Malicious ‘SNS Sender’ script abuses AWS for bulk smishing attacks

Bulk Smishing Attacks

A malicious Python script known as SNS sender is advertised as a way for threat actors to send bulk smishing messages by abusing Amazon Web Services (AWS) Simple Notification Service (SNS).

The SMS phishing messages are designed to distribute malicious links designed to capture victims’ personally identifiable information (PII) and payment card details, SentinelOne said in a new report, attributing it to a threat actor called ARDUINO_DAS.

“The smishing scam often takes the form of a message from the United States Postal Service (USPS) about a missed package delivery,” says security researcher Alex Delamotte.

SNS Sender is also the first tool observed in the wild that uses AWS SNS to conduct SMS spamming attacks. SentinelOne said it has identified links between ARDUINO_DAS and more than 150 phishing kits for sale.

The malware requires a list of phishing links stored in a file called links.txt in the working directory, in addition to a list of AWS access keys, the phone numbers to target, the sender ID (also called display name), and the content of the message.

The mandatory inclusion of a sender ID for sending the scam texts is notable because support for sender IDs varies from country to country. This suggests that the author of SNS Sender is likely from a country where sender ID is a conventional practice.

“For example, carriers in the United States do not support shipper IDs at all, but carriers in India require senders to use shipper IDs,” Amazon says in its documentation.

There are indications that this operation may have been active since July 2022, according to bank logs with references to ARDUINO_DAS shared on card forums such as Crax Pro.

A large majority of phishing kits are USPS-themed and send users to fake pages asking users to enter their personal information and credit/debit card information, as revealed by security researcher @JCyberSec_ on X (formerly Twitter) in early September 2022 .

“Do you think the deploying actor knows that all kits have a hidden backdoor that sends the logs to another place?” the researcher continues. noted.

If nothing else, the development represents ongoing attempts by commodity threat actors to exploit cloud environments for smishing campaigns. In April 2023, Permiso revealed an attack campaign that leveraged previously exposed AWS access keys to infiltrate AWS servers and send text messages via SNS.

The findings also follow the discovery of a new dropper codenamed TicTacToe that is likely sold as a service to threat actors and has been observed to be used to spread a wide range of information stealers and remote access trojans (RATs). that will target Windows users in 2023.

Fortinet FortiGuard Labs, which shed light on the malwaresaid it is deployed through a four-stage infection chain that starts with an ISO file embedded in email messages.

Another relevant example of threat actors continually innovating their tactics involves using ad networks to create effective spam campaigns and deploy malware such as DarkGate.

“The threat actor connected to an advertising network via a proxy connection to evade detection and capture analytics about its victims,” says HP Wolf Security said. “The campaigns were initiated via malicious PDF attachments masquerading as OneDrive error messages, leading to the malware.”

The PC maker’s infosec department also highlighted the misuse of legitimate platforms like Discord to organize and spread malware, a trend that has become increasingly common in recent years, prompting the company to switch to temporary file links.

“Discord is known for its robust and reliable infrastructure, and is widely trusted,” said Intel 471 said. “Organizations often allow Discord, meaning links and connections to it are not restricted. This makes its popularity among threat actors unsurprising given its reputation and widespread use.”

#Malicious #SNS #Sender #script #abuses #AWS #bulk #smishing #attacks

Notify of
Inline Feedbacks
View all comments
Previous Post
Cryptocurrency Firms

RustDoor macOS Backdoor targets cryptocurrency companies with fake job postings

Next Post
Network Breached

US state government network hacked through former employee’s account

Related Posts