A malicious Python script known as SNS sender it is advertised as a way to allow threat actors to send bulk smishing messages by abusing the Amazon Web Services (AWS) Simple Notification Service (SNS).
Phishing SMS messages are designed to propagate malicious links designed to capture victims’ personally identifiable information (PII) and payment card details, SentinelOne said in a new report, attributing it to a threat actor named ARDUINO_DAS.
“Smishing scams often take the form of a message from the United States Postal Service (USPS) regarding a non-delivery of a package,” said security researcher Alex Delamotte.
SNS Sender is also the first observed tool out there that leverages AWS SNS to conduct SMS spamming attacks. SentinelOne said it has identified links between ARDUINO_DAS and over 150 phishing kits offered for sale.
The malware requests a list of phishing links stored in a file called links.txt in your working directory, as well as a list of AWS access keys, the phone numbers to target, the sender ID (also known as the display name) and the contents of the message.
The mandatory inclusion of the Sender ID for sending scam messages is noteworthy because support for Sender IDs varies from country to country. This suggests that the author of SNS Sender is likely from a country where Sender ID is a conventional practice.
“For example, carriers in the United States do not support Sender IDs at all, but carriers in India require senders to use Sender IDs,” Amazon says in its documentation.
There is evidence to suggest this operation could be active from at least July 2022, thanks to bank records containing references to ARDUINO_DAS that have been shared on carding forums such as Crax Pro.
The vast majority of phishing kits are USPS-themed, with campaigns directing users to fake package tracking pages that prompt users to enter their personal and credit/debit card information, as highlighted by the researcher security expert @JCyberSec_ on X (formerly Twitter) in early September 2022.
“Do you think the actor who distributed it knows that all the kits have a hidden backdoor that sends the logs to another place?”, the researcher further added. noticed.
If anything, the development represents commodity threat actors’ continued attempts to exploit cloud environments for smishing campaigns. In April 2023, Permiso disclosed a cluster of activities that leveraged previously exposed AWS access keys to infiltrate AWS servers and send SMS messages using SNS.
The findings also follow the discovery of a new dropper codenamed TicTacToe that is likely sold as a service to threat actors and has been observed to be used to propagate a wide variety of information stealers and remote access trojans (RATs) that are targeting Windows users during 2023.
Fortinet FortiGuard Labs, which shed light on the malware, said it is distributed via a four-step infection chain that begins with an ISO file embedded in email messages.
Another notable example of how threat actors continually innovate their tactics involves the use of ad networks to mount effective spam campaigns and distribute malware like DarkGate.
“The threat actor routed links through an advertising network to evade detection and gain analytics about their victims,” HP Wolf Security said. “The campaigns were launched via malicious PDF attachments that presented themselves as OneDrive error messages, leading to the malware.”
The PC maker’s Infosec division also highlighted the misuse of legitimate platforms like Discord to organize and distribute malware, a trend that has become increasingly common in recent years, prompting the company to move to temporary file links by the end of last year.
“Discord is known for its robust and reliable infrastructure and is widely recognized,” said Intel 471. “Organizations often enable Discord, meaning links and connections to it are not limited. This makes its popularity among threat actors not surprising, given its reputation and widespread use.”