Campaigns
SMS Stealer Unmasked: A Global Cyber Threat Infecting 113 Countries

Tags: SMS Stealer, Android Malware, Mobile Security, OTP Theft, Two-Factor Authentication (2FA)
One-time passwords (OTPs) are a key safeguard for online accounts, and many enterprises rely on them to protect sensitive data and applications. Precisely because of that protective role, OTPs are a prized target for cybercriminals. A global SMS Stealer campaign has emerged that uses mobile malware to exfiltrate OTPs and gain a foothold in corporate networks, relying on thousands of Telegram bots to compromise Android devices.

Indicators of Compromise


Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

1. Persistence (T1624.001 - Event Triggered Execution: Broadcast Receivers)

  • Remediation:

    • Review all installed applications for broadcast receivers that the app has no legitimate reason to register.

    • Enforce application allowlisting so that only approved applications can run on the device.

    • Educate users on the risks of installing untrusted applications, particularly those that request SMS permissions.

2. Defense Evasion (T1406.002 - Obfuscated Files or Information: Software Packing)

  • Remediation:

    • Use static and dynamic analysis tools to uncover the obfuscation and packing methods an app employs.

    • Deploy antivirus and antimalware solutions capable of detecting packed and obfuscated malware.

    • Update detection signatures regularly so that known packing methods are recognized.

3. Collection (T1517 - Access Notifications)

  • Remediation:

    • Restrict sensitive permissions, such as notification and SMS access, to the few apps that genuinely need them.

    • Audit application permissions regularly to confirm they are necessary and appropriate.

    • Monitor application behavior for unauthorized attempts to read notifications or other sensitive data.

4. Collection (T1636.004 - Protected User Data: SMS Messages)

  • Remediation:

    • Apply security controls that limit which apps can read SMS data.

    • Educate users never to share SMS OTPs and to recognize phishing attempts that ask for them.

    • Use mobile device management (MDM) solutions to enforce policies on access to sensitive information.

5. Command and Control (T1481.003 - Web Service: One-Way Communication)

  • Remediation:

    • Monitor network traffic for unusual outbound connections, especially to untrusted or unfamiliar domains.

    • Employ intrusion detection/prevention systems (IDS/IPS) to identify and block malicious communication attempts.

    • Use endpoint protection to detect and stop unauthorized data exfiltration.

6. Exfiltration (T1646 - Exfiltration Over C2 Channel)

  • Remediation:

    • Use network segmentation and firewall rules to control outbound traffic based on expected application behavior.

    • Deploy data loss prevention (DLP) tools to monitor and control data leaving the network.

    • Provide regular security training so staff understand the risks of data exfiltration and can recognize suspicious activity.
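As an added example, not part of the original campaign write-up, the following Python script supports items 1, 3 and 4 above: it audits a decoded AndroidManifest.xml (assumed to have been extracted with a tool such as apktool) for SMS permissions paired with a broadcast receiver for incoming SMS, the combination an OTP stealer needs in order to read one-time codes. The sample manifest and package name are constructed for the demonstration.

```python
"""Audit a decoded AndroidManifest.xml for SMS-interception traits.

Flags apps that request SMS permissions (T1636.004) and register a
broadcast receiver for incoming SMS (T1624.001). Assumes the manifest is
already decoded to plain XML; the sample below is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: a "cleaner" utility that has no business reading SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Cleaner">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return package name, SMS permissions, SMS receivers and a verdict."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    # Attribute keys are namespaced, e.g. '{...android}name'.
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMISSIONS)
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(ANDROID_NS + "name") == SMS_ACTION:
                sms_receivers.append(receiver.get(ANDROID_NS + "name"))
                break
    # Permission plus a receiver for SMS_RECEIVED is the stealer's core need.
    suspicious = bool(sms_perms) and bool(sms_receivers)
    return {"package": package, "sms_permissions": sms_perms,
            "sms_receivers": sms_receivers, "suspicious": suspicious}


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

Run it over every manifest in an app inventory and review any package marked suspicious whose stated purpose does not involve SMS.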

General Recommendations

  • Regular Security Assessments: Carry out frequent security evaluations and penetration tests to identify vulnerabilities and areas for improvement.

  • User Education: Train users continuously on cybersecurity best practices, including how to recognize phishing attempts and why application permissions matter.

  • Incident Response Plan: Maintain a tested incident response plan so that incidents involving these tactics and techniques can be handled promptly.

Observed Countries (15)

AR (748)
BR (960)
EG (932)
IN (663)
KG (131)
KZ (152)
MA (538)
MY (586)
NP (823)
PH (793)
TH (101)
TJ (272)
TR (45)
UZ (312)
VN (867)