
Hello, May I Own Your Phone?

Anshuman
November 14, 2022

We (Aryan and I) presented these slides at the BSides Delhi 2022 conference, where we discussed a long-running scam campaign that targets BFSI-sector customers and uses a sophisticated RAT to steal customers' SMS and call logs.


Transcript

  1. Hello, May I Own Your Phone? (2022)

  2. Who are we?
    Aryan Singh
    ● Sr. Threat Researcher 1 @CloudSEK
    ● LinkedIn: linkedin.com/in/aryan-singh-me
    Anshuman Das
    ● Cyber Threat Researcher @CloudSEK
    ● Co-Author @securityzines.com
    ● Twitter: twitter.com/0x1shu
    ● LinkedIn: linkedin.com/in/0x1shu

  3. Agenda
    ● Classical scams in India
    ● Our Research
    ● The Malware
    ● Evolution Over Time
    ● Similar Campaign
    ● Q&A

  4. Our Research
    ● Evolution of Cybercriminals in India
    ● Threat Actors shifting to sophisticated TTPs
    ● Skilled folks moving into or supporting Cybercriminals
    ● Threat actors are embracing new Technology at rapid rates

  5. Delivery Mechanism
    ● Smishing
    ● URL Shortener

  6. Features of the Malware

  7. Persistence Mechanism

  8. Data Exfiltration
    ● Sending SMS to C2 Server
    ● Exfiltrating Call Logs

  9. Put Device on Silent
    C2 Server

  10. Deletion of SMS
    Deleting SMS

  11. Encrypted Data Exfiltration
    Encryption Function
    Key

  12. Banking Credentials
    C2 Server
    Post-infection Attack Chain

  13. Post-infection attack chain (1/3)
    C2 Server → infected device: cmd_silent
    C2 Server → Bank: Init. Transaction

  14. Post-infection attack chain (2/3)
    Bank → infected device: OTP:12345
    C2 Server → infected device: cmd_upload_sms
    infected device → C2 Server: OTP:12345
    Bank: Transaction Complete

  15. Post-infection attack chain (3/3)
    C2 Server → infected device: cmd_delete_sms
    Bank SMS "OTP:12345" removed from the device
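The three slides above are a sequence diagram; the following is an added, constructed model of that exchange and is not code from the deck or from the malware. Only the command names cmd_silent, cmd_upload_sms and cmd_delete_sms come from the slides; the message shapes, the device state, the OTP regex and the bank sender ID are assumptions. It shows why the order matters: the phone is silenced before the transaction starts, the inbox is uploaded while the bank's OTP is sitting in it, and the SMS is deleted afterwards so the victim never sees it. One caveat the deck does not state: on Android 4.4 and later only the default SMS app can delete messages from the SMS provider, so a working cmd_delete_sms implies the RAT has obtained that role; the model does not attempt to show how.

```python
import re
from dataclasses import dataclass, field

# Constructed model of the post-infection chain drawn on slides 13-15.
# Command names are the deck's; everything else here is assumed.

OTP_RE = re.compile(r"\b(\d{4,8})\b")  # assumption: OTPs are 4-8 digit tokens


@dataclass
class Sms:
    sender: str
    body: str


@dataclass
class InfectedDevice:
    """Minimal stand-in for the victim's phone as the RAT sees it."""
    ringer_silent: bool = False
    inbox: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def receive_sms(self, sender, body):
        # Bank -> device. On a silenced phone the victim is not alerted.
        self.inbox.append(Sms(sender, body))
        self.log.append(f"device: sms from {sender} (silent={self.ringer_silent})")

    def handle(self, command):
        # C2 -> device. Each command returns what the RAT would send back.
        if command == "cmd_silent":
            self.ringer_silent = True
            self.log.append("device: ringer set to silent")
            return {"ok": True}
        if command == "cmd_upload_sms":
            self.log.append(f"device: uploading {len(self.inbox)} sms")
            return {"ok": True, "sms": [(s.sender, s.body) for s in self.inbox]}
        if command == "cmd_delete_sms":
            removed = len(self.inbox)
            self.inbox.clear()
            self.log.append(f"device: deleted {removed} sms")
            return {"ok": True, "deleted": removed}
        return {"ok": False, "error": "unknown command"}


def extract_otp(messages, bank_sender):
    """C2-side helper: pull the first OTP-looking token out of the bank's SMS."""
    for sender, body in messages:
        if sender == bank_sender:
            m = OTP_RE.search(body)
            if m:
                return m.group(1)
    return None


def run_attack_chain(device, bank_sender="VM-BANKXY", otp="12345"):
    """Replay slides 13-15 and return what the attacker ends up with."""
    trace = []
    # Slide 13: silence the phone, then start the transaction at the bank.
    trace.append(("c2->device", "cmd_silent", device.handle("cmd_silent")))
    trace.append(("c2->bank", "Init. Transaction", None))
    # Slide 14: bank sends the OTP; the RAT uploads the inbox; C2 extracts it.
    device.receive_sms(bank_sender, f"Your OTP for the transaction is {otp}. Do not share it.")
    upload = device.handle("cmd_upload_sms")
    trace.append(("c2->device", "cmd_upload_sms", upload))
    stolen = extract_otp(upload["sms"], bank_sender)
    trace.append(("c2->bank", f"OTP:{stolen}", "Transaction Complete"))
    # Slide 15: remove the evidence so the victim never reads the bank's SMS.
    trace.append(("c2->device", "cmd_delete_sms", device.handle("cmd_delete_sms")))
    return {"stolen_otp": stolen, "inbox_after": len(device.inbox),
            "victim_alerted": not device.ringer_silent, "trace": trace}


if __name__ == "__main__":
    result = run_attack_chain(InfectedDevice())
    for step in result["trace"]:
        print(step)
    print("stolen OTP:", result["stolen_otp"], "| inbox left:", result["inbox_after"])
```

Run as a script it prints the six-step trace; the end state (OTP held by the C2, empty inbox, silent ringer) is what a victim-side investigation has to reconstruct from carrier records and the bank's transaction log, since the phone itself no longer shows the message.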

  16. Evolution Over Time: Delivery Mechanism
    Type 1: reward/s.TLD, point/s.TLD (e.g. XYZrewards.com, XYZpoints.in)
    Type 2: [random label].TLD (e.g. kjasjdkakhasd87219382.link)
    Type 3: e.g. cashpoints.in
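As an added example (not CloudSEK's tooling or anything from the deck), the following triages a smishing link the way slides 5 and 16 describe them: it strips the URL down to the registrable domain, flags known shorteners that must be resolved before judging, and then looks for the two lure patterns the slide shows, a lure keyword in the label (reward/point/cash, taken from the slide's examples) or a random-looking label. The shortener list, the two-label public suffixes, the entropy and digit thresholds, and the mapping of verdicts onto the deck's Type 1/2/3 are all my assumptions; the sample URLs are constructed to mirror the slide's examples.

```python
import math
from urllib.parse import urlsplit

# Constructed triage for the smishing links on slides 5 and 16. Lure keywords
# come from the slide's examples; the shortener list, multi-label suffixes,
# thresholds and verdict wording are assumptions, not the researchers' rules.

LURE_WORDS = ("reward", "point", "cash")
SHORTENERS = {"bit.ly", "tinyurl.com", "cutt.ly", "rb.gy", "t.ly"}  # assumed
KNOWN_TLDS_2 = {"co.in", "com.au", "co.uk"}  # assumed two-label public suffixes


def shannon_entropy(s):
    """Bits per character over the label; higher means less word-like."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def registrable_domain(url):
    """Return (label, tld) for the host of url, e.g. ('xyzrewards', 'com')."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    host = host.lower().rstrip(".")
    parts = host.split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in KNOWN_TLDS_2:
        return parts[-3], ".".join(parts[-2:])
    if len(parts) >= 2:
        return parts[-2], parts[-1]
    return host, ""


def looks_random(label):
    """Random-looking label, like kjasjdkakhasd87219382 on slide 16 (assumed thresholds)."""
    digits = sum(ch.isdigit() for ch in label)
    return digits >= 4 or (len(label) >= 15 and shannon_entropy(label) >= 3.4)


def triage_link(url):
    """Classify one smishing URL into the signals an analyst would pivot on."""
    label, tld = registrable_domain(url)
    host = f"{label}.{tld}" if tld else label
    keywords = [w for w in LURE_WORDS if w in label]
    signals = {
        "host": host,
        "shortener": host in SHORTENERS,
        "lure_keywords": keywords,
        "random_label": looks_random(label),
        "entropy": round(shannon_entropy(label), 2),
    }
    if signals["shortener"]:
        signals["verdict"] = "shortener: resolve redirect before judging"
    elif keywords:
        signals["verdict"] = "lure-keyword domain (slide's Type 1 / Type 3 style)"
    elif signals["random_label"]:
        signals["verdict"] = "random-label domain (slide's Type 2 style)"
    else:
        signals["verdict"] = "no pattern match"
    return signals


if __name__ == "__main__":
    # Constructed sample lures modelled on the slide's examples.
    for u in ["https://XYZrewards.com/claim", "http://xyzpoints.in/",
              "https://kjasjdkakhasd87219382.link/app.apk",
              "cashpoints.in/redeem", "https://bit.ly/3abcXYZ",
              "https://www.examplebank.co.in/login"]:
        s = triage_link(u)
        print(f"{s['host']:<32} entropy={s['entropy']:<5} {s['verdict']}")
```

The keyword check is deliberately a substring match on the label, so brand-prefixed names such as XYZrewards.com and bare names such as cashpoints.in both trip it; the random-label check fires on digit-heavy labels first and falls back to an entropy floor only for long labels, which keeps short dictionary names like cashpoints out of that bucket.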

  17. Evolved Malware
    Features in initial version
    Features added in newer version

  18. Similar Campaign