
Threat Actors are targeting BFSI Sector using Improvised Modus Operandi in India

Anshuman
August 27, 2022


On 27th August 2022, at the Null Bangalore Chapter, I presented the various TTPs and modus operandi being used by threat actors to target the customers of the BFSI sector.

More About the Talk.



Transcript

  1. Threat Actors are targeting BFSI Sector using Improvised Modus Operandi in India

    Anshuman
  2. About me

    Anshuman (a.k.a. @0xlshu) - Cyber Threat Researcher - Co-Author @ securityZines
  3. Scam through phishing domains [Traditional]

    Real domain: xyzbank.com. Fake domains: xyz-Bankk.com, xyz-Baank.com, xyzBank.online (typosquatting). Generic modus operandi: host the same content on the fake domain, then harvest credentials and sensitive data.
  4. Using vishing / smishing techniques

    Generic modus operandi: a message such as "your card has been blocked, to activate ..." pointing at a link like bankk.com/uploads; calls from a fake customer care number; a misused IVR (Interactive Voice Response) system.
  5. Fake / malicious app in a 3rd-party app store

    Generic modus operandi: the original application is on the Google Play Store; a cloned fake application, controlled by the threat actor, is published on a 3rd-party app store.
  6. Topics (agenda slide, repeated as a progress tracker between sections)

    ☐ Fake domain using randomized strings
    ☐ UPI Reward scam
    ☐ Improvised Customer Support scam
    ☐ Simple SMS-Forwarder Malware
    ☐ Advanced Banking Trojan
    ☐ Misusing Cloudflare's legitimate services: Reverse Tunnel Services (Trycloudflare); JAMstack platform (Cloudflare Pages)
    ☐ Misusing Hostinger's preview domain services
    ☐ Abusing Zoho form services
  7. Improvised Phishing Campaigns ① Phishing domain creation with random names

    Previously: real domain xyzbank.com; fake domains xyz-Bankk.com, xyzBaank.com, xyzBank.online. Improvised modus operandi: the original domain's content is hosted on a domain made of a randomized string, e.g. qjlmnoxpzllzxy.in.
  9. Improvised Phishing Campaigns ② Cashback scams / UPI scams

    Improvised modus operandi (screenshots of the lure pages).
  10. Creating domains using keywords

    Keywords such as cashback, cash, scratch, diwali; copying the same template; distributing via pretexting, e.g. "payment will only be initiated if it is opened on a mobile device".
  12. Improvised Phishing Campaigns: Customer support scam

    Improvised modus operandi: the phishing domain is created without using any logo or name of the targeted entity.
  13. SMS-Forwarder Malware

    https://github.com/EnixCoda/SMS-Forward - an open-source APK was used to build the malware (screenshot of the app requesting permissions).
  15. Timeline of the malware campaign (chart)
  18. Improvised Phishing Campaigns: Misusing Reverse Tunnel services & URL shorteners

    Improvised modus operandi: the phishing website is hosted on the attacker's local machine and exposed to the victim through a reverse tunnel service such as Trycloudflare or ngrok.
  20. Misuse of Cloudflare Pages (JAMstack platform)

    JAMstack: JavaScript and markup used to create progressively enhanced websites (free hosting).
  21. Modus operandi

    The original target website is cloned and uploaded to a <target>.pages.dev site, which is then served to victims.
  24. • Inclusive awareness campaigns • Proactive monitoring using AI/ML-based DRP • Training for employees
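The deck groups the phishing domains it saw into three shapes: typosquats of the real domain (slide 3), randomized-string domains (slide 7) and keyword lures such as cashback or diwali (slide 10). The triage helper below is an added example, not code from the talk or the speaker; it is the kind of check a monitoring team would run over newly registered or newly observed domains to sort them into those buckets. The protected brand xyzbank.com is the deck's hypothetical bank, the sample domains are constructed to match the shapes on the slides, the keyword list and the 10-character / 20 %-vowel thresholds for "looks random" are assumptions, and the registrable domain is taken to be the last two labels (no public-suffix handling).

```python
"""Sort observed domains into the lure shapes described in the deck.

Added example: brand, thresholds and sample domains are constructed.
"""
import re

# Hypothetical protected brand, as used on the slides.
PROTECTED_DOMAINS = {"xyzbank.com"}
# Assumed lure keywords, taken from the cashback/UPI slides.
LURE_KEYWORDS = ("cashback", "scratch", "diwali", "reward", "cash", "upi")
VOWELS = set("aeiou")

# Constructed sample input shaped like the deck's examples (not real telemetry).
SAMPLE_DOMAINS = [
    "xyzbank.com",             # the brand itself
    "login.xyzbank.com",       # a legitimate subdomain
    "xyz-baank.com",           # typosquat (slide 3)
    "xyzbank.online",          # brand on another TLD (slide 3)
    "qjlmnoxpzllzxy.in",       # randomized string (slide 7)
    "mycashback-diwali.cash",  # keyword lure (slide 10)
    "example.org",             # unrelated domain
]


def registered_domain(domain: str) -> str:
    """Assumption: the registrable domain is the last two labels."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalised_sld(domain: str) -> str:
    """Second-level label with hyphens removed, so xyz-baank == xyzbaank."""
    return registered_domain(domain).split(".")[0].replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(label: str) -> bool:
    """Heuristic for randomized-string labels: long, vowel-poor or with a
    long consonant run. Thresholds are assumptions, tune on your own data."""
    if len(label) < 10:
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    runs = re.findall(r"[^aeiou0-9]+", label)
    longest_run = max((len(r) for r in runs), default=0)
    return vowel_ratio < 0.2 or longest_run >= 5


def classify(domain: str) -> str:
    """Return one of: legitimate, lookalike, keyword-lure, random-string, unknown."""
    if registered_domain(domain) in PROTECTED_DOMAINS:
        return "legitimate"
    label = normalised_sld(domain)
    # Typosquat / brand-on-other-TLD check against each protected brand label.
    for brand in (d.split(".")[0] for d in PROTECTED_DOMAINS):
        if brand in label or levenshtein(label, brand) <= 2:
            return "lookalike"
    if any(k in label for k in LURE_KEYWORDS):
        return "keyword-lure"
    if looks_random(label):
        return "random-string"
    return "unknown"


def triage(domains):
    """Map each observed domain to its category."""
    return {d: classify(d) for d in domains}


if __name__ == "__main__":
    for domain, category in triage(SAMPLE_DOMAINS).items():
        print(f"{category:14} {domain}")
```

The lookalike check runs before the keyword and randomness checks on purpose: a domain that is both vowel-poor and one edit away from the brand is a typosquat first, and the cheaper heuristics only apply to what the brand comparison did not catch. In practice the keyword list and the randomness thresholds would be tuned against a feed of newly registered domains rather than fixed as here.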