
Iranian Users Are Being Warned About Widespread SMS Phishing Campaigns.

Several Iranian news sources and social networks have issued warnings in recent months about ongoing SMS phishing campaigns impersonating Iranian government services. The scheme is as old as time: victims click on a malicious link, enter their credit card information, and their money is gone in a matter of hours.

Check Point researcher Shmuel Cohen wrote in a new report released Wednesday, “The malicious application not only collects the victim’s credit card numbers, but also gains access to their 2FA authentication SMS, and turns the victim’s device into a bot capable of spreading similar phishing SMS to other potential victims.”

According to the cybersecurity firm, it discovered hundreds of different phishing Android apps trying to act as device tracking apps, Iranian banks, dating and shopping sites, cryptocurrency exchanges, and government-related services, with these botnets sold as a “ready-to-use mobile campaign kit” on Telegram channels for anywhere between $50 and $150.

The infection chain of the botnet begins with a fake notification from the Iranian judiciary urging users to review a fake complaint filed against the message’s recipients. The complaint link takes victims to what appears to be a government website, where they are asked to enter personal information (e.g., name, phone number, etc.) and download an Android APK file.

The threat actors need to maintain several different components:

  • A web page with the right lure to distribute the mobile application and phishing pages with the same lure theme to collect credit card data.
  • The panel where the stolen data is stored.
  • Firebase domain for C&C communication.
  • Android applications with all the above defined in the code and configuration files.

A single open directory (opendir) exposing the structure of one campaign’s files and folders is enough to gain access to the data stolen from the victims of any other campaign by directly accessing the URLs of those campaigns, even ones that are not directly exposed through an opendir.

The files located in each campaign folder include:

  • Contacts.txt – The list of all contacts stolen from the last device added to the botnet.
  • Sms.txt – All the SMS stolen from the bot.
  • Message.oliver – The phishing message to be distributed by the bots.
  • Numbers.oliver – The list of phone numbers where the bots should send this message.
  • On.oliver – The list of all the online bots.
  • Users.oliver – The full list of android_ids participating in this botnet.

Users who choose to do so are then redirected to a fake payment page that collects the credit card information they enter, while the installed app acts as a covert backdoor to steal one-time passcodes sent by the credit card company and facilitate additional theft.

To make matters worse, the attackers behind the operation were discovered to have poor operational security (OPSEC), allowing any third party to freely access the phone numbers, contacts, SMS messages, and list of all online bots hosted on their servers.

Finally, the researchers concluded, “Stealing 2FA dynamic codes allows the actors to slowly but steadily withdraw significant amounts of money from the victims’ accounts, even when each distinct operation may only garner tens of dollars. It should come as no surprise that the number of such applications for Android and the number of people selling them is growing, given the ease with which the ‘botnet as a service’ business model has been adopted.”
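The behaviours described above (reading 2FA SMS, sending SMS to other numbers, reading contacts, talking to a C&C server) each require a permission declared in the app's manifest, so a defender can triage a sideloaded APK by checking for that combination. The following is an added example, not code from the Check Point report: it assumes the manifest has already been decoded to text (for example with apktool), and the behaviour-to-permission mapping, package names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Behaviour described in the article -> standard Android permissions an app
# needs for it. The mapping is this example's assumption, not a published IoC.
BEHAVIOURS = {
    "read 2FA SMS": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "send SMS to other numbers": {"android.permission.SEND_SMS"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "talk to a remote server": {"android.permission.INTERNET"},
}

def requested_permissions(root):
    """Collect permission names from <uses-permission*> elements."""
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def triage(manifest_xml):
    """Return which of the article's behaviours the manifest makes possible."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    possible = [b for b, needed in BEHAVIOURS.items() if perms & needed]
    return {
        "package": root.get("package", "?"),
        "possible": possible,
        # Flag only the full combination; any single permission is common.
        "flag": len(possible) == len(BEHAVIOURS),
    }

def manifest(package, perms):
    """Build a constructed sample manifest (not taken from any real APK)."""
    body = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{body}</manifest>')

LURE = manifest("com.example.courtnotice", ["RECEIVE_SMS", "SEND_SMS", "READ_CONTACTS", "INTERNET"])
BENIGN = manifest("com.example.weather", ["INTERNET", "ACCESS_COARSE_LOCATION"])

if __name__ == "__main__":
    for sample in (LURE, BENIGN):
        print(triage(sample))
```

Legitimate messaging apps request the same permission set, so a flag here is a reason to inspect the app and its origin, not a verdict.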

Indicators of Compromise

Panel domains:










Phishing domains:



















Firebase C&C:



