Turkish Government website spreads Android RAT! Well, that’s what the cybercriminals wanted us to believe.
Cyble Research & Intelligence Labs (CRIL) has uncovered a phishing site that spoofs the Turkish Government website, which deceives unsuspecting users and distributes a dangerous Android Remote Access Trojan (RAT).
The phishing site, hxxps://scanyalx[.]online, masquerades as a legitimate government platform from Turkey, specifically impersonating the e-Devlet kapısı (turkiye.gov.tr) website.
The e-Devlet kapısı is a genuine government site in Turkey, providing citizens with access to various government services, including social security documents, forensic clearance, traffic bills, tax debts, and more.
According to the CRIL report, the RAT’s ability to establish unauthorized access to infected devices, monitor user activity through keylogging, and control the device remotely through VNC poses significant risks to the privacy and security of victims.
Such malicious activities can result in the theft of sensitive personal and financial information, unauthorized access to confidential data, and potential compromise of other devices connected to the same network.
Spoof Turkish Government Website Spreads Android RAT
The improbable scenario of a Turkish Government website spreading an Android RAT was manufactured by exploiting the trust users place in the official platform: the attackers built a replica of it.
Threat actors behind the campaign have crafted a deceptive phishing site that closely resembles the genuine government website, making it difficult for users to discern the fraudulent nature of the site.
The phishing site lures users with a request to verify refunds under a "Card Fee Payment System", which requires them to enter their identity information.
After entering their credentials, victims are redirected to a second page that displays an alert about an outstanding amount of "5420 TL" (Turkish Lira). To receive an immediate refund of that amount, victims are instructed to download an application from the site.
Upon clicking the “Click to Download” button, the phishing site initiates the download of a malicious APK file named “edevletiadesistemi.apk.”
Notably, the same malicious APK is also served under other names, such as "edevlet.apk" and "cimer.apk", on each visit to the download page after credentials have been entered.
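A payload served under a rotating filename is a common way to defeat filename-based blocklists, and the first triage step a responder would take is to ignore the name and compare the bytes. The following added example (not code from the CRIL report or the campaign) shows that step: it hashes each download, groups downloads that are the same file, and applies a cheap structural check that a genuine APK must pass (a zip containing AndroidManifest.xml and classes.dex). The sample downloads are constructed in memory as placeholders; the filenames are the ones the report lists, the contents are not the real malware, and the fourth non-APK response is an assumed decoy added to show the rejection path.

```python
from __future__ import annotations

import hashlib
import io
import zipfile


def _fake_apk(manifest: bytes, dex: bytes) -> bytes:
    """Build a minimal APK-shaped zip for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


# Constructed sample set: one placeholder payload served under the three
# names from the report, plus an assumed non-APK decoy response.
_PAYLOAD = _fake_apk(b"<manifest package='placeholder'/>", b"dex\n035\0placeholder")
SAMPLE_DOWNLOADS = {
    "edevletiadesistemi.apk": _PAYLOAD,
    "edevlet.apk": _PAYLOAD,
    "cimer.apk": _PAYLOAD,
    "not-an-apk.apk": b"<html>redirect</html>",  # assumption: decoy, not an APK
}


def sha256_hex(data: bytes) -> str:
    """Content hash; the filename plays no part in identifying the payload."""
    return hashlib.sha256(data).hexdigest()


def looks_like_apk(data: bytes) -> bool:
    """Structural check: a readable zip holding the two entries every APK carries."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return {"AndroidManifest.xml", "classes.dex"} <= names


def group_by_hash(downloads: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each distinct SHA-256 to the filenames it was served under."""
    groups: dict[str, list[str]] = {}
    for name, data in downloads.items():
        groups.setdefault(sha256_hex(data), []).append(name)
    return groups


def triage(downloads: dict[str, bytes]) -> tuple[dict[str, list[str]], list[str]]:
    """Return (hash -> sorted filenames) for APK-shaped files, and the rejected names."""
    apks = {n: d for n, d in downloads.items() if looks_like_apk(d)}
    rejected = sorted(n for n in downloads if n not in apks)
    groups = {h: sorted(ns) for h, ns in group_by_hash(apks).items()}
    return groups, rejected


if __name__ == "__main__":
    groups, rejected = triage(SAMPLE_DOWNLOADS)
    for digest, names in groups.items():
        print(f"{digest[:16]}...  served as: {', '.join(names)}")
    print("rejected (not APK-shaped):", rejected)
```

Grouping by SHA-256 collapses the three renamed downloads into a single payload to analyse and to block, and the structural check separates real APKs from HTML or redirect responses before any further analysis. Replace the constructed dictionary with files read from disk to run it against real captures.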
“Upon further examination of the downloaded malicious file, it has been determined that the malware is a RAT that operates based on commands received from a Command and Control (C&C) server,” said the CRIL report.
“What makes this RAT particularly dangerous is its advanced functionality, including features such as VNC (Virtual Network Computing) and keylogging, enabling it to carry out a wide range of malicious activities covertly without raising suspicion.”
Technical analysis of the malicious APK file
In a deceptively simple process, victims are instructed to download an application from the site.