AWS滥用：恶意'SNS Sender'脚本用于大规模Smishing攻击

A malicious Python script known as SNS Sender is being advertised as a way for threat actors to send bulk smishing messages by abusing Amazon Web Services (AWS) Simple Notification Service (SNS).

一种恶意的Python脚本被称为SNS Sender，它被宣传为威胁行为者利用亚马逊网络服务（AWS）简单通知服务（SNS）发送大量短信欺诈信息的方式。

The SMS phishing messages are designed to propagate malicious links that are designed to capture victims' personally identifiable information (PII) and payment card details, SentinelOne said in a new report, attributing it to a threat actor named ARDUINO_DAS.

SentinelOne在一份新报告中表示，这些短信钓鱼信息旨在传播恶意链接，用于窃取受害者的个人身份信息（PII）和付款卡详细信息，并将其归因于威胁行为者ARDUINO_DAS。

"The smishing scams often take the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery," security researcher Alex Delamotte said.

“这些短信欺诈经常伪装成来自美国邮政服务（USPS）关于未投递包裹的消息，”安全研究员Alex Delamotte说。

SNS Sender is also the first tool observed in the wild that leverages AWS SNS to conduct SMS spamming attacks. SentinelOne said that it identified links between ARDUINO_DAS and more than 150 phishing kits offered for sale.

SNS Sender也是第一个利用AWS SNS进行短信垃圾邮件攻击的工具。SentinelOne表示，它发现了ARDUINO_DAS与150多个出售的网络钓鱼工具包之间的联系。

The malware requires a list of phishing links stored in a file named links.txt in its working directory, in addition to a list of AWS access keys, the phone numbers to target, the sender ID (aka display name), and the content of the message.

该恶意软件需要一个名为links.txt的文件中存储的网络钓鱼链接列表，以及一组AWS访问密钥、目标电话号码、发送方ID（也称为显示名称）和消息内容。

The mandatory inclusion of sender ID for sending the scam texts is noteworthy because support for sender IDs varies from country to country. This suggests that the author of SNS Sender is likely from a country where the sender ID is a conventional practice.

发送欺诈短信时强制包含发送方ID是值得注意的，因为不同国家对发送方ID的支持程度不同。亚马逊在其文档中表示：“例如，美国的运营商根本不支持发送方ID，而印度的运营商要求发送者使用发送方ID。”

"For example, carriers in the United States don't support sender IDs at all, but carriers in India require senders to use sender IDs," Amazon says in its documentation.

There is evidence to suggest that this operation may have been active since at least July 2022, going by bank logs containing references to ARDUINO_DAS that have been shared on carding forums like Crax Pro.

有证据表明，这个操作至少从2022年7月开始活动，根据包含ARDUINO_DAS引用的银行日志，这些日志在类似Crax Pro的卡盗论坛上被分享。

A vast majority of the phishing kits are USPS-themed, with the campaigns directing users to bogus package tracking pages that prompt users to enter their personal and credit/debit card information, as evidenced by security researcher @JCyberSec_ on X (formerly Twitter) in early September 2022.

绝大多数网络钓鱼工具包都以美国邮政服务（USPS）为主题，这些活动将用户引导到虚假的包裹跟踪页面，提示用户输入个人和信用/借记卡信息，安全研究员@JCyberSec_于2022年9月初在X（前Twitter）上证实了这一点。

"Do you think the deploying actor knows all the kits have a hidden backdoor sending the logs to another place?," the researcher further noted.

“你认为部署者知道所有工具包都有一个隐藏的后门将日志发送到另一个地方吗？”研究人员进一步指出。

If anything, the development represents commodity threat actors' ongoing attempts to exploit cloud environments for smishing campaigns. In April 2023, Permiso revealed an activity cluster that took advantage of previously exposed AWS access keys to infiltrate AWS servers and send SMS messages using SNS.

从任何方面来看，这一发展代表了普通威胁行为者不断尝试利用云环境进行短信欺诈活动的努力。2023年4月，Permiso揭示了一个利用先前曝光的AWS访问密钥渗透AWS服务器并使用SNS发送短信的活动聚类。

The findings also follow the discovery of a new dropper codenamed TicTacToe that's likely sold as a service to threat actors and has been observed being used to propagate a wide variety of information stealers and remote access trojans (RATs) targeting Windows users throughout 2023.

这些发现还紧随发现了一个名为TicTacToe的新型投放器，该投放器很可能作为服务出售给威胁行为者，并且已被观察到用于传播各种窃取信息者和远程访问木马（RAT），并针对2023年的Windows用户。

Fortinet FortiGuard Labs, which shed light on the malware, said it's deployed by means of a four-stage infection chain that starts with an ISO file embedded within email messages.

Fortinet FortiGuard Labs揭示了这种恶意软件，并表示它通过一个四阶段的感染链部署，该感染链从电子邮件消息中嵌入的ISO文件开始。

Another relevant example of threat actors continuously innovating their tactics concerns the use of advertising networks to stage effective spam campaigns and deploy malware such as DarkGate.

威胁行为者不断创新他们的策略的另一个相关例子是利用广告网络进行有效的垃圾邮件活动和部署恶意软件，例如DarkGate。

"The threat actor proxied links through an advertising network to evade detection and capture analytics about their victims," HP Wolf Security said. "The campaigns were initiated through malicious PDF attachments posing as OneDrive error messages, leading to the malware."

“威胁行为者通过广告网络代理链接以逃避检测并捕获有关受害者的分析数据，”HP Wolf Security表示。“这些活动通过冒充OneDrive错误消息的恶意PDF附件发起，导致恶意软件的传播。”

The infosec arm of the PC maker also highlighted the misuse of legitimate platforms like Discord to stage and distribute malware, a trend that has become increasingly common in recent years, prompting the company to switch to temporary file links by the end of last year.

这家电脑制造商的信息安全部门还强调了滥用合法平台如Discord进行恶意软件的部署和传播，这是近年来变得越来越常见的趋势，促使该公司在去年底改为使用临时文件链接。

"Discord is known for its robust and reliable infrastructure, and it is widely trusted," Intel 471 said. "Organizations often allowlist Discord, meaning that links and connections to it are not restricted. This makes its popularity among threat actors unsurprising given its reputation and widespread use."

“Discord以其强大可靠的基础设施而闻名，并且被广泛信任，”Intel 471表示。“组织通常将Discord列入白名单，这意味着对其的链接和连接没有限制。考虑到其声誉和广泛使用，威胁行为者对其的流行并不令人意外。”

原文始发于微信公众号（知机安全）：AWS滥用：恶意'SNS Sender'脚本用于大规模Smishing攻击