Asia’s SMS stealers: 1,000 bots and one study


Attackers have increasingly started using Telegram as a control server (C2). One example is the Lazy Koala group, which Positive Technologies researchers recently discovered and set out to study.

While researching bots on Telegram, Positive Technologies team found that many are from Indonesia. The researchers were struck by the huge numbers of messages and victims, and how new bots and chats seem to appear on Telegram by the day, so they decided to get to the bottom of this “Indonesian tsunami.” In doing so, Positive Technologies found a couple chat-related SMS stealers from Indonesia. The researchers named them SMS Webpro and NotifySmsStealer because of the string stealers in the body. Sporadic attacks against Bangladesh and India were also detected.

Read more…
Source: Positive Technologies


Sign up for our Newsletter


Related:

  • Analyzing ELF/Sshdinjector.A!tr with a Human and Artificial Analyst

    February 4, 2025

    ELF/Sshdinjector.A!tr is a collection of malware that can be injected into the SSH daemon. Samples of this malware collection surfaced around mid-November 2024. While Fortinet researchers have a good amount of threat intelligence on them (e.g., they are attributed to the DaggerFly espionage group and were used during the Lunar Peek campaign against network appliances), nobody ...

  • New Star Blizzard spear-phishing campaign targets WhatsApp accounts

    January 16, 2025

    Star Blizzard’s new spear-phishing campaign, while novel in that it uses and targets WhatsApp for the first time, exhibits familiar spear-phishing TTPs for Star Blizzard, with the threat actor initiating email contact with their targets, to engage them, before sending them a second message containing a malicious link. The sender address used by the threat actor ...

  • Cloud Atlas seen using a new tool in its attacks

    December 23, 2024

    Known since 2014, Cloud Atlas targets Eastern Europe and Central Asia. We’re shedding light on a previously undocumented toolset, which the group used heavily in 2024. Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code. When opened, the document downloads a ...

  • BellaCPP: Discovering a new BellaCiao variant written in C++

    December 20, 2024

    BellaCiao is a .NET-based malware family that adds a unique twist to an intrusion, combining the stealthy persistence of a webshell with the power to establish covert tunnels. It surfaced for the first time in late April 2023 and has since been publicly attributed to the APT actor Charming Kitten. One important aspect of the BellaCiao samples ...

  • Lazarus group evolves its infection chain with old and new malware

    December 19, 2024

    Over the past few years, the Lazarus group has been distributing its malicious software by exploiting fake job opportunities targeting employees in various industries, including defense, aerospace, cryptocurrency, and other global sectors. This attack campaign is called the DeathNote campaign and is also referred to as “Operation DreamJob”. Kaspersky researchers have previously published the history of ...

  • New Gmail Security Warning For 2.5 Billion – Second Attack Wave Incoming

    December 18, 2024

    As it issues a warning that a second wave of cyber threats against Gmail users is incoming from very persistent attackers, Google has detailed the specific attack methodologies involved and recommended actions that all 2.5 billion Gmail users employ to stay safe and secure. Here’s what you need to know. Although when compared to last year, ...