
Malicious ‘SNS Sender’ Script Abuses AWS for Bulk Smishing Attacks

A malicious Python script called SNS Sender is being advertised among threat actors as a way to send bulk SMS messages through Amazon Web Services (AWS) Simple Notification Service (SNS). According to security researchers, the messages carry phishing links designed to harvest victims' personal information and payment card details. The report attributes the tool to a threat actor tracked as ARDUINO_DAS.

The messages are typically disguised as notifications from the United States Postal Service (USPS) about missed package deliveries, according to SentinelOne security researcher Alex Delamotte. SentinelOne describes SNS Sender as the first tool observed in the wild that uses AWS SNS to conduct SMS spamming attacks. The firm also linked ARDUINO_DAS to more than 150 phishing kits offered for sale.

The script expects a list of phishing links in a file named links.txt in its working directory, along with a list of AWS access keys, a list of target phone numbers, a sender ID (also known as a display name), and the message content. The sender ID requirement is noteworthy because carrier support for it varies from country to country, which suggests the author of SNS Sender comes from a country where sender IDs are conventional. For instance, carriers in the United States do not support sender IDs, whereas carriers in India require senders to use them, as Amazon's documentation notes.

Evidence suggests the operation has been active since at least July 2022, based on bank logs referencing ARDUINO_DAS that were shared on carding forums such as Crax Pro. The vast majority of the phishing kits are USPS-themed, with campaigns directing victims to bogus package tracking pages that prompt them for personal and credit or debit card information, as security researcher @JCyberSec_ demonstrated on X (formerly Twitter) in early September 2022.

There is also a concern that the actors deploying these kits may be unaware that all of them contain a hidden backdoor that sends the harvested logs to another location, according to the researcher. The development highlights commodity threat actors' continued efforts to abuse cloud environments for their campaigns. In April 2023, Permiso disclosed an activity cluster that used previously exposed AWS access keys to gain access to AWS environments and send SMS messages through SNS.
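Both SNS abuse cases described here, SNS Sender driving bulk texts with a list of access keys and the Permiso cluster using exposed keys, leave the same footprint in an AWS account: one access key issuing many Publish calls addressed directly to phone numbers in a short window, often carrying a branded sender ID. The following Python detection is an added example, not code from the article, SentinelOne or Permiso. The log records are constructed, and the field names (eventSource, eventName, userIdentity.accessKeyId, requestParameters.phoneNumber, the AWS.SNS.SMS.SenderID message attribute) are assumptions modelled on the CloudTrail JSON shape that should be checked against real logs before use; the thresholds are placeholders to be replaced with a baseline from your own workload.

```python
# Added example (not from the article, SentinelOne or Permiso). Records are
# constructed; field names are assumptions modelled on CloudTrail's JSON shape.
import json
from collections import defaultdict
from datetime import datetime, timedelta

MAX_SMS_PER_KEY_PER_WINDOW = 5           # tunable assumption
WINDOW = timedelta(minutes=10)           # tunable assumption
SENDER_ID_ATTR = "AWS.SNS.SMS.SenderID"  # SNS message attribute for the sender ID


def parse_sms_publishes(raw_lines):
    """Keep only SNS Publish calls addressed directly to a phone number."""
    events = []
    for line in raw_lines:
        rec = json.loads(line)
        params = rec.get("requestParameters") or {}
        if (rec.get("eventSource") != "sns.amazonaws.com"
                or rec.get("eventName") != "Publish"
                or not params.get("phoneNumber")):
            continue  # not SNS, or a topic publish rather than a direct SMS
        attrs = params.get("messageAttributes") or {}
        events.append({
            "time": datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00")),
            "access_key": rec.get("userIdentity", {}).get("accessKeyId", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "phone": params["phoneNumber"],
            "sender_id": (attrs.get(SENDER_ID_ATTR) or {}).get("stringValue"),
        })
    return events


def detect_bulk_sms(events, max_per_window=MAX_SMS_PER_KEY_PER_WINDOW, window=WINDOW):
    """One finding per access key whose direct-SMS count in any sliding window
    exceeds max_per_window, with the sender IDs and source IPs it used."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev["access_key"]].append(ev)
    findings = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_per_window:
            findings.append({
                "access_key": key,
                "peak_sms_in_window": peak,
                "distinct_numbers": len({e["phone"] for e in evs}),
                "sender_ids": sorted({e["sender_id"] for e in evs if e["sender_id"]}),
                "source_ips": sorted({e["source_ip"] for e in evs if e["source_ip"]}),
            })
    return findings


def _record(ts, key, ip, phone=None, sender_id=None):
    """Constructed CloudTrail-like record: direct SMS if phone given, else topic."""
    if phone:
        params = {"phoneNumber": phone, "message": "<redacted>"}
        if sender_id:
            params["messageAttributes"] = {
                SENDER_ID_ATTR: {"dataType": "String", "stringValue": sender_id}}
    else:
        params = {"topicArn": "arn:aws:sns:us-east-1:123456789012:alerts"}
    return json.dumps({
        "eventTime": ts, "eventSource": "sns.amazonaws.com", "eventName": "Publish",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key},
        "requestParameters": params,
    })


# Constructed sample: a legitimate key sends two one-time codes 40 minutes apart
# plus one topic publish; a stolen key blasts eight USPS-branded texts to eight
# different numbers inside two minutes.
SAMPLE_LOG = [
    _record("2024-02-10T09:00:00Z", "AKIAEXAMPLELEGIT0001", "203.0.113.10", "+15555550100"),
    _record("2024-02-10T09:40:00Z", "AKIAEXAMPLELEGIT0001", "203.0.113.10", "+15555550101"),
    _record("2024-02-10T09:45:00Z", "AKIAEXAMPLELEGIT0001", "203.0.113.10"),
] + [
    _record(f"2024-02-10T10:0{i // 4}:{(i % 4) * 15:02d}Z", "AKIAEXAMPLESTOLEN002",
            "198.51.100.7", f"+1555555{200 + i:04d}", "USPS")
    for i in range(8)
]


def run_detection(raw_lines=SAMPLE_LOG):
    return detect_bulk_sms(parse_sms_publishes(raw_lines))


if __name__ == "__main__":
    print(json.dumps(run_detection(), indent=2))
```

Two caveats a practitioner would apply before relying on this: the Publish calls must actually be recorded (in CloudTrail that means SNS data events enabled for the account), and the count threshold should come from the workload's own baseline rather than the placeholder above. A sender ID attribute is itself a useful signal for a workload that only texts United States numbers, since, as noted above, US carriers do not support sender IDs, so a legitimate US-only sender has no reason to set one.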

Separately, a new dropper codenamed TicTacToe, likely sold as a service to other threat actors, was observed throughout 2023 delivering a range of information stealers and remote access trojans (RATs). FortiGuard Labs, which documented the malware, said it uses a four-stage infection chain that begins with an ISO file delivered in email messages.

Another example of threat actors refining their tactics is the use of advertising networks to run effective spam campaigns and deliver malware such as DarkGate. In that case the threat actor proxied links through an advertising network to evade detection and gather analytics on the campaign's success.

Want to read more? Check out the original article available at The Hacker News!


Deitasoft © 2024. All Rights Reserved.