under the name of GhostCtrl can lock mobile device by resetting their PIN and display a ransom note to infected victims.

These ransomware capabilities have been observed in the source code of GhostCtrl, but not in real-world infections, where the RAT was mostly used for its data exfiltration capabilities.

GhostCtrl RAT used to hack healthcare organizations

The GhostCtrl RAT was discovered by Trend Micro researchers part of a wave of attacks against Israeli healthcare organizations. The campaign targeted primarily Windows computers with RETADUP, a combination of a worm, infostealer, and backdoor trojan.

The group behind the campaign also targeted the Android devices of people involved with these organizations. The payload was the GhostCtrl RAT, which according to Trend Micro, is a heavily customized version of OmniRAT — a multi-purpose RAT and one of the few RATs that can target four major operating systems: Android, Linux, macOS, and Windows.

OmniRAT is one of the top RATs on the market, and sold through a Malware-as-a-Service portal, allowing anyone to compile his own versions.

GhostCtrl is a top-shelve Android malware

All of OmniRAT's features are also included in GhostCtrl, making the latter a dangerous and very potent threat. Below is a summary of GhostCtrl's confirmed features, as per this Trend Micro report:

⬪ Ability to root infecte Android devices

⬪ Communicates with a remote C&C server

⬪ Control the Wi-Fi state

⬪ Monitor the phone sensors in real time

⬪ Set phone's UiMode, like night mode/car mode

⬪ Control the vibrate function, including the pattern and when it will vibrate

⬪ List the file information in the current directory and upload it to the C&C server

⬪ Delete a file in the indicated directory

⬪ Rename a file in the indicated directory

⬪ Upload a desired file to the C&C server

⬪ Download file

⬪ Download pictures as wallpaper

⬪ Create an indicated directory

⬪ Use the text to speech feature

⬪ Send SMS/MMS to a number specified by the attacker

⬪ Intercept SMS messages from phone numbers specified by the attacker

⬪ Delete SMS

⬪ Call a phone number indicated by the attacker

⬪ Record voice or audio, then upload it to the C&C server at a certain time

⬪ Delete browser history

⬪ Open apps

⬪ Control the system infrared transmitter

⬪ Run a shell command specified by the attacker and upload the output result

⬪ Collect call logs, SMS records, contacts, phone numbers, SIM serial number, location, browser bookmarks, Android OS version, username, Wi-Fi details, battery status, Bluetooth info, audio states, UiMode, service processes, activity information, clipboard data, wallpaper images, data from the camera, sensors, the browser, and searches, and many more.

Furthermore, Trend Micro notes that it discovered the following features, which aren't commonly found in Android RATs, but where present in GhostCtrl:

⬪ Clear/reset the password of an account specified by the attacker

⬪ Configure the phone to play different sound effects

⬪ Set specific content in the Clipboard

⬪ Customize notifications

⬪ Control the Bluetooth to search and connect to another device

⬪ Set the accessibility to TRUE and terminate an ongoing phone call

Overall, GhostCtrl is one of the most advanced Android RATs ever seen, with features that imply this malware was developed by a threat actor with extended expertise in Android development.

Current evidence suggests this threat is used to pilfer data from healthcare organizations, either to sell on underground markets or to blackmail the hacked institutions. If all of these fail, GhostCtrl's ransomware feature could be used as a last ditch effort to obtain moeny from hacked devices.

Image credits: LSE Designs, Jonathan Collie, Bleeping Computer.