Latest RAT Variant Incorporates VNC and Keylogging Features
In the ever-expanding digital landscape, where our lives are increasingly intertwined with technology, threats to our online security have become more prevalent than ever before. Phishing attacks, in particular, have emerged as a nefarious method employed by cybercriminals to trick unsuspecting users into revealing sensitive information or unknowingly downloading malware onto their devices.
Cyble Research & Intelligence Labs (CRIL) recently identified a phishing site hxxps://scanyalx[.]online masquerading as a legitimate government platform from Turkey which not only aims to deceive users but also distributes a dangerous Android Remote Access Trojan (RAT).
The phishing site impersonates a genuine government site from Turkey named “e-Devlet kapısı (turkiye.gov.tr)”. This government site provides a platform to access government services such as social security documents, forensic clearance, traffic bills, tax debts, and many more.
The Threat Actor (TA) behind this campaign has precisely crafted a phishing site that bears a striking resemblance to a genuine government website, deceiving unsuspecting users into believing they are engaging with a legitimate organization. The phishing site employs a clever tactic, prompting users to verify returns for the Card Fee Payment System by providing their identity information.
After the victim enters their credentials, the phishing site proceeds to open the next webpage. This webpage notifies the victim about the due amount of “5420 TL” and prompts them to download an application in order to receive an immediate refund for the payment. The provided figure illustrates this situation.
When the victim clicks on the “Click to Download” button, the phishing site initiates the download of a malicious APK file named “edevletiadesistemi.apk”. Interestingly, we have noticed that each time victims enter their credentials and visit the download page, the malicious APK file is downloaded with a different name, such as “edevlet.apk” and “cimer.apk”.
Upon further examination of the downloaded malicious file, it has been determined that the malware is a RAT that operates based on commands received from a Command and Control (C&C) server. What makes this RAT particularly dangerous is its advanced functionality, including features such as VNC (Virtual Network Computing) and keylogging, enabling it to carry out a wide range of malicious activities covertly without raising suspicion.
In the technical analysis section, we delve into a detailed description of the RAT’s features, shedding light on how it operates and the potential risks it poses.
Technical Analysis
APK Metadata Information  
- App Name: Aidat Ä°adesi
- Package Name: com.wraraooezwnvxnzd.tdjfjskljirvxhpbj
- SHA256 Hash: 414ea005199ba221c0048a4a7c544ae3e0891c9fe1634bbfc0cd6f3938b5f029
  
The below figure shows the metadata information of the application. 
The absence of components other than the application’s subclass in the Manifest file suggests that the application is packed. As a result, when the application is run, it unpacks the DEX file found in the assets folder and proceeds to load the classes it contains.
The dropped DEX file in the zip folder “secondary-dexes/base.apk.classes2.zip”, named “classes2.dex,” contains all the classes that were missing.
After installation, the RAT loads an HTML file called “pmuxmlpr.html” from the assets folder. This HTML file is then displayed within a WebView, showing a message that says “BaÅŸvuruyu Tamamla Ve Sorgulama Yap!” (which translates to “Complete the Application and Make an Inquiry!”).
Upon clicking on the message, the RAT prompts the user to enable the Accessibility service. Once enabled, the malware exploits this service to carry out its malicious activities, including preventing uninstallation, keylogging, and granting permissions without the user’s knowledge.
Subsequently, the RAT establishes communication with a Telegram account link to fetch the C&C server address from the webpage. The malware includes three links in its code, consisting of two Telegram account links and one icq account link. It tries to connect all the available links until it receives an active C&C server, allowing it to fetch and establish a connection with the C&C server for further operations and malicious activities.
TAs commonly employ this tactic to conceal the C&C server and avoid detection. In this scenario, RAT retrieves an encrypted value from the Telegram account. Subsequently, it decrypts this value and establishes a connection with the actual C&C server hxxps://a2a2a2a[.]life/sk.
The RAT performs a range of malicious operations upon receiving commands from the C&C server. These activities include keylogging, gathering sensitive data, initiating VNC (Virtual Network Computing), and various others.
Below is a list of the commands utilized by the RAT to carry out its malicious activities.
| Command | Description |
| actvnc | Starts VNC service |
| allsms | Steals SMS |
| bloapp | Receives application name to stop execution |
| keylog | Collects keylogs |
| fillfocus | Enter a value in a text edit field |
| remjob | Execute commands |
| runapp | Launch application |
| trasms | Steal incoming SMS |
| permdrawover | Prompts the user to grant overlay permissions |
| permbat | Prompts the user to grant battery optimization permission |
| copyclip | Copy text to clipboard |
| unbloapp | Removes package name from BLOCK_APP list |
| updateinfo | Send updated stolen data |
| ini | Send basic device information |
| log | Get status value |
| reg | Get USER_SECRETE shared preference value |
| call | Calls from the infected device |
| ghost | Gets Accessibility node information |
| lockscr | Locks screen |
| permperm | Prompts to grant permission based on value received from the server |
| instapps | Collects installed application package names |
| permwrite | Prompts to grant permission to modify system settings |
| singlelock | Perform global action |
| setbright | Modify brightness |
| remprot | Uninstall application |
| mutesound | Mute audio |
| getcontacts | Collect contacts |
| destroy | Delete application |
| sendsms | Send an SMS from an infected device |
The RAT heavily depends on the Accessibility service to carry out its malicious activities. In a particular scenario, when the malware receives a command called “Ghost” from the C&C server. Upon receiving this command, the malware captures all the information about the active window on the infected device, including text and other user interface (UI) components, as depicted in the figure below.
