
SMiShing – Hackers Sending SMS With Fake Bank Domains to Steal Credentials & Drop Obfuscated Malicious PowerShell Scripts

Researchers discovered a new wave of mobile attacks, called SMiShing, that uses a fake bank domain in the content of an SMS to trick victims into giving away their bank credentials and to drop the Emotet malware payload on the victims' devices.

The SMiShing attack primarily targets mobile users in the U.S.; the sending number appears to be a local number, and the message impersonates a well-known bank with an account-lockdown alert.

Looking at the landing domain (shabon[.]co) reached after clicking the link in the SMS, it was a well-known malicious domain that had been distributing Emotet as of February 2020 and was used by Emotet as a downloader.

Emotet was first discovered in 2014 as a simple banking trojan aimed at stealing sensitive data from a victim's computer; the APT 42 threat group is believed to be operating this malware.

Attack Stage

Once victims click and open the domain, they see a customized phishing page that mimics the bank's login page and steals their login credentials.

According to IBM X-Force research: "The domain features the bank's name with a different top-level domain (TLD) and is likely designed to grab the victim's credentials as a first step and then have them download a document file loaded with malicious macros."

When reversing the document file, researchers found obfuscated malicious PowerShell scripts that led them to additional Emotet-serving domains.
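A defender-side triage check for the lure pattern described above (a bank's name paired with a different TLD, delivered with an account-lockdown message), added here as an example; it is not code from the article or from IBM X-Force. The bank brand, its legitimate domain and the SMS texts are constructed, and the registrable-domain logic is a deliberate approximation that does not consult the public-suffix list.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list (hypothetical brand): brand keyword -> legitimate registrable domains.
KNOWN_BANK_DOMAINS = {
    "examplebank": {"examplebank.com"},
}

# Wording typical of the account-lockdown lure described in the article.
LURE_KEYWORDS = ("locked", "suspended", "verify", "unusual activity")

# Matches bare or schemed hostnames with an optional path; "[.]" defanging is undone first.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)


def extract_urls(sms_text):
    """Return every URL-looking token in an SMS body (defanged dots normalised)."""
    text = sms_text.replace("[.]", ".")
    return [m.group(0) for m in URL_RE.finditer(text)]


def registrable_domain(url):
    """Crude registrable domain: last two labels of the host (assumption, no PSL)."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url):
    """'legit' if on the allow-list, 'lookalike' if a brand name sits under another TLD."""
    dom = registrable_domain(url)
    name = dom.rpartition(".")[0]
    for brand, legit in KNOWN_BANK_DOMAINS.items():
        if dom in legit:
            return "legit"
        if brand in name:
            return "lookalike"
    return "unknown"


def triage_sms(sms_text):
    """Classify each URL in the SMS and flag whether lockdown-style lure wording is present."""
    lowered = sms_text.lower()
    lure = any(k in lowered for k in LURE_KEYWORDS)
    return {"urls": [(u, classify_url(u)) for u in extract_urls(sms_text)], "lure_wording": lure}
```

A message whose URL classifies as "lookalike" while lure wording is present matches the campaign shape the article describes and is a reasonable candidate for blocking or user warning.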

This is an old trick often used by malware families such as TrickBot to evade detection, and Emotet is one of the ways TrickBot payloads are dropped onto infected systems.

Emotet's operator, a gang called Mealybug, has been pushing its activity through various channels, including spam, sextortion emails, SMiShing and ploys like fake Coronavirus warnings.


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
