Shortly after the COVID-19 pandemic began, there was a spike in threat infrastructure using the crisis to bait, deceive, and social engineer victims. Reports of threat campaigns attempting to fool Turkish-speaking users into downloading Android apps containing the Cerberus and Anubis banking trojans surfaced. Today, new RiskIQ data shows these attacks have not stopped, shedding light on the full extent of these campaigns.
In May 2020, threat researcher BushidoToken authored a blog pulling together multiple indicators, some appearing as early as April 2020, from researchers tracking Cerberus and Anubis activity targeting Turkish speakers. These two remote access Trojans (RATs), which follow a malware-as-a-service model, steal user credentials to access bank accounts. Highly deceptive, they can overlay over other apps (dynamic overlays), capture keystrokes, SMS harvest and send, call forward, and access other sensitive data across the device.
The campaigns exploited the pandemic to distribute malicious Android applications via web pages promising free internet packages to encourage people to stay home. To get the "free internet," users only had to install an application on their phones. In all, BushidoToken compiled 24 .apk filenames connected to the campaigns and a long list of domains and URLs. However, recent RiskIQ research shows these campaigns went on for much longer, with more infrastructure and tactics than outlined in May reporting.
We tapped our Internet Intelligence Graph to expand on these indicators, uncovering 532 hosts belonging to the group and adding new in-depth analysis of the campaign. We refer to this related activity as 'Turkey Dog.'
Turkey Dog Activity Has Spanned the Pandemic—And Hundreds of Domains
A year into the pandemic, Turkey Dog-related activity is ongoing with campaigns that continue to use the "free internet" lures. These current campaigns use lure pages that promise cash payments of thousands of Turkish Lira, purporting to be tied to the Turkish government. For example, according to Google Translate, the page below states, "Final Phase Pandemic Support Application - 3,000TL State Support for All Applicants!" Another features an image of Turkish Minister of Health Dr. Fahrettin Koca's imageKoca and promises 1,000 lira for "everyone applying!"
Some of the lure pages, like the ones described above, use whos.amung.us scripts for tracking purposes. With RiskIQ's Internet Intelligence Graph, we can use unique identifiers connected with these scripts to associate multiple Turkey Dog domains. For instance, a RiskIQ crawl of pandemidesteklerim[.]com observed the whos.amung.us ID loaded on the page, which we've seen on 431 hosts since April 26, 2020. We also found a Google Analytics tracking ID connected to 52 Turkey Dog domains since October 25, 2020.
Turkey Dog Copies Pages for Quick Distribution
Lure pages like the ones above appear on multiple domains. In some cases, the content was copied from one domain to another using the HTTrack website copier so they can be quickly replicated and deployed. In RiskIQ Community, we see several Turkey Dog domains that copied content from another malicious domain, tekmillet-trdiyalogweb-login[.]com.
Some of these pages and the mobile apps that help spread them were distributed through the messaging platform Discord via Twitter.
Turkey Dog Apps Can (Unfortunately) Do it All
Because RiskIQ regularly crawls malicious app distribution URLs based on various internal and external feeds, we can directly observe the lure pages used by malicious Android applications (the examples above are drawn from this crawling). We can also download the malicious .apks and submit them to VirusTotal for further insights such as external blacklist hits and store and index them for further internal research.
The mobile app landscape is likely teeming with Turkey Dog mobile apps. A quick search for blacklisted samples of one known Turkey Dog APK, "edestek.apk ("destek" is Turkish for "support")," yields 90 results from as many unique Turkey Dog URLs. All 90 of these samples can read, receive, and send SMS messages, allowing them to circumvent SMS two-factor authentication. Many of them can also record audio, perform full-screen overlays to present a false login page for harvesting banking credentials, and download additional software packages.
Defend Your Attack Surface from Threats Like Turkey Dog
A year later, cybercriminals continue to use the COVID-19 pandemic as a lure for victims. Turkey Dog activity has gone on unabated for months, likely claiming a significant group of victims and separating them from their banking login credentials and other sensitive information.
Cerberus and Anubis have surfaced in all corners of the cyberthreat landscape and have proven to be potent tools for their operators. RiskIQ's unique vantage point of the internet gives us code-level insight into the infrastructure surrounding these popular malware-as-a-service Trojans. Our Internet Intelligence Graph then shows how it's connected across the web so our customers can understand the scope of campaigns like Turkey Dog's, including their tools and tactics and how they evolve.