
Threat Actors are targeting BFSI Sector using Improvised Modus Operandi in India

Anshuman
August 27, 2022


On 27th August 2022, at the Null Bangalore Chapter, I presented the various TTPs and modus operandi being used by threat actors to target the customers of the BFSI sector.




Transcript

  1. Threat Actors are targeting BFSI Sector using Improvised Modus Operandi in India
    Anshuman

  2. About Me
    Anshuman (a.k.a. @0x1shu)
    Cyber Threat Researcher @ [logo]
    Co-Author @ securityZines

  3. Agenda
    • Generic modus operandi
    • Improvised modus operandi
    • Solutions?

  4. Generic Modus Operandi
    Improvised Modus Operandi

  5. Scam through Phishing Domains [Traditional]
    Real Domain: xyzbank.com
    Fake Domains: xyzbankk.com, xyz-baank.com, xyzbank.online (termed as "Typosquatting")
    Generic Modus Operandi:
    • Host the same content
    • Credential harvesting
    • Sensitive data


  6. Using Vishing / Smishing Techniques
    Generic Modus Operandi:
    • Smishing: "Your card has been blocked. To activate, visit bankk.com/uploads"
    • Vishing: calling from a fake customer care number
    • Misused IVR [Interactive Voice Response] system

  7. Examples...


  8. Fake/Malicious App in 3rd-Party App Store
    Generic Modus Operandi:
    Original application (Google Play Store) → Cloned/fake application (3rd-party app store), controlled by the threat actor

  9. ☐ Fake domain using randomized strings
    ☐ UPI Reward scam
    ☐ Improvised Customer Support scam
    ☐ Simple SMS-Forwarder Malware
    ☐ Advanced Banking Trojan
    ☐ Misusing Cloudflare's legitimate services
      ☐ Reverse Tunnel Services: Trycloudflare
      ☐ JAM stack platform: Cloudflare Pages
    ☐ Misusing Hostinger's Preview domain services
    ☐ Abusing Zoho form services


  10. Improvised Phishing Campaigns
    ① Phishing domain creation with random names
    Previously: Real Domain xyzbank.com → Fake Domains xyz-bankk.com, xyz-baank.com, xyzbank.online
    Improvised Modus Operandi: original domain xyzbank.com → fake domains with randomized strings, e.g. qjlmnoxpzllzxy.in, xyzabcdk34ghkpz.co



  12. Improvised Phishing Campaigns
    ② Cashback scams / UPI scams
    Improvised Modus Operandi

  13. Creating domains using keywords: "mycashback", "scratchdiwali"
    • Copying the same template
    • Distributing via pretexting: "payment will only be initiated if it is opened on a mobile device"



  15. Improvised Phishing Campaigns
    Customer support scam
    Improvised Modus Operandi: the phishing domain is created without using any logo or name of the targeted entity

  16. How SMS-Forward works & how it is misused by Threat Actors

  17. https://github.com/EnixCoda/SMS-Forward
    • An open-source APK was used to build the malware
    • Requesting … (screenshot)


  19. Malware sending SMS to the command & control server

  20. Control server (screenshot)

  21. Timeline of the Malware campaign (figure)


  23. https://github.com/swagkarna/Rafel-Rat
    Cloned from another open-source project

  24. Screenshot of the …



  26. Improvised Phishing Campaigns
    Misusing Reverse Tunnel services & URL shorteners
    Improvised Modus Operandi: hosting the phishing website on the attacker's local machine and exposing it through Trycloudflare or ngrok
    Victim → Trycloudflare / ngrok → Attacker machine

  27. The Whole Picture




  30. Misuse of Cloudflare Pages
    JAM Stack Platform: JavaScript, APIs, Markup
    Used to create progressively enhanced websites
    Improvised Modus Operandi

  31. Benefits
    • Faster Performance
    • Less Expensive
    • Easy Development
    • More Secure

  32. Modus Operandi
    Original website → cloned website uploaded to a *.pages.dev site → served to victims


  34. Misusing Hostinger's Preview Domain Feature


  36. Abusing Zoho Form Service

  37. Impact



  39. • Inclusive Awareness Campaigns
    • Proactive Monitoring using AI/ML-based DRP
    • Training for Employees

  40. Think before you click anything :)