Threat Actors are targeting BFSI Sector using Improvised Modus Operandi in India

Transcript

1. Threat Actors are targeting ;;÷÷÷:÷:±÷:÷:÷÷ ÷±*÷ ÷÷:÷÷:÷ ' u¥n↑"¥m%¥;;¥ii;;↑;NhJi i¥¥¥¥

   • % in i ! -00 ɱ¥÷÷:÷÷÷÷ ÷ . .㱻÷÷÷É*㱻.÷¥ . . - ¥÷÷÷÷÷÷÷÷:÷÷¥㱺 ± " ¥n$hhµmmaann$•*1$k•§

2. 🏍 AAbboouuttllee.EE Anshuman (a.k.a @ ⑦xlshu ) ☒iE • Cyber

   Threat Researcher @ - Co - Author @ securityZines - BOBB ? T.EE? @⑦xlshu

3. A-ggeennddaa •o Generic modus operandies • Improvised modus operandies .

   • Solutions ? MtW•±mp+±Bog§ ⑦@①xlshu

4. so Generic Modus Operandies so Improvised Modus Operandies A. '@0×1shu

5. • scam through Phishing Domains [Traditional] Real Domain , _

   - ✗ YZBankk.com GENETIC xykbank.com - - - xyz-Baank.com ]→Fake Domain \ _ - Xyz Bank . online - - i termed as Modus •☒ Host the same content " Typosquatting" Operandi.es • credential Harvesting • sensitive data ①@①xlshu

6. • Using wishing smishing techniques your card has been blocked

   . To activate § bankk.com/ uploads -- - - Generic ¥÷:÷÷:÷÷÷÷㱺±÷÷ . . . .☒1÷i⑧㱺i÷÷¥I + ¥⑨amqzEB→g OR Modus - _ Operandi.es / Calling from fake / customer care number . . . misused VR [Interactive Voice Response ] system @⑦xlshu

7. Examples . . . He@①xlshu

8. • Fake/Malicious app in 3rd party appstore ¥É÷☒* - -

   - - - → _i☐¥Éi☒*- - - - - controlled by Generic Cloned Fake Original Application app, ; cation _÷_q¥☒ Threat Actor I : Modus ¥㱺⾨•- google play store Operandi.es 3rd party appstore 7g@Oixlshu

9. ' Fake domain using randomized strings ☐ UPI Reward scam

   ☐ Improvised Customer Support scam ☐ simple SMS - Forwarder Malware ☐ Advance Banking Trojan ☐ Misusing cloudflare's legitimate services ☒ Reverse Tunnel Services _ Trycloudflare ☐ JAM stack platform _ cloudflare Pages ☐ Misusing Hostinger's Preview domain services ☐ Abusing Zoho form services

10. • Improvised Phishing Campaigns ① Phishing domain creation with random

    names Previouly . . . g- Real Domain , - ✗ yz-Bankk.com - IMPROVISED xyatpsank.com/---xyzBaank.com)-Fake Domain -l__×yzBank.onlineNhhW Modus Operandi originaldomain.ee.xyzabcdk34ghkPZ.co#ne-aanegmm with xyzbank.com?----qjlmnoXPZllZXYXYZmyaphyabe " ' - - - - qjlmnoxpzllzxy.in - P€8ef→ - , ①@①xlshu

11. ' Fake domain using randomized strings UPI Reward scam ☐

    Improvised Customer Support scam ☐ Simple SMS - Forwarder Malware ☐ Advance Banking Trojan ☐ Misusing cloudflare's legitimate services ☒ Reverse Tunnel Services _ Trycloudflare ☐ JAM stack platform _ cloudflare Pages ☐ Misusing Hostinger's Preview domain services ☐ Abusing 20h0 form services

12. • Improvised Phishing Campaigns ② Cashback scams / UPI scams

    %←t-Ñ--→__-_-→_-t -tˢˢˢ-→⑧↑ Improvised Modus My Operandi § §ggggggggggggg zygomorphic @⑦xlshu

13. aIIIrIIITSD TI • Creating domains using keywords - § My

    cashback . cash◦ Hers , scratchdiwali • Copying the same template • Distributing via pretext ing , µgggggggggggggggggµgn ggggggg-gggg.gg i payment will be only initiated if it is opened " on mobile device } manner } .