Virtual Network Computing (VNC) has become a popular tool among Android malware developers, enhancing the RAT capabilities of their creations. The RAT cleverly incorporates VNC functionality into its arsenal. When the RAT receives the command “actVNC,” it springs into action, initiating VNC. This powerful feature empowers the RAT to execute a surplus of malicious activities, ranging from executing unauthorized transactions to silently exfiltrating sensitive data. The incorporation of VNC not only makes the RAT more sophisticated but also raises concerns about the potential impact it can have on unsuspecting victims.
To implement the VNC feature, the malware utilizes a readily available open-source Android library called “rtmp-rtsp-stream-client-java”, which offers the capability to stream audio and video content and abuses Accessibility service to interact with UI elements to perform operations.
Furthermore, the malware can manipulate the text edit field within the targeted application running on the infected device. This feature may enable the TA to engage in fraudulent activities by monitoring VNC streaming and exploiting the Accessibility Service to interact with the application.
Likewise, RATs can modify the clipboard’s content according to commands received from the C&C server. The provided code snippet demonstrates how the malware assigns the received value from the C&C server to the clipboard. By manipulating the clipboard’s content, the malware can carry out unauthorized transactions without the user’s awareness.
Upon receiving the command “sendsms,” the RAT proceeds to send an SMS from an infected device to the phone number specified by the C&C server. The SMS body content is also obtained from the C&C server, as depicted in the figure below. The malware may utilize this SMS functionality to distribute itself by sending messages to the contacts of victims or subscribing them to premium services without their knowledge or consent.
Also, the malware is capable of initiating phone calls from an infected device to the number provided by the C&C server without any user interaction when the command “call” is received.
Additionally, the RAT gathers Personally Identifiable Information (PII) from the infected device, including contacts, SMS messages, basic device details, and the package names of installed applications. Subsequently, the malware proceeds to transmit the stolen data to the C&C server.
The RAT carries out various actions, including launching or deleting applications, muting the device, adjusting brightness settings, requesting permissions, executing commands, and more. These capabilities demonstrate that the RAT is fully operational and capable of carrying out malicious activities.
Conclusion
TAs often employ tactics of impersonation, specifically targeting trusted entities such as government agencies or well-known institutions. By exploiting individuals’ unwavering trust in these organizations, TAs craft highly deceptive phishing websites and distribute malware to unsuspecting victims. In this particular scenario, the TA utilizes the Turkish Government website as a lure, enticing individuals into unwittingly downloading a dangerous RAT. This RAT possesses the capability to execute advanced features like VNC, enabling cybercriminals to carry out a range of malicious activities.
The stealthy nature of this RAT raises significant concerns. Its ability to operate covertly and receive commands from a remote server grants cybercriminals the freedom to engage in nefarious actions without fear of detection. The potential consequences for victims can be severe. It is essential for individuals to maintain a state of vigilance and continually educate themselves about the threats that exist within the online landscape. By remaining aware of the existence of phishing sites and their deceptive techniques, users can proactively safeguard themselves against falling prey to such scams.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Never share your Card Details, CVV number, Card PIN, and Net Banking Credentials with an untrusted source.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1623.001 | Command and Scripting Interpreter: Unix Shell |
| Persistence | T1624.001 | Event-Triggered Execution: Broadcast Receivers |
| Defense Evasion | T1630.001 | Indicator Removal on Host: Uninstall Malicious Application |
| Impact | T1516 | Input Injection |
| Collection | T1417.001 | Input Capture: Keylogging |
| Collection | T1616 | Call Control |
| Collection | T1636.003 | Protected User Data: Contact List |
| Collection | T1636.004 | Protected User Data: SMS Messages |
| Discovery | T1418 | Software Discovery |
| Exfiltration | T1412 | Exfiltration Over C2 Channel |
| Impact | T1641 | Data Manipulation |
| Impact | T1582 | SMS Control |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 414ea005199ba221c0048a4a7c544ae3e0891c9fe1634bbfc0cd6f3938b5f029 | SHA256 | edevletiadesistemi.apk |
| 27fc0d3baddc7070f9e35a4c7f1d349435041949 | SHA1 | edevletiadesistemi.apk |
| 53970ff7dd8edaec7fc0cdd030c0b038 | MD5 | edevletiadesistemi.apk |
| 68b56ef06b2c9403ade11bebef939fa4e754f44647cd2e313355568f87739942 | SHA256 | Cimer.apk |
| d537bc931f4e967269502e0c764cf623a18e1735 | SHA1 | Cimer.apk |
| e69248a7308436d8c6dde803c22821cb | MD5 | Cimer.apk |
| 68035c06c9ee1076a40d270029522dd21136e5c4bbec534768d2296af2212062 | SHA256 | edevlet.apk |
| efabb77fa3b4f745b796043e23a853d905692151 | SHA1 | edevlet.apk |
| 0b4b6c0cbeb4ed114bed28960aaa6af0 | MD5 | edevlet.apk |
| hxxps://t[.]me/pempeppepepep | URL | Webpage to fetch C&C address |
| hxxps://icq[.]im/AoLH58pXY8ejJTQiWg8 | URL | Webpage to fetch C&C address |
| hxxps://t[.]me/xpembeppep2p2 | URL | Webpage to fetch C&C address |
| hxxps://a2a2a2a[.]life/sk | URL | C&C server |
