Asia’s SMS stealers: 1,000 bots and one study


Attackers have increasingly started using Telegram as a control server (C2). One example is the Lazy Koala group, which Positive Technologies researchers recently discovered and set out to study.

While researching bots on Telegram, Positive Technologies team found that many are from Indonesia. The researchers were struck by the huge numbers of messages and victims, and how new bots and chats seem to appear on Telegram by the day, so they decided to get to the bottom of this “Indonesian tsunami.” In doing so, Positive Technologies found a couple chat-related SMS stealers from Indonesia. The researchers named them SMS Webpro and NotifySmsStealer because of the string stealers in the body. Sporadic attacks against Bangladesh and India were also detected.

Read more…
Source: Positive Technologies


Sign up for our Newsletter


Related:

  • Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks

    May 27, 2024

    Cybercriminals and Advanced Persistent Threat (APT) actors share a common interest in proxy anonymization layers and Virtual Private Network (VPN) nodes to hide traces of their presence and make detection of malicious activities more difficult. This shared interest results in malicious internet traffic blending financial and espionage motives. A prominent example of this includes a cybercriminal ...

  • Springtail: New Linux Backdoor Added to Toolkit

    May 16, 2024

    Symantec’s Threat Hunter Team has uncovered a new Linux backdoor developed by the North Korean Springtail espionage group (aka Kimsuky) that is linked to malware used in a recent campaign against organizations in South Korea. The backdoor (Linux.Gomir) appears to be a Linux version of the GoBear backdoor, which was used in a recent Springtail campaign ...

  • Tracking the Progression of Earth Hundun’s Cyberespionage Campaign in 2024

    May 16, 2024

    In their previous report, Trend Micro researchers introduced the sophisticated cyberespionage campaign orchestrated by Earth Hundun, a threat actor known for targeting the Asia-Pacific region using the Waterbear malware and its latest iteration, Deuterbear. We first observed Deuterbear being used by Earth Hundun in October 2022, and it has since been part of the group’s ...

  • Germany recalls envoy to Russia over cyberattack

    May 6, 2024

    The German ambassador to Russia was recalled for consultations on Monday after Berlin accused Moscow of carrying out cyberattacks. A newly concluded government investigation found the cyberattack had been carried out by a group — linked to Moscow’s GRU military intelligence agency — known as APT28. The group, also known as Fancy Bear, has been accused ...

  • Governments issue alerts after ‘sophisticated’ state-backed actor found exploiting flaws in Cisco security boxes

    April 25, 2024

    A previously unknown and “sophisticated” nation-state group compromised Cisco firewalls as early as November 2023 for espionage purposes — and possibly attacked network devices made by other vendors including Microsoft, according to warnings from the networking giant and three Western governments. A Cisco spokesperson declined to comment on which country the snooping crew – tracked as ...

  • Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials

    April 22, 2024

    Microsoft Threat Intelligence is publishing results of our longstanding investigation into activity by the Russian-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks. Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as ...