14. ' Fake domain using randomized strings UPI Reward scam Improvised

    Customer Support scam simple SMS - Forwarder Malware ☐ Advance Banking Trojan ☐ Misusing cloudflare's legitimate services ☒ Reverse Tunnel Services _ Trycloudflare ☐ JAM stack platform _ cloudflare Pages ☐ Misusing Hostinger's Preview domain services ☐ Abusing Zoho form services

15. • Improvised Phishing Campaigns Customer support scam 1- improvised Modus

    operandi phishing domain is created without using any logo & name of the targeting entity @0×1Shu

16. A How SMS - Forward works & misused by Threat

    Actors r ①@0×1Shu

17. https://github.com/EnixCoda/SMS-Forward • used an open-source apk to build the malware

    &II÷ Tt-_ TTEo- | } ⊥IIEI--TTE-gg--gg fg g I o o - Requesting " Ugg""" " """"" "°" M-ggggggg.gg

18. ' Fake domain using randomized strings UPI Reward scam Improvised

    Customer Support scam simple SMS - Forwarder Malware Advance Banking Trojan ☐ Misusing cloudflare's legitimate services ☒ Reverse Tunnel Services _ Trycloudflare ☐ JAM stack platform _ cloudflare Pages ☐ Misusing Hostinger's Preview domain services ☐ Abusing Zoho form services

19. Matwagresendingsmstothecommandlcontroserver gggggggggggggggg. gg B.㱻.ʳRNRRggÉhf]

20. T-kfo-ktkg.com m and !ontraserverᵗᵈk @0×1shTTD-__TT@-

21. ¥7 Timeline of the Malware campaign D M t h

    - I f f t t t f o B.ggggggggg⊥ @0×1Shu

22. ezEEEEaEEeaEz→ BqEBzBs→EETÑBFBÉ→_ µ Thorington

23. https://github.com/swagkarna/Rafel-Rat Clo nedfromanthoropen-sourceproJectgggg gg.am •s㱻:aagga•Bʰm

24. """ᵗʳ㱻^☒**±☒*" " " "" " " "" " """ &

    "" STILL -LIFES - -11vii. ⊥_€go- screenshot d- the = www.na.nmg.me, ①@Oixlshu

25. ' Fake domain using randomized strings UPI Reward scam Improvised

    Customer Support scam simple SMS - Forwarder Malware Advance Banking Trojan Misusing cloudflare's legitimate services Reverse Tunnel Services _ Trycloudflare ☐ JAM stack platform _ cloudflare Pages ☐ Misusing Hostinger's Preview domain services ☐ Abusing Zoho form services

26. • Improvised Phishing Campaigns Misusing Reverse Tunnel services & urlshortners

    VICTIM 1- improvised Attacker • Trycloudflare Machine 0.UA/Host.runhW---.;@-- - - - - - - - - Modus ,☒☒€⑤- - - - • ngrok ' - - - - - É Operandi Hosting Phishing website on the local machine @⑦xlshu

27. Ttlhhee Wwhhotee Piettuurree ☒ñ@D ①@0×1shu -

28. 1- ' 㱻㱻-mm!/ .

29. ' Fake domain using randomized strings UPI Reward scam Improvised

    Customer Support scam simple SMS - Forwarder Malware Advance Banking Trojan Misusing cloudflare's legitimate services Reverse Tunnel Services _ Trycloudflare ☐↓ JAM stack platform _ cloudflare Pages ☐ Misusing Hostinger's Preview domain services ☐ Abusing Zoho form services

30. • Misuse of Cloudflare Pages 1AM Stack Platform javascript ftp.t

    tmarkup used to create Improvised example- ¥◦iᵗp¥eÉ"¥¥gressively Modus Operandi Net"ᵗY/free] Enhanced ☐BgfoBBB5§☐Img☒- E websites

31. Benefiting Faster Performance Less expensive Faqq% 5B$ Easy Development More

    Secure EEE㱺*•÷• @⑦xlshu

32. Mmcodduuss Operandi original> ¥£Ñ_÷㱺 website <target>• pages.de/ A B g÷÷÷÷:÷÷j÷÷±÷--iaÉ㱻Ñr

    Mmnxer→☒㱺E¥TI , A. €¥¥☒㱺7 uploads " cloned •yv• website victims @①xlshu

33. ' Fake domain using randomized strings UPI Reward scam Improvised

    Customer Support scam simple SMS - Forwarder Malware Advance Banking Trojan Misusing cloudflare's legitimate services Reverse Tunnel Services _ Trycloudflare ☐✓ JAM stack platform _ cloudflare Pages Misusing Hostinger's Preview domain services ☐ Abusing Zoho form services @0×1Shu

34. mmissuusiinng.gl#oo$Hinngeerr$Prreevnieeww ⑤commainn F-eea #are ①@0×1Shu

35. ' Fake domain using randomized strings UPI Reward scam Improvised

    Customer Support scam simple SMS - Forwarder Malware Advance Banking Trojan Misusing cloudflare's legitimate services Reverse Tunnel Services _ Trycloudflare ☐↓ JAM stack platform _ cloudflare Pages Misusing Hostinger's Preview domain services Abusing Zoho form services @0×1Shu

36. A-biassing Roko ffoorrmm Service $eaamm @0×1Shu

37. Impact @⑦xlshu

38. Impact @⑦xlshu

39. 㱺 •B Inclusive AAwweerrnneessssccaammppaaiiggnnss.CI • • Pprrooaaettiiwee ☒oonniittoorriinngg Using At-

    ML Based DRP % EE • • TTrraaiinniinnggffoorrE-mmpkooyyeee.es - 11%1%9 SS ①@0×1Shu

40. Think before You click anything :) -@0×1Shu