SNS Sender | Active Campaigns Unleash Messaging Spam Through the Cloud

SNS Sender is a Python-based tool that uses AWS SNS to send bulk SMS phishing messages (smishing), relying on compromised credentials to bypass SNS sandbox limitations. The actor behind SNS Sender, alias ARDUINO_DAS, is connected to numerous USPS-themed phishing kits targeting victims’ PII and payment card data.

Key Points

  • SNS Sender enables bulk SMS phishing using AWS SNS, a cloud-based mass messaging approach.
  • The script requires valid AWS SNS credentials from an environment not subject to the SNS sandbox restrictions.
  • The actor behind SNS Sender is associated with ARDUINO_DAS and numerous USPS-themed phishing kits.
  • The phishing campaigns commonly use a USPS missed-delivery lure to harvest PII and payment card details.
  • The tool fetches phishing links from links.txt and injects them into messages, selecting URLs at random.
  • Phishing kits linked to the actor include USPS-themed flows hosted on usps[.]mytrackingh[.]top and u-sipsl[.]cc, with a multi-step user data collection process.

MITRE Techniques

  • [T1059.006] Python – The SNS Sender tool is implemented as a Python script that orchestrates AWS SNS-based SMS spamming. “SNS Sender is a script that enables bulk SMS spamming using AWS SNS.”
  • [T1078] Valid Accounts – The script relies on compromised AWS credentials to access SNS, cycling through credentials/regions. “A text file containing a list of AWS access keys, secrets, and region delimited by a colon” and it “iterates through the list of AWS credentials and regions.”
  • [T1566.002] Phishing – Spearphishing Link – The SMS messages carry phishing links drawn from links.txt, with the content manipulated to include a link. “The script replaces any occurrences of the string ‘linkas’ in the message content variable with a URL from the links.txt file” and the link is selected at random.
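
For responders who recover a credential list in the colon-delimited format quoted under T1078, the following added example (not code from SNS Sender or from the original report) extracts the access key IDs that need rotation and redacts the secrets. The field patterns, function names and sample data are assumptions constructed for illustration.

```python
import re

# Format described above: access key ID, secret and region on one line,
# delimited by colons. The field patterns are this example's assumptions
# about what each field looks like, not taken from the tool itself.
CRED_LINE = re.compile(
    r"^\s*(?P<key_id>(?:AKIA|ASIA)[A-Z0-9]{16})"
    r":(?P<secret>[A-Za-z0-9/+=]{40})"
    r":(?P<region>[a-z]{2}(?:-[a-z]+)+-\d+)\s*$"
)

def find_credential_lines(text):
    """Return one record per line that matches key:secret:region."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CRED_LINE.match(line)
        if m:
            hits.append({
                "line": lineno,
                "key_id": m["key_id"],
                # Keep only a short prefix so the report is safe to share.
                "secret": m["secret"][:4] + "*" * 36,
                "region": m["region"],
            })
    return hits

def keys_to_rotate(text):
    """Map each unique access key ID to the sorted regions listed for it."""
    out = {}
    for h in find_credential_lines(text):
        out.setdefault(h["key_id"], set()).add(h["region"])
    return {k: sorted(v) for k, v in out.items()}

# Constructed sample input: fake keys, not real credentials.
SAMPLE = "\n".join([
    "AKIA" + "EXAMPLE000000001" + ":" + "a" * 40 + ":us-east-1",
    "# operator note, not a credential",
    "AKIA" + "EXAMPLE000000001" + ":" + "a" * 40 + ":ap-southeast-2",
    "AKIA" + "EXAMPLE000000002" + ":" + "b" * 39 + ":eu-west-1",  # secret too short
    "ASIA" + "EXAMPLE000000003" + ":" + "c/+D" * 10 + ":us-gov-west-1",
])

if __name__ == "__main__":
    for key_id, regions in keys_to_rotate(SAMPLE).items():
        print(key_id, ",".join(regions))
```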

Indicators of Compromise

  • [Hash] 8fd501d7af71afee3e692a6880284616522d709e – sns_sender.py, SNS Sender
  • [URL] phishing links – perwebsolutions[.]com/js/, usps[.]mytrackingh[.]top, and 1 other
  • [Hash] Phish Kit Archives – 01b82c779de9ef59ecd814d6131433f7b17d7eb0, 03329461d8003aece83db2c124b5c2769dd0300e, and 1 more

Read more: https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/