Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hello, May I Own Your Phone?

Anshuman
November 14, 2022

Hello, May I Own Your Phone?

We (Aryan and I) presented these slides at the Bsides Delhi 2022 conference. In which we discussed a long-running scam campaign that targets BFSI sector customers and uses sophisticated RAT to steal customers' SMS and Call logs.

Anshuman

November 14, 2022
Tweet

More Decks by Anshuman

Other Decks in Research

Transcript

  1. 2022 Hello, May I Own Your Phone?

  2. Who are we? Aryan Singh • Sr. Threat Researcher 1

    @CloudSEK Anshuman Das • Cyber Threat Researcher @CloudSEK • Co-Author @securityzines.com Twitter: twitter.com/0x1shu LinkedIn: linkedin.com/in/0x1shu LinkedIn: linkedin.com/in/aryan-singh-me
  3. Agenda • Classical scams in India • Our Research •

    The Malware • Evolution Over Time • Similar Campaign • Q&A
  4. Credit:

  5. Our Research • Evolution of Cybercriminals in India • Threat

    Actors shifting to sophisticated TTPs • Skilled folks moving into or supporting Cybercriminals • Threat actors are embracing new Technology at rapid rates
  6. The Malware

  7. Delivery Mechanism • Smishing • URL Shortener

  8. Features of the Malware

  9. None
  10. Persistence Mechanism

  11. Data Exfiltration Sending SMS to C2 Server Exfiltrating Call Logs

  12. Put Device on Silent C2 Server

  13. Deletion of SMS Deleting SMS

  14. Encrypted Data Exfiltration Encryption Function Key

  15. Banking Credentials C2 Server Post-infection Attack Chain

  16. C2 Server cmd_silent Init. Transaction Bank

  17. C2 Server Bank OTP:12345 cmd_upload_sms OTP:12345 Transaction Complete

  18. C2 Server cmd_delete_sms Bank OTP:12345

  19. Evolution Over time Type 1 <bank-name>reward/s.TLD <bank-name>point/s.TLD Type 2 <random

    characters>.TLD <generic-names>.TLD Type 3 e.g. XYZrewards.com XYZpoints.in e.g. kjasjdkakhasd87219382.link e.g. cashpoints.in Delivery Mechanism
  20. Evolved Malware Features in initial version Features addition in newer

    version
  21. Similar Campaign

  22. None
  23. None