
Threat Actors are targeting BFSI Sector using Improvised Modus Operandi in India

Anshuman
August 27, 2022


On 27 August 2022, at the Null Bangalore Chapter, I presented the various TTPs and modus operandi being used by threat actors to target customers of the BFSI sector.



Transcript

  1. Threat Actors are targeting BFSI Sector using Improvised Modus Operandi in India
     Anshuman (@0x1shu)

  2. About me: Anshuman (a.k.a. @0x1shu)
     • Cyber Threat Researcher
     • Co-Author @ securityZines

  3. Agenda
     • Generic modus operandi
     • Improvised modus operandi
     • Solutions?

  4. Section divider: Generic Modus Operandi / Improvised Modus Operandi

  5. Generic modus operandi: scam through phishing domains [traditional]
     • Real domain: xyzbank.com
     • Fake domains: xyzbankk.com, xyz-baank.com, xyzbank.online (termed "typosquatting")
     • The fake domain hosts the same content as the real site
     • Goal: credential harvesting and collection of sensitive data

  6. Generic modus operandi: vishing / smishing
     • SMS: "Your card has been blocked. To activate ... bankk.com/uploads..."
     • Or a call from a fake customer-care number, misusing the IVR [Interactive Voice Response] system

  7. Examples (screenshots)

  8. Generic modus operandi: fake/malicious app in a 3rd-party app store
     • Original application on the Google Play Store → cloned fake application, controlled by the threat actor, distributed through a 3rd-party app store

  9. Improvised modus operandi (checklist; the deck returns to this slide before each topic)
     • Fake domain using randomized strings
     • UPI reward scam
     • Improvised customer support scam
     • Simple SMS-forwarder malware
     • Advanced banking trojan
     • Misusing Cloudflare's legitimate services: reverse tunnel service (Trycloudflare); JAMstack platform (Cloudflare Pages)
     • Misusing Hostinger's preview domain service
     • Abusing Zoho Forms service

  10. Improvised phishing campaigns ① Phishing domain creation with random names
     • Previously: real domain xyzbank.com → fake domains xyz-bankk.com, xyzbaank.com, xyzbank.online
     • Improvised: the original domain name is combined with a randomized string (e.g. xyzabcdk34ghkpz.co), or the phishing site lives on a purely random-looking domain (e.g. qjlmnoxpzllzxy.in), which defeats lookalike matching on the brand name alone

  11. (Checklist from slide 9 repeated; next topic: UPI reward scam.)

  12. Improvised phishing campaigns ② Cashback scams / UPI scams (screenshots)

  13. UPI reward scam
     • Creating domains using keywords: cashback, cashoffers, scratchdiwali
     • Copying the same template across campaigns
     • Distributing via pretexting, e.g. "payment will only be initiated if it is opened on a mobile device"
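The three domain patterns on slides 5, 10 and 13 (classic typosquats of the real domain, the brand name parked in front of a throwaway random domain, and keyword-lure domains) can be told apart lexically before any content is fetched. The following is an added example, not code from the deck or its author: the brand name `xyzbank`, the legitimate-domain set, the lure keyword list, the abbreviated public-suffix table, the thresholds and every sample URL are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit

BRAND = "xyzbank"                  # assumption: the deck's placeholder bank name
LEGIT_DOMAINS = {"xyzbank.com"}    # assumption: domains the brand actually owns
LURE_KEYWORDS = ("cashback", "scratch", "offer", "reward", "diwali")   # lure words from slide 13
# Stand-in for the Public Suffix List: two-label suffixes treated as TLD-like.
TWO_LABEL_SUFFIXES = {"co.in", "net.in", "org.in", "co.uk", "com.au"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; typosquats sit within one or two edits of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """The part of the hostname the attacker had to register (eTLD+1)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def collapse(s: str) -> str:
    """Drop hyphens and doubled letters so 'xyz-baank' compares as 'xyzbank'."""
    return re.sub(r"(.)\1+", r"\1", s.replace("-", ""))


def longest_nonvowel_run(s: str) -> int:
    """Random strings tend to contain long consonant/digit runs that real words do not."""
    return max((len(r) for r in re.findall(r"[^aeiou]+", s)), default=0)


def classify(url: str) -> str:
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path.lower().replace("-", "")
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legit"
    sld = reg.split(".")[0]                           # the label the registrant chose
    # 1. Classic typosquat: near-identical SLD on any TLD (slide 5).
    if collapse(sld) == collapse(BRAND) or levenshtein(sld.replace("-", ""), BRAND) <= 2:
        return "typosquat"
    # 2. Brand parked in the subdomain of a throwaway domain (slide 10).
    subdomain = host[: len(host) - len(reg)].replace(".", "").replace("-", "")
    if BRAND in subdomain:
        return "brand_in_subdomain"
    # 3. Random-looking registrable domain (slide 10); the brand may only appear in the path.
    if len(sld) >= 10 and longest_nonvowel_run(sld) >= 5:
        return "random_domain"
    if BRAND in path:
        return "brand_in_path"
    # 4. Keyword lure: cashback / reward / scratch-card style names (slide 13).
    if any(k in sld for k in LURE_KEYWORDS):
        return "keyword_lure"
    return "unclassified"


# Constructed sample URLs modelled on the deck's examples; none is a real campaign indicator.
SAMPLE_URLS = [
    "https://xyzbank.com/login",
    "xyz-bankk.com",
    "xyzbank.online",
    "http://xyzbank.com.xyzabcdk34ghkpz.co/update",
    "http://qjlmnoxpzllzxy.in/xyzbank/kyc",
    "https://mycashback-offers.co.in/claim",
    "https://www.google.com/search",
]


def triage(urls):
    """Map each URL to its verdict; feed this from a newly-registered-domain or URL feed."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    for u, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:20s} {u}")
```

The thresholds (edit distance ≤ 2, a non-vowel run of 5 in a label of 10+ characters) are starting points to tune against your own false-positive rate, and a production version should replace `TWO_LABEL_SUFFIXES` with the full Public Suffix List (for example via `tldextract`), since getting the registrable domain wrong breaks both the subdomain and the random-string checks.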
  14. (Checklist from slide 9 repeated; next topic: improvised customer support scam.)

  15. Improvised phishing campaigns: customer support scam
     • Improvised modus operandi: the phishing domain is created without using any logo or name of the targeted entity

  16. How SMS-Forward works and how it is misused by threat actors

  17. https://github.com/EnixCoda/SMS-Forward
     • An open-source APK was used to build the malware (screenshot of the app's permission request)

  18. (Checklist from slide 9 repeated; next topics: simple SMS-forwarder malware, advanced banking trojan.)

  19. Malware sending SMS to the command-and-control server (screenshot)

  20. Command-and-control server (screenshot)
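What makes a repackaged SMS-Forward build dangerous is a combination of manifest declarations, not any single permission: a receiver for `SMS_RECEIVED` plus `RECEIVE_SMS`, a channel to move the messages out (`SEND_SMS` or `INTERNET`), and a boot receiver for persistence. The following is an added example, not the deck's code and not the SMS-Forward project's code: it scores a decoded (apktool-style) `AndroidManifest.xml` for that combination. Both manifests are constructed for the demonstration; the package and class names are invented and the forwarder manifest is not from any real sample.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"   # namespace of android:* attributes
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"

# Constructed sample: what a decoded manifest of a repackaged "rewards" app that
# forwards SMS typically declares. Invented names; not taken from a real sample.
FORWARDER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bankrewards">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Bank Rewards">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign contrast: same kind of app, no SMS capability at all.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rewardsviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Rewards Viewer"/>
</manifest>"""


def analyse_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")} - {None}

    # Receivers whose intent-filter listens for incoming SMS, with the declared priority.
    sms_receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                sms_receivers.append((rcv.get(ANDROID + "name"), flt.get(ANDROID + "priority")))
    boot_receiver = any(a.get(ANDROID + "name") == BOOT_COMPLETED for a in root.iter("action"))

    findings = []
    intercepts = "android.permission.RECEIVE_SMS" in perms and bool(sms_receivers)
    if intercepts:
        findings.append("intercepts incoming SMS: RECEIVE_SMS permission + SMS_RECEIVED receiver")
    for name, prio in sms_receivers:
        # apktool emits the priority as a decimal or 0x-prefixed literal; int(x, 0) parses both
        if prio is not None and int(prio, 0) >= 999:
            findings.append(f"receiver {name} declares priority {prio} to see SMS before other apps")
    channels = [p for p in ("android.permission.SEND_SMS", "android.permission.INTERNET") if p in perms]
    if intercepts and channels:
        findings.append("can move intercepted SMS out via " + ", ".join(c.rsplit(".", 1)[1] for c in channels))
    if boot_receiver and "android.permission.RECEIVE_BOOT_COMPLETED" in perms:
        findings.append("restarts itself on boot: BOOT_COMPLETED receiver")

    if intercepts and channels:
        verdict = "likely SMS forwarder"
    elif intercepts:
        verdict = "reads SMS but no obvious exfil channel; review code"
    else:
        verdict = "no SMS-forwarding indicators"
    return {"package": root.get("package"), "permissions": sorted(perms),
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for manifest in (FORWARDER_MANIFEST, BENIGN_MANIFEST):
        result = analyse_manifest(manifest)
        print(result["package"], "->", result["verdict"])
        for finding in result["findings"]:
            print("   -", finding)
```

A genuine messaging app declares the same receiver and permissions, so the verdict is only meaningful together with the app's claimed purpose: a "bank rewards" or "KYC update" app sideloaded from a link has no business registering for `SMS_RECEIVED` at maximum priority, and that mismatch, plus where the forwarded messages go (the C2 number or URL in the decompiled code), is what to report.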

  21. Timeline of the malware campaign (screenshot)

  22. (screenshot)

  23. https://github.com/swagkarna/Rafel-Rat
     • Cloned from another open-source project

  24. (screenshot)

  25. (Checklist from slide 9 repeated; next topic: misusing Cloudflare's reverse tunnel service.)

  26. Improvised phishing campaigns: misusing reverse tunnel services & URL shorteners
     • Improvised modus operandi: the phishing website is hosted on the attacker's local machine and exposed to the victim through a reverse tunnel (Trycloudflare, ngrok, localhost.run)

  27. The whole picture (diagram)

  28. (screenshot)

  29. (Checklist from slide 9 repeated; next topic: Cloudflare Pages.)

  30. Misuse of Cloudflare Pages
     • JAMstack platform: JavaScript, APIs and Markup used to create websites (example: Netlify); free to use

  31. Benefits of JAMstack: faster performance, less expensive, easy development, more secure

  32. Modus operandi: the threat actor clones the original website and uploads it to Cloudflare Pages as <target>.pages.dev; victims are sent to the clone

  33. (Checklist from slide 9 repeated; next topic: Hostinger's preview domain service.)

  34. Misusing Hostinger's preview domain feature (screenshots)

  35. (Checklist from slide 9 repeated; next topic: Zoho Forms.)

  36. Abusing Zoho Forms service (screenshots)
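Slides 26 to 36 share one pattern: the phishing page sits on a hostname that belongs to a legitimate provider (tunnel, static hosting, preview domain, form builder, shortener), so domain reputation says nothing and the right response is per-hostname. The following is an added example, not code from the deck: a URL triage function that matches the host against such provider suffixes and returns the handling step. The service list, the Hostinger preview-domain suffixes, the brand keyword and the sample URLs are assumptions to verify and extend locally.

```python
from urllib.parse import urlsplit

BRAND = "xyzbank"   # assumption: placeholder brand keyword, as in the deck's examples

# (hostname suffix, category, service). Assumed starting list; verify and extend locally.
ABUSED_SERVICES = [
    ("trycloudflare.com", "reverse_tunnel", "Cloudflare quick tunnel"),
    ("ngrok.io", "reverse_tunnel", "ngrok"),
    ("ngrok-free.app", "reverse_tunnel", "ngrok"),
    ("localhost.run", "reverse_tunnel", "localhost.run"),
    ("loca.lt", "reverse_tunnel", "localtunnel"),
    ("pages.dev", "static_hosting", "Cloudflare Pages"),
    ("netlify.app", "static_hosting", "Netlify"),
    ("hostingersite.com", "preview_domain", "Hostinger preview (assumed suffix)"),
    ("preview-domain.com", "preview_domain", "Hostinger preview (assumed suffix)"),
    ("forms.zohopublic.com", "form_builder", "Zoho Forms"),
    ("forms.zohopublic.in", "form_builder", "Zoho Forms"),
    ("bit.ly", "url_shortener", "Bitly"),
    ("tinyurl.com", "url_shortener", "TinyURL"),
    ("cutt.ly", "url_shortener", "Cuttly"),
]

ACTIONS = {
    "reverse_tunnel": "origin is the attacker's own machine; block and report the full hostname "
                      "(it is random per tunnel), not the tunnel provider",
    "static_hosting": "block the project hostname and report abuse to the platform; "
                      "the provider's apex domain stays allowed",
    "preview_domain": "block the preview hostname and report to the hosting provider; "
                      "expect the site to move to a paid domain once it works",
    "form_builder": "report the form to the provider and capture its fields as evidence; "
                    "domain reputation is useless here",
    "url_shortener": "expand the link first and triage the final destination",
    "none": "no abused-service match; apply normal domain checks",
}


def triage(url: str) -> dict:
    host = (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()
    for suffix, category, service in ABUSED_SERVICES:
        if host == suffix or host.endswith("." + suffix):
            # The label the attacker chose (project name, tunnel name); a brand in it is a strong signal.
            label = host[: len(host) - len(suffix)].rstrip(".")
            return {"host": host, "category": category, "service": service, "label": label,
                    "brand_in_label": BRAND in label.replace("-", ""), "action": ACTIONS[category]}
    return {"host": host, "category": "none", "service": None, "label": "",
            "brand_in_label": False, "action": ACTIONS["none"]}


def triage_many(urls):
    """Only the hits, for feeding a blocklist or an abuse report queue."""
    return [r for r in (triage(u) for u in urls) if r["category"] != "none"]


# Constructed sample URLs; the tunnel name, project name and form path are invented.
SAMPLE_URLS = [
    "https://quiet-moon-abc.trycloudflare.com/login",
    "https://xyzbank-rewards.pages.dev/",
    "https://forms.zohopublic.com/acme/form/KYC/formperma/abc123",
    "https://bit.ly/3abc",
    "https://xyzbank.com/login",
]

if __name__ == "__main__":
    for hit in triage_many(SAMPLE_URLS):
        flag = " [brand in label]" if hit["brand_in_label"] else ""
        print(f"{hit['category']:15s} {hit['host']}{flag}\n    -> {hit['action']}")
```

Suffix matching is deliberately exact on the label boundary (`host == suffix` or `host.endswith("." + suffix)`), so `notpages.dev` does not match `pages.dev`; keep the list short and reviewed, because every entry is a provider whose customers you are about to treat as suspect by default.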

  37. Impact (screenshots)

  38. Impact (screenshots)

  39. Solutions
     • Inclusive awareness campaigns
     • Proactive monitoring using AI/ML-based DRP (digital risk protection)
     • Training for employees

  40. Think before you click anything :)