Turkish Government website spreads Android RAT! Well, that’s what the cybercriminals wanted us to believe.
Cyble Research & Intelligence Labs (CRIL) has uncovered a phishing site that spoofs the Turkish Government website, which deceives unsuspecting users and distributes a dangerous Android Remote Access Trojan (RAT).
The phishing site, hxxps://scanyalx[.]online, masquerades as a legitimate government platform from Turkey, specifically impersonating the e-Devlet kapısı (turkiye.gov.tr) website.
The e-Devlet kapısı is a genuine government site in Turkey, providing citizens with access to various government services, including social security documents, forensic clearance, traffic bills, tax debts, and more.
According to the CRIL report, the RAT’s ability to establish unauthorized access to infected devices, monitor user activity through keylogging, and control the device remotely through VNC poses significant risks to the privacy and security of victims.
Such malicious activities can result in the theft of sensitive personal and financial information, unauthorized access to confidential data, and potential compromise of other devices connected to the same network.

Spoof Turkish Government Website Spreads Android RAT
The highly unlikely situation, in which a Turkish Government website appears to spread an Android RAT, was created by exploiting the trust associated with the official platform through a look-alike replica of it.
Threat actors behind the campaign have crafted a deceptive phishing site that closely resembles the genuine government website, making it difficult for users to discern the fraudulent nature of the site.
The phishing site implements a clever tactic to deceive users by prompting them to verify returns for the Card Fee Payment System, requiring them to provide their identity information.
Upon entering their credentials, victims are redirected to another webpage displaying an alert regarding an outstanding amount of “5420 TL” (Turkish Lira). To receive an immediate refund for the payment, victims are instructed to download an application from the site.
Upon clicking the “Click to Download” button, the phishing site initiates the download of a malicious APK file named “edevletiadesistemi.apk.”
Interestingly, it has been observed that the malicious APK file is downloaded with different names, such as “edevlet.apk” and “cimer.apk,” each time victims enter their credentials and visit the download page.
“Upon further examination of the downloaded malicious file, it has been determined that the malware is a RAT that operates based on commands received from a Command and Control (C&C) server,” said the CRIL report.
“What makes this RAT particularly dangerous is its advanced functionality, including features such as VNC (Virtual Network Computing) and keylogging, enabling it to carry out a wide range of malicious activities covertly without raising suspicion.”
Technical analysis of the malicious APK file
In a deceptively simple process, victims are instructed to download an application from the site.
When the app is run, it unpacks a file called “classes2.dex” from the assets folder. This file contains classes that were missing from the main application file. The app uses this additional file to load the necessary classes and function properly.
After installation, the app loads an HTML file named “pmuxmlpr.html” from the assets folder. This file is displayed within a WebView, showing a message to the user. The message asks the user to complete an application and make an inquiry.
When the user clicks on the message, the app prompts the user to enable the Accessibility service on their device. Once enabled, the app exploits this service to carry out its malicious activities without the user’s knowledge.
These activities include preventing uninstallation, keylogging (recording keystrokes), and granting permissions without user consent, said the report.
The app contacts a Telegram account link to fetch the address of a Command and Control (C&C) server, trying multiple links until it finds an active one. Hosting the C&C address on a third-party service in this way lets the operators rotate servers without updating the app itself. The C&C server is then used for further operations and malicious activities.
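The three static traits described above (a DEX file hidden under assets/, an HTML lure page shipped in assets/ for the WebView, and a Telegram URL embedded in code to locate the C&C server) can be flagged during APK triage without running the sample. The following is an added example written for this article, not code from CRIL or from the analysed sample; the file names classes2.dex and pmuxmlpr.html come from the report, while the APK contents and the t.me URL are constructed placeholders.

```python
import io
import re
import zipfile

DEX_MAGIC = b"dex\n035\0"
TELEGRAM_RE = re.compile(rb"https?://(?:t\.me|telegram\.me)/[A-Za-z0-9_/]+")


def build_constructed_apk() -> bytes:
    """Constructed stand-in for the sample (not a real APK): only the entries
    needed to exercise the triage heuristics below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # placeholder binary XML
        z.writestr("classes.dex",
                   DEX_MAGIC + b"\x00" * 32 + b"https://t.me/placeholder_channel\x00")
        z.writestr("assets/classes2.dex", DEX_MAGIC + b"\x00" * 16)  # DEX hidden in assets/
        z.writestr("assets/pmuxmlpr.html", b"<html><body>Complete the application</body></html>")
        z.writestr("res/layout/main.xml", b"\x03\x00\x08\x00")
    return buf.getvalue()


def triage_apk(apk_bytes: bytes) -> dict:
    """Flag: DEX headers anywhere other than the package root (legitimate multidex
    files are top-level classesN.dex), HTML pages under assets/ (WebView lure),
    and Telegram URLs inside DEX code (C&C address lookup)."""
    findings = {"hidden_dex": [], "asset_html": [], "telegram_urls": set()}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            data = z.read(name)
            is_dex = data.startswith(DEX_MAGIC[:4])  # match on "dex\n", any version
            if is_dex and "/" in name:
                findings["hidden_dex"].append(name)
            if name.startswith("assets/") and name.lower().endswith((".html", ".htm")):
                findings["asset_html"].append(name)
            if is_dex:
                for url in TELEGRAM_RE.findall(data):
                    findings["telegram_urls"].add(url.decode())
    findings["telegram_urls"] = sorted(findings["telegram_urls"])
    return findings


if __name__ == "__main__":
    print(triage_apk(build_constructed_apk()))
```

On a real sample, pass the APK bytes read from disk to `triage_apk`; any non-empty finding is a reason to escalate the file for manual analysis, not proof of malice on its own.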
The RAT (Remote Access Trojan) performs various malicious actions based on commands received from the C&C server.
These actions include starting a Virtual Network Computing (VNC) service, stealing SMS messages, executing commands, collecting keylogs, launching or deleting applications, sending SMS messages, collecting contacts, and more. The RAT heavily relies on the Accessibility service to carry out these activities.
By incorporating VNC functionality, the RAT gains the ability to execute unauthorized transactions, exfiltrate sensitive data, and interact with the user interface of targeted applications.
The RAT also manipulates the clipboard’s content, initiates phone calls, and collects personally identifiable information (PII) from the infected device. The stolen data is transmitted back to the C&C server.
Overall, the RAT is fully operational and capable of carrying out a wide range of malicious activities, compromising the privacy and security of the infected device and of the unsuspecting user who was lured by the spoofed Turkish Government website.