Group-IB Helps Bust USD $25 Million RAT Fraud in Southeast Asia
Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, announced today that it contributed to a joint operation by the Singapore Police Force (SPF), the Hong Kong Police Force (HKPF) and the Royal Malaysia Police (RMP). Dubbed “Operation DISTANTHILL”, it culminated in the arrest of the cyber fraud syndicates responsible for an Android Remote Access Trojan (RAT) campaign that gained notoriety in Singapore and Hong Kong in 2023. In the lead-up to the operation, Group-IB spent months collecting and analysing the data derived from the Android trojans, uncovering the scale of the cybercriminals’ attack network and identifying its administrators. More than 4,000 victims were defrauded across Southeast Asia. Among them, the Singapore police recorded 1,899 related cases in 2023 with a total loss of more than US$25 million.
As part of “Operation DISTANTHILL”, the HKPF apprehended 10 men and 4 women aged between 19 and 61 on charges of conspiracy to defraud and money laundering. In-depth analysis revealed at least 260 variants of the Remote Access Trojan stored on command and control (C2) servers in Hong Kong and other Southeast Asian countries. On 12 and 13 June 2024, 2 men in Malaysia aged 26 and 47, suspected to be the main culprits behind the cyber-attacks and the controllers of more than 50 servers used in the attacks, were arrested in a joint cross-border operation led by the SPF with the HKPF and the RMP.
During the course of investigating these campaigns, Group-IB’s High-Tech Crime Investigation unit discovered that this Remote Access Trojan (RAT) targeted Android users through phishing campaigns, enticing victims to download and install fake apps onto their mobile devices. Based on Group-IB’s High-Tech Crime Trends Report 2023/2024, these apps were often disguised as offering special prices for goods and food items. Once installed and the necessary permissions granted, the RAT gives threat actors remote control over the Android device, enabling them to capture sensitive personal data and passwords using its keylogger and screen capture functions. The RAT also allowed threat actors to monitor SMS messages containing one-time passwords (OTPs) sent by financial organisations as a second authentication factor. Furthermore, the RAT facilitated real-time geolocation tracking of the device and its user. Operating discreetly in the background, it persists even after the Android device is rebooted. The same trojan has been advertised as a malware-as-a-service scheme, which has also claimed victims in other parts of the world, including the Middle East and Europe.
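The capability set described above (SMS/OTP interception, accessibility-based keylogging, location tracking, reboot persistence) maps onto a recognisable combination of Android permissions. The following added example, which is not Group-IB’s tooling or detection logic, triages a constructed manifest for a fake “food deals” app against that profile; the permission names are real Android identifiers, the profile and scoring are this example’s own heuristic.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Heuristic profile (this example's own, not the investigation's): each RAT capability
# named in the write-up and the Android permission(s) it needs.
RAT_PROFILE = {
    "sms_otp_interception": {"android.permission.READ_SMS",
                             "android.permission.RECEIVE_SMS"},
    "keylogging_via_accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "geolocation_tracking": {"android.permission.ACCESS_FINE_LOCATION",
                             "android.permission.ACCESS_COARSE_LOCATION"},
    "reboot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "screen_overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

# Constructed manifest for a hypothetical lure app; package name is a placeholder.
FOOD_DEALS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fooddeals">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def declared_permissions(manifest_xml):
    """Collect <uses-permission> names plus permissions bound on <service> elements
    (accessibility services are declared there, not as uses-permission)."""
    root = ET.fromstring(manifest_xml)
    name_attr, perm_attr = f"{{{ANDROID_NS}}}name", f"{{{ANDROID_NS}}}permission"
    found = {el.get(name_attr) for el in root.iter("uses-permission")}
    found |= {el.get(perm_attr) for el in root.iter("service")}
    return {p for p in found if p}

def triage(manifest_xml):
    """Score how many profile capabilities the manifest can support."""
    declared = declared_permissions(manifest_xml)
    hits = sorted(cap for cap, perms in RAT_PROFILE.items() if perms & declared)
    return {"package": ET.fromstring(manifest_xml).get("package"),
            "capabilities": hits, "score": len(hits), "total": len(RAT_PROFILE)}

if __name__ == "__main__":
    print(triage(FOOD_DEALS_MANIFEST))
```

A single matched capability (location for a delivery app, say) is ordinary; it is the combination of SMS reading, an accessibility service and boot persistence in a consumer app that warrants analyst attention.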
Group-IB’s High-Tech Crime Investigation unit played a pivotal role in the operation by analysing the malware-as-a-service campaign of the Android trojan used in the attacks and the threat actors who advertised the service. Group-IB specialists tracked the settings of over 250 phishing web pages that facilitated the spread of the fake Android apps. This also helped to identify the phishing administrators and provided insights into the scale of the attacks and their victims. Employing Group-IB’s patented Graph Network Analysis technology, Group-IB specialists correlated command and control (C2) servers from over 100 malware samples to paint a comprehensive picture of the threat actors’ network infrastructure and the operators behind the scheme.
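Correlating C2 servers across many samples comes down to building a graph in which a sample is linked to every host it contacts and reading off the connected components: samples that share a host belong to the same infrastructure cluster, and hosts contacted by many samples are the pivots worth enriching. The added example below, not Group-IB’s Graph Network Analysis product, does this with a small union-find over constructed sample-to-C2 data (placeholder sample names, RFC 5737 addresses and example domains, none of them indicators from this investigation).

```python
from collections import defaultdict

# Constructed mapping of malware samples to the C2 hosts in their configuration.
# Placeholder names and documentation addresses only; not IoCs from the case.
SAMPLE_C2 = {
    "sample-A": ["192.0.2.10", "c2-one.example"],
    "sample-B": ["192.0.2.10"],
    "sample-C": ["c2-one.example", "198.51.100.7"],
    "sample-D": ["203.0.113.5"],
    "sample-E": ["203.0.113.5", "c2-two.example"],
    "sample-F": ["198.51.100.99"],
}

def _find(parent, node):
    # Union-find root lookup with path compression.
    while parent[node] != node:
        parent[node] = parent[parent[node]]
        node = parent[node]
    return node

def cluster_infrastructure(sample_c2):
    """Return connected components over samples and C2 hosts, largest first.

    Each sample is joined with every host it contacts, so two samples that share a
    host (directly or through a chain of other samples) end up in one cluster."""
    parent = {}
    for sample, hosts in sample_c2.items():
        parent.setdefault(sample, sample)
        for host in hosts:
            parent.setdefault(host, host)
            parent[_find(parent, host)] = _find(parent, sample)
    groups = defaultdict(set)
    for node in parent:
        groups[_find(parent, node)].add(node)
    return sorted((frozenset(g) for g in groups.values()), key=len, reverse=True)

def shared_hosts(sample_c2, min_samples=2):
    """C2 hosts contacted by at least `min_samples` samples: the hub nodes an analyst
    pivots on next (hosting provider, registrant, TLS certificate reuse)."""
    count = defaultdict(int)
    for hosts in sample_c2.values():
        for host in set(hosts):
            count[host] += 1
    return {host: n for host, n in count.items() if n >= min_samples}

if __name__ == "__main__":
    for i, cluster in enumerate(cluster_infrastructure(SAMPLE_C2), 1):
        print(f"cluster {i}: {sorted(cluster)}")
    print("shared hosts:", shared_hosts(SAMPLE_C2))
```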
A screenshot of Group-IB’s Graph Network Analysis technology used in the investigation
“We are delighted to contribute to “Operation DISTANTHILL” and the dismantling of the malicious Android Trojan campaign. This successful operation is a testament to the power of collaboration between law enforcement agencies and the private sector in the fight against digital threats,” said Dmitry Volkov, CEO of Group-IB. “Through our worldwide network of Digital Crime Resistance Centers (DCRCs), including in Singapore, we are able to offer tailored solutions to address cybersecurity threats that are unique to our local clients, businesses, and their customers. We encourage others to join us in fighting cybercrime, and by pooling our resources, expertise, and technology, we can strengthen global cybersecurity. This partnership underscores our shared mission to relentlessly pursue cybercriminals and protect individuals and businesses from evolving threats, reinforcing the vital importance of public-private collaboration in securing our digital future.”
“Group-IB’s dedication to cybersecurity, as a member of the Cyber Security Action Task Force (CSATF) established by the Hong Kong Police Force (HKPF), reflects the collective effort of both public and private sectors in safeguarding our digital landscape,” said Chief Inspector CHENG. “This collaboration unites us to fortify our defences against evolving cyber threats. Through the rapid exchange of threat intelligence and knowledge sharing, a secure cyber environment for all is ensured. Group-IB’s invaluable contributions exemplify the spirit of cooperation essential in this endeavour.”
Group-IB is an APPACT partner of the SPF and was recognised for its contributions to investigations in 2022 and 2023. Since 2024, Group-IB has been a member of the HKPF Cyber Security Action Task Force (CSATF).