A new Android RAT (Remote Access Trojan) detected under the name of GhostCtrl can lock mobile devices by resetting their PINs and display a ransom note to infected victims.
These ransomware capabilities have been observed in the source code of GhostCtrl, but not in real-world infections, where the RAT was mostly used for its data exfiltration capabilities.
The GhostCtrl RAT was discovered by Trend Micro researchers as part of a wave of attacks against Israeli healthcare organizations. The campaign primarily targeted Windows computers with RETADUP, a combination of a worm, infostealer, and backdoor trojan.
The group behind the campaign also targeted the Android devices of people involved with these organizations. The payload was the GhostCtrl RAT, which according to Trend Micro, is a heavily customized version of OmniRAT — a multi-purpose RAT and one of the few RATs that can target four major operating systems: Android, Linux, macOS, and Windows.
OmniRAT is one of the top RATs on the market, and is sold through a Malware-as-a-Service portal, allowing anyone to compile their own versions.
All of OmniRAT's features are also included in GhostCtrl, making the latter a dangerous and very potent threat. Below is a summary of GhostCtrl's confirmed features, as per this Trend Micro report:
Furthermore, Trend Micro notes that it discovered the following features, which aren't commonly found in Android RATs but were present in GhostCtrl:
Overall, GhostCtrl is one of the most advanced Android RATs ever seen, with features that imply this malware was developed by a threat actor with extended expertise in Android development.
Current evidence suggests this threat is used to pilfer data from healthcare organizations, either to sell on underground markets or to blackmail the hacked institutions. If all of these fail, GhostCtrl's ransomware feature could be used as a last-ditch effort to obtain money from the owners of hacked devices.