Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hello, May I Own Your Phone?

Anshuman
November 14, 2022
Research
0
150

Hello, May I Own Your Phone?

We (Aryan and I) presented these slides at the Bsides Delhi 2022 conference. In which we discussed a long-running scam campaign that targets BFSI sector customers and uses sophisticated RAT to steal customers' SMS and Call logs.

Anshuman

November 14, 2022
Tweet

More Decks by Anshuman

See All by Anshuman
Threat Actors are targeting BFSI Sector using Improvised Modus Operandi in India
0x1shu
0
230
My Journey to InfoSec
0x1shu
0
87

Other Decks in Research

See All in Research
Source Code Diff Revolution (JetBrains Open Reading Club)
tsantalis
0
240
第12回全日本コンピュータビジョン勉強会:画像の自己教師あり学習における大規模データセット
naok615
0
490
[KDD2023論文読み会] BERT4CTR: An Efficient Framework to Combine Pre-trained Language Model with Non-textual Features for CTR Prediction / KDD2023 LY Tech Reading
shunk031
0
420
第4回ナレッジグラフ勉強会:ISWC2023論文読み会
kg_wakate
1
200
データで診て考える合志市の渋滞と公共交通 ~めざせ 車1割削減、渋滞半減、公共交通2倍~
trafficbrain
0
450
10-ot-generic-bio.pdf
gpeyre
0
120
FMP L3 Year 1 Project Proposal
haiinya
0
150
CSC590 Lecture 01
javiergs
PRO
0
130
クリック率を最大化しない推薦システム
joisino
41
14k
[2023 CCSE] ZOZOTOWN検索における 研究開発の取り組みについて
tomoyayama
0
120
First Authorに俺はなるっ!! IROS’23 CCC2023 FY
shota_nishiyama
0
170
Webスケールデータセットに対する実用的なポイズニング手法 / Poisoning Web-Scale Training Datasets is Practical
nttcom
0
110

Featured

See All Featured
Side Projects
sachag
451
41k
Gamification - CAS2011
davidbonilla
76
4.6k
The Brand Is Dead. Long Live the Brand.
mthomps
48
26k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
16
6.3k
GraphQLの誤解/rethinking-graphql
sonatard
49
9.2k
Building Your Own Lightsaber
phodgson
97
5.7k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
12
1.5k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
The Cult of Friendly URLs
andyhume
73
5.6k
4 Signs Your Business is Dying
shpigford
175
21k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
19
1.9k

Transcript

  1. 2022 Hello, May I Own Your Phone?

  2. Who are we? Aryan Singh • Sr. Threat Researcher 1

    @CloudSEK Anshuman Das • Cyber Threat Researcher @CloudSEK • Co-Author @securityzines.com Twitter: twitter.com/0x1shu LinkedIn: linkedin.com/in/0x1shu LinkedIn: linkedin.com/in/aryan-singh-me

  3. Agenda • Classical scams in India • Our Research •

    The Malware • Evolution Over Time • Similar Campaign • Q&A

  4. Credit:

  5. Our Research • Evolution of Cybercriminals in India • Threat

    Actors shifting to sophisticated TTPs • Skilled folks moving into or supporting Cybercriminals • Threat actors are embracing new Technology at rapid rates

  6. The Malware

  7. Delivery Mechanism • Smishing • URL Shortener

  8. Features of the Malware

  9. None

  10. Persistence Mechanism

  11. Data Exfiltration Sending SMS to C2 Server Exfiltrating Call Logs

  12. Put Device on Silent C2 Server

  13. Deletion of SMS Deleting SMS

  14. Encrypted Data Exfiltration Encryption Function Key

  15. Banking Credentials C2 Server Post-infection Attack Chain

  16. C2 Server cmd_silent Init. Transaction Bank

  17. C2 Server Bank OTP:12345 cmd_upload_sms OTP:12345 Transaction Complete

  18. C2 Server cmd_delete_sms Bank OTP:12345

  19. Evolution Over time Type 1 <bank-name>reward/s.TLD <bank-name>point/s.TLD Type 2 <random

    characters>.TLD <generic-names>.TLD Type 3 e.g. XYZrewards.com XYZpoints.in e.g. kjasjdkakhasd87219382.link e.g. cashpoints.in Delivery Mechanism

  20. Evolved Malware Features in initial version Features addition in newer

    version

  21. Similar Campaign

  22. None
  23. None