Wednesday, November 20, 2024
HomeCyber AttackHackers Use SMS Alerts to Install SpyNote Malware

Hackers Use SMS Alerts to Install SpyNote Malware

Published on

Reports indicate that a Smishing campaign was conducted against Japanese Android users under the name of a Japanese Power and Water Infrastructure company. The SMS contains a link to lure victims into a phishing site.

Once the victims click on the link, mobile malware is downloaded, which was discovered to be the SpyNote malware.

The SMS alerts the users about payment problems in the water or power infrastructure to create a sense of urgency and push them to act swiftly.

- Advertisement - SIEM as a Service

Smishing Campaign

The smishing campaigns have a different context for users, including suspension of power transmission due to non-payment and suspension notice of water supply due to non-payment.

Suspension notice of Power Transmission (Source: twiiter.com/@Tobilasystems)
Suspension of Water Supply (Source: twiiter.com/@Tobilasystems)

Victims who visit these malicious URLs are prompted to install the SpyNote malware.

SpyNote Malware

The source code of SpyNote was leaked in October 2022, after which it spread wide across cybercriminals and is being used for malicious purposes. SpyNote is capable of exploiting accessibility services and device administrator privileges.

It can also steal device location, contacts, SMS messages, and phone calls. Once the malware is installed, it appears with a legitimate app icon to look real.

When the victims open the application, it prompts them to enable the Accessibility feature.

If the victim grants permission, the application disables battery optimization, which allows it to run in the background, and also grants unknown source installation permission for installing another malware without the user’s knowledge or consent, read the McAfee blog post.

This malware was previously found to be attacking the Bank of Japan in April, in which the malware was distributed in a different method.

Threat actors keep up-to-date information about companies with legitimate reasons to contact their customers.

Indicators of Compromise

Command and Control Server

  • 104.233[.]210.35:27772

Malware Samples

SHA256 Hash 
075909870a3d16a194e084fbe7a98d2da07c8317fcbfe1f25e5478e585be1954 
e2c7d2acb56be38c19980e6e2c91b00a958c93adb37cb19d65400d9912e6333f 
a532c43202c98f6b37489fb019ebe166ad5f32de5e9b395b3fc41404bf60d734 
cb9e6522755fbf618c57ebb11d88160fb5aeb9ae96c846ed10d6213cdd8a4f5d 
59cdbe8e4d265d7e3f4deec3cf69039143b27c1b594dbe3f0473a1b7f7ade9a6 
8d6e1f448ae3e00c06983471ee26e16f6ab357ee6467b7dce2454fb0814a34d2 
5bdbd8895b9adf39aa8bead0e3587cc786e375ecd2e1519ad5291147a8ca00b6 
a6f9fa36701be31597ad10e1cec51ebf855644b090ed42ed57316c2f0b57ea3c 
f6e2addd189bb534863afeb0d06bcda01d0174f5eac6ee4deeb3d85f35449422 
755585571f47cd71df72af0fad880db5a4d443dacd5ace9cc6ed7a931cb9c21d 
2352887e3fc1e9070850115243fad85c6f1b367d9e645ad8fc7ba28192d6fb85 
90edb28b349db35d32c0190433d3b82949b45e0b1d7f7288c08e56ede81615ba 
513dbe3ff2b4e8caf3a8040f3412620a3627c74a7a79cce7d9fab5e3d08b447b 
f6e2addd189bb534863afeb0d06bcda01d0174f5eac6ee4deeb3d85f35449422 
0fd87da37712e31d39781456c9c1fef48566eee3f616fbcb57a81deb5c66cbc1 
acd36f7e896e3e3806114d397240bd7431fcef9d7f0b268a4e889161e51d802b 
91e2f316871704ad7ef1ec74c84e3e4e41f557269453351771223496d5de594e 

Smishing is one of the social engineering attacks used by threat actors to attack individuals who use SMS for communication. Users of mobile devices are recommended to keep an eye out for these kinds of Smishing campaigns and be vigilant.

Stay up-to-date with the latest Cyber Security News; follow us on GoogleNewsLinkedinTwitterand Facebook.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

CISA Warns Kemp LoadMaster OS Command Injection Vulnerability Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent security advisory warning organizations...

Phobos Ransomware Admin as Part of International Hacking Operation

The U.S. Department of Justice unsealed criminal charges today against Evgenii Ptitsyn, a 42-year-old Russian...

Maxar Space Data Leak, Threat Actors Gain Unauthorized Access to the System

Maxar Space Systems, a leader in space technology and Earth intelligence solutions, has recently...

Apache Kafka Vulnerability Let Attackers Escalate Privileges

A newly identified vulnerability tracked as CVE-2024-31141, has been discovered in Apache Kafka Clients that could allow...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

CISA Warns Kemp LoadMaster OS Command Injection Vulnerability Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent security advisory warning organizations...

Phobos Ransomware Admin as Part of International Hacking Operation

The U.S. Department of Justice unsealed criminal charges today against Evgenii Ptitsyn, a 42-year-old Russian...

Maxar Space Data Leak, Threat Actors Gain Unauthorized Access to the System

Maxar Space Systems, a leader in space technology and Earth intelligence solutions, has recently...