SMiShing – Hackers Sending SMS With Fake Bank Domains to Steal Credentials & Drop Obfuscated Malicious PowerShell Scripts

Researchers discovered a new wave of mobile attack called SMiShing that uses fake bank domain in the content of the SMS and trick victims to give away their bank credentials and drop Emotet malware payload in victims’ devices.

The SMiShing attack primarily targeting the U.S resident mobiles and the sent mobile number appeared to be a local number and impersonate as a well-known bank with an account lockdown alert.

When we look at the landing domain (shabon[.]co) after clicking the link in the SMS, it was a well known malicious domain that distributes Emotet as of February 2020 and, it was used by Emotet malware as a downloader.

Emotet malware was first discovered in the year 2014 as a simple banking trojan aimed to steal sensitive data from a victim’s computer and APT 42 threat groups believed to be operating this malware.

Attack Stage

Once the victims click and open the domain, visually they could see a customized phishing page that mimics the bank login page that steals the victim’s login credentials.

According to IBM X force research “The domain features the bank’s name with a different top-level domain (TLD) and is likely designed to grab the victim’s credentials as a first step and then have them download a document file loaded with malicious macros.”

When reversing the document file, researchers found some of the obfuscated malicious PowerShell scripts that lead to finding additional Emotet-serving domains.

This is one of the old tricks that often used by malware families such as trickbot to evade the detection and Emotet is one of the ways TrickBot payloads are dropped to infected systems.

Emotet’s operator called a Mealybug gang has been pushing its activity through various channels, including spam, sextortion emails, SMiShing and ploys like fake Coronavirus warnings.

Follow in Twitter for Daily cyber security & hacking news updates: Cyber Security News

Leave a Reply