
SMS Stealer Unmasked: A Global Cyber Threat Infecting 113 Countries
One-time passwords (OTPs) are a key layer of protection for online accounts, and many enterprises rely on them to guard sensitive data and applications. That is exactly why they are prized by cybercriminals: whoever can read the OTP can complete the login. A global SMS Stealer campaign, observed across 113 countries, uses Android malware to intercept and exfiltrate OTP SMS messages, which then give attackers a way into corporate accounts and networks; the operation relies on thousands of Telegram bots in its attack on Android devices.
Indicators of Compromise
Domains (15)
badeskot.com
s.dt6remosa.org
2fgithub.com
s.ht7joxar.org
2.proxicoin.org
giga4.campriority.org
s.pingsafe.org
tg3.proxicoin.org
s.6srvfcm.com
fastsms.su
s.greendeff.org
s.jr2mutef.org
s.vi6jolifd.org
s.sh2gote.org
s.grobrothers.org
Hashes (13)
f64892516079df9ad4e5672af0e8798e2c1434ec3cafea64945315a4d00560c9
feecbae476fa52d61325a2dcd93b742c69f878e3718ca515d11384e9a9abc075
c1ada978f3c1464c846fca3a428d19b4939379e674e7a81bcd2789123cb67e0f
253f76230f19e1b096332e94cc13f8e84c9a32c2e72c608c27422c2ea9df23be
4fc347f439c66138c0023692158881cc72909b02ebe57d7486cfa10d4080c3f8
fc16f2d048d261a30dc8d97d8f329c7ba02ac3eb3a93bd0a016b0ff63e82a5f8
12ceca2bc823a7e8ac1dd43091fb911d0f33bf9b071e9430e5fc6e5c5dedc20f
7a79c355e38ec61af438fe234e8f46af8d5cc661cd14b4a59ad508a53428615a
479d0e4f25e10adc648c4dd302ffd147aa5c2b606f0c5424f6f6f0f4511e5753
6c2ecfb74d9922b41f07c684b7020e5064d6e2cff3abb0cc802f3d7b95fc8762
b94bdcb13bf39634c40c357301c4aa1d67a256fb71aa2c4c0aaa8dfdbbcf7418
c31e27bb3ff77771fb4a92deeffc7bd2dcb21d5570993fdc17e0c1e255155fa5
c0133660d5f5b12ae91d142b5617cdc4104545ab
Twelve of these are SHA-256 values and the last is a 40-character (SHA-1-length) value; the list was published without separators, so confirm the boundaries against the original feed before deploying them.
IPv4 (4)
71.162.181.51
36.75.75.75
138.112.25.25
123.181.24.36
These four were also published without separators; 71.162.181.5 with 136.75.75.75, and 138.112.25.251 with 23.181.24.36, are alternative readings of the same digits, so confirm against the original feed before blocking.
Notes
<span id="docs-internal-guid-bf43e21d-7fff-b8ae-8673-a43277b52a5f"><p><strong>CONCLUSION</strong></p><p>The spread of mobile malware, combined with how easily SMS messages and the one-time passwords (OTPs) they carry can be stolen, is a substantial threat to individuals and organizations alike. Stealing SMS messages may look trivial, but an application that can read and forward them defeats SMS-based second-factor authentication outright, which is why enterprise mobile security controls matter. Such controls need to block malicious websites and unknown malware and give the enterprise visibility into its exposure to targeted attacks.</p><p>Credentials obtained this way can serve as a gateway to further fraud, such as the creation of fake accounts on well-known platforms to run phishing or social engineering campaigns. Tackling the problem requires a strategy that combines detection technology with user education and awareness.</p><p>SOCRadar can play a role here by offering threat intelligence and monitoring that help organizations identify and mitigate the risks associated with mobile malware. By providing real-time visibility into potential threats and supporting user training programs, SOCRadar helps improve overall security posture so that organizations can better protect sensitive information from malicious actors.</p><p><a href="https://socradar.io/modules/">Click</a> to review SOCRadar's modules to prevent attacks from this campaign and many other campaigns.</p></span>
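The indicators listed above are only useful once they are typed, normalized and matched against telemetry. The Python below is an added example, not code from the page's source or from SOCRadar: it loads the published domains, addresses and hashes, classifies each by shape, reports the hash lengths so the single SHA-1-length value is noticed, and sweeps a few telemetry lines for matches. The event format, timestamps and internal addresses in SAMPLE_EVENTS are constructed for the demo; the matching rule for domains treats any name at or under a listed domain as a hit.

```python
import ipaddress
import re
from collections import Counter

# Indicators as published on this page: 15 domains, 4 IPv4 addresses, 13 hashes.
RAW_IOCS = """
badeskot.com s.dt6remosa.org 2fgithub.com s.ht7joxar.org 2.proxicoin.org
giga4.campriority.org s.pingsafe.org tg3.proxicoin.org s.6srvfcm.com fastsms.su
s.greendeff.org s.jr2mutef.org s.vi6jolifd.org s.sh2gote.org s.grobrothers.org
71.162.181.51 36.75.75.75 138.112.25.25 123.181.24.36
f64892516079df9ad4e5672af0e8798e2c1434ec3cafea64945315a4d00560c9
feecbae476fa52d61325a2dcd93b742c69f878e3718ca515d11384e9a9abc075
c1ada978f3c1464c846fca3a428d19b4939379e674e7a81bcd2789123cb67e0f
253f76230f19e1b096332e94cc13f8e84c9a32c2e72c608c27422c2ea9df23be
4fc347f439c66138c0023692158881cc72909b02ebe57d7486cfa10d4080c3f8
fc16f2d048d261a30dc8d97d8f329c7ba02ac3eb3a93bd0a016b0ff63e82a5f8
12ceca2bc823a7e8ac1dd43091fb911d0f33bf9b071e9430e5fc6e5c5dedc20f
7a79c355e38ec61af438fe234e8f46af8d5cc661cd14b4a59ad508a53428615a
479d0e4f25e10adc648c4dd302ffd147aa5c2b606f0c5424f6f6f0f4511e5753
6c2ecfb74d9922b41f07c684b7020e5064d6e2cff3abb0cc802f3d7b95fc8762
b94bdcb13bf39634c40c357301c4aa1d67a256fb71aa2c4c0aaa8dfdbbcf7418
c31e27bb3ff77771fb4a92deeffc7bd2dcb21d5570993fdc17e0c1e255155fa5
c0133660d5f5b12ae91d142b5617cdc4104545ab
"""

HASH_RE = re.compile(r"[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32}")   # SHA-256, SHA-1, MD5
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def classify_iocs(text):
    """Sort a whitespace-separated IoC dump into typed sets; anything malformed is rejected."""
    iocs = {"domain": set(), "ipv4": set(), "hash": set(), "rejected": []}
    for token in text.split():
        value = token.lower().rstrip(".")
        if HASH_RE.fullmatch(value):
            iocs["hash"].add(value)
            continue
        try:
            iocs["ipv4"].add(str(ipaddress.IPv4Address(value)))
            continue
        except ValueError:
            pass
        if DOMAIN_RE.fullmatch(value):
            iocs["domain"].add(value)
        else:
            iocs["rejected"].append(token)
    return iocs


def hash_lengths(iocs):
    """Hex length per hash, so a SHA-1 hiding in a SHA-256 list is noticed before deployment."""
    return Counter(len(h) for h in iocs["hash"])


def match_domain(name, ioc_domains):
    """Return the IoC that `name` equals or sits under (x.s.pingsafe.org hits s.pingsafe.org)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


# Constructed telemetry for the demo (not from a real incident): "<ts> <kind> <src> <value>".
SAMPLE_EVENTS = [
    "2024-08-01T10:00:01Z dns  10.0.0.7 tg3.proxicoin.org.",
    "2024-08-01T10:00:05Z dns  10.0.0.7 api.telegram.org",
    "2024-08-01T10:01:10Z conn 10.0.0.7 138.112.25.25:443",
    "2024-08-01T10:02:00Z file 10.0.0.9 F64892516079DF9AD4E5672AF0E8798E2C1434EC3CAFEA64945315A4D00560C9",
    "2024-08-01T10:03:00Z dns  10.0.0.7 cdn.2fgithub.com",
    "2024-08-01T10:04:00Z dns  10.0.0.7 github.com",
]


def sweep(events, iocs):
    """Return (timestamp, source, ioc_type, ioc) for every event that touches an indicator."""
    hits = []
    for line in events:
        ts, kind, src, value = line.split()
        if kind == "dns":
            ioc = match_domain(value, iocs["domain"])
            if ioc:
                hits.append((ts, src, "domain", ioc))
        elif kind == "conn":
            ip = value.rsplit(":", 1)[0]
            if ip in iocs["ipv4"]:
                hits.append((ts, src, "ipv4", ip))
        elif kind == "file":
            digest = value.lower()
            if digest in iocs["hash"]:
                hits.append((ts, src, "hash", digest))
    return hits


if __name__ == "__main__":
    iocs = classify_iocs(RAW_IOCS)
    print(dict(hash_lengths(iocs)), iocs["rejected"])
    for hit in sweep(SAMPLE_EVENTS, iocs):
        print(*hit)
```

Note that github.com does not match even though 2fgithub.com is listed: the suffix walk only descends from the queried name, so a look-alike indicator never matches the legitimate domain it imitates, while a child such as cdn.2fgithub.com does match.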
Mitigation
<span id="docs-internal-guid-0f63d4fa-7fff-a9c0-c1a9-48c5d997a66e"><p><strong>MITIGATION</strong></p><p>Every technique below depends on a malicious application that holds SMS permissions, registers for incoming-message events and has network access. The practical controls follow from that: restrict app installation from unknown sources on managed devices, treat any non-messaging app that requests RECEIVE_SMS or READ_SMS as suspicious, block the domains and addresses listed above at the resolver and proxy, and move high-value accounts off SMS OTP to an authenticator app or hardware key so that an intercepted message is worthless.</p><p><strong>MITRE ATT&amp;CK TECHNIQUES TABLE</strong></p>
<table>
<thead><tr><th>Tactic</th><th>ID</th><th>Name</th><th>Description</th></tr></thead>
<tbody>
<tr><td>Persistence</td><td><a href="https://attack.mitre.org/techniques/T1624/001">T1624.001</a></td><td>Event Triggered Execution: Broadcast Receivers</td><td>Registers a broadcast receiver for incoming-SMS events, so the stealer's code runs each time a message arrives without any user interaction.</td></tr>
<tr><td>Defense Evasion</td><td><a href="https://attack.mitre.org/techniques/T1406/002">T1406.002</a></td><td>Obfuscated Files or Information: Software Packing</td><td>Uses obfuscation and packers to conceal its code from static analysis and signature-based detection.</td></tr>
<tr><td rowspan="2">Collection</td><td><a href="https://attack.mitre.org/techniques/T1517/">T1517</a></td><td>Access Notifications</td><td>Monitors incoming SMS messages as they arrive so that OTP codes can be captured.</td></tr>
<tr><td><a href="https://attack.mitre.org/techniques/T1636/004">T1636.004</a></td><td>Protected User Data: SMS Messages</td><td>Reads every incoming OTP SMS message and stages it for exfiltration.</td></tr>
<tr><td>Command and Control</td><td><a href="https://attack.mitre.org/techniques/T1481/003/">T1481.003</a></td><td>Web Service: One-Way Communication</td><td>Pushes the collected data to its command-and-control infrastructure through a web service, with traffic flowing one way from the device.</td></tr>
<tr><td>Exfiltration</td><td><a href="https://attack.mitre.org/techniques/T1646/">T1646</a></td><td>Exfiltration Over C2 Channel</td><td>Exfiltrates the stolen messages over the same C2 channel, using HTTPS.</td></tr>
</tbody>
</table></span>
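The Persistence and Collection rows describe a footprint that is visible in an app's manifest before any dynamic analysis: SMS permissions plus a receiver subscribed to the incoming-SMS broadcast, alongside network access. The Python below is an added example, not code from the page, from SOCRadar or from the malware's authors: it parses a decoded AndroidManifest.xml (the form apktool writes after `apktool d sample.apk`) and scores that pattern. The two manifests, their package names and the receiver name are constructed for the demo, and the finding labels and score are this example's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
INTERNET_PERMISSION = "android.permission.INTERNET"

# Constructed manifest in the shape apktool emits (hypothetical package and class names,
# not taken from any sample on this page).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.otpgrabber">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Free Premium Unlock">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".UploadService"/>
  </application>
</manifest>
"""

# Constructed benign control: network access but no SMS hooks at all.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def android_attr(element, name):
    """Read an android:-namespaced attribute (android:name, android:priority, ...)."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def sms_receivers(root):
    """Every <receiver> whose <intent-filter> subscribes to SMS_RECEIVED (ATT&CK T1624.001)."""
    found = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {android_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED_ACTION in actions:
                priority = android_attr(flt, "priority")
                found.append({
                    "name": android_attr(receiver, "name"),
                    "exported": android_attr(receiver, "exported") == "true",
                    "priority": int(priority) if priority is not None else 0,
                })
    return found


def triage_manifest(xml_text):
    """Score the SMS-interception footprint of a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    permissions = {android_attr(p, "name") for p in root.iter("uses-permission")}
    receivers = sms_receivers(root)
    findings = []
    if permissions & SMS_PERMISSIONS:
        findings.append("sms_permissions")          # T1636.004: may read protected SMS data
    if receivers:
        findings.append("sms_broadcast_receiver")   # T1624.001: code runs on every incoming SMS
    if any(r["priority"] >= 999 for r in receivers):
        findings.append("high_priority_receiver")   # legacy trick to see the message as early as possible
    if receivers and INTERNET_PERMISSION in permissions:
        findings.append("sms_to_network_path")      # has what it needs to forward OTPs (T1646)
    return {
        "package": root.get("package"),
        "permissions": sorted(permissions),
        "sms_receivers": receivers,
        "findings": findings,
        "score": len(findings),
    }


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], result["score"], result["findings"])
```

A legitimate SMS client or two-factor app declares the same permissions and receiver, so a non-zero score is a triage signal to combine with the network indicators above, not a verdict. Once the manifest flags an SMS receiver, the next step is to decompile that receiver class and look for the outbound request that forwards message bodies, which is the T1481.003 and T1646 behaviour in the table.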