Apollo OTP Bot Exploiting Google Voice for MFA Bypass

Published on September 30, 2022. Updated on April 19, 2023.
Category: Malware Intelligence
Type/Family: Botnet
Industry: Finance & Banking
Region: Global
Source*: C3 (C: Fairly reliable; 3: Possibly true)

Executive Summary

Threat
  • The Apollo OTP bot is advertised on a cybercrime forum.
  • It is a Discord-based bot capable of making spoofed calls using Google Voice.
Impact
  • A captured OTP can be used to bypass 2FA and gain complete access to bank accounts.
Mitigation
  • Implement bot-detection technologies and algorithms.
  • Verify the legitimacy of the caller before giving away vital information.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a post on a cybercrime forum advertising the Apollo OTP Bot.
  • The bot service started operations on Telegram in March 2022 and has gained a large following among cybercriminals.
  • The bot offers the same features as other bots on the market, such as the Generaly OTP Bot: stealing OTPs and using legitimate infrastructure to conduct operations.
  • The bot uses various modules to target specific services, such as crypto apps and e-commerce stores.
  • The actor has quoted a starting price of USD 20 per hour for the bot’s services.
[Figure: The threat actor’s advertisement on the forum]

Information from a Sensitive Source

A sensitive source in contact with the threat actor obtained bot samples from the actor and established the following modus operandi:

Modus Operandi

  • The actor provides the victim’s information to the bot; in this case the phone number is entered using a bot command.
  • A custom script selected by the actor guides the conversation. Multiple scripts are available for selection.
  • The actor needs to know the following:
    • Length of the OTP code
    • Victim’s name
    • Business name (the legitimate business the call masquerades as)
  • The bot impersonates a legitimate entity (bank, e-commerce store, etc.) by placing a spoofed call to the target that appears to come from the entity’s toll-free customer care number.
  • The victim is instructed to press ‘1’ on their mobile phone.
  • Once the victim trusts the call and keys in the OTP received by SMS, the digits are captured by the bot.
  • The captured OTP is displayed on the screen of the Discord bot.

Features of the Bot

The bot is capable of performing the following operations:
  • Number spoofing - the victim sees ‘No Caller ID’ instead of a phone number.
  • Using a custom bot voice (command example: /voice en-usJennyNeural).
  • Using different accents, another of the voice options offered by the bot operators.
  • Carrier checking (.carrier) - the bot looks up and displays the following background information on the target number entered by the threat actor:
    • Telecom carrier’s name
    • Whether the number is a fixed line
    • Whether the number has been ported
  • Placing voice calls as any company (facilitated by Google Voice).
  • Voicemail detection - if a call made by the bot goes to voicemail, the call is disconnected.
  • International dialling.
  • PGP bypass module (.call PGP) - calls the victim from a spoofed number and forwards the call to the bot without the victim’s knowledge.
  • Recall module (.call recall) - redials a number.
  • OTP Key (API key) - required to operate the bot. Keys are restocked and put on sale whenever an actor requests them.
  • CVV and PIN stealing modes, which pose a threat to the banking and finance industry.
  • Targeting Google’s authentication codes (command: /call mode gauth) - the bot calls the victim and asks them to enter their Google Authenticator (GAuth) code, which is relayed to the attacker and used to gain access to the victim’s Google account.
  • Conducting bank transfers without raising suspicion.
  • Conducting purchases on e-commerce sites; several customers vouching for the bot cite such purchases as evidence.
  • Attacking users of payment apps (such as PayPal, Venmo, Coinbase (crypto), Quadpay, etc.), taking the victim’s account and the phone number associated with it as input.
  • The operators also offer SMS bombers and email logs.

Pricing Structure

  • The operators of the bot use various cybercrime forums to promote their offering. An instance of their advertisement was observed on a clearnet marketplace.
  • The following pricing structure has been provided by the operators.
[Figure: Pricing structure of the Apollo Bot]

Discord Infrastructure

The operators of the bot run a dedicated Discord server for handling queries and using the bot in real time. At the time of drafting this report the server had 392 members and the following channels:
  • #vouches - a channel for users to review the bot. Multiple customers vouch for a high success rate of OTP hits.
  • #support - a channel where potential customers open tickets to raise queries. The bot’s operator (a user named ‘donkey’) answers them.
  • #redeem - a channel where threat actors gain access to the bot after paying for a purchase plan.
  • #code-success - a channel that displays captured OTPs. To avoid confusion, the bot tags each stolen OTP with the username of the customer who was operating the bot at the time, i.e. the one to whom the code is useful.
 

Threat Actor Activity and Rating

Threat Actor Profiling
  • Active since: March 2022
  • Reputation: Low (multiple complaints and concerns on the forum)
  • Current status: Active
  • History: Has an established history of selling combo lists and gaming configuration services.
  • Point of contact: Telegram and Discord. The operators initially used Telegram to push daily updates about the bot; that group currently has 1,051 members but sees limited activity now that all active discussion takes place on Discord.
  • Rating: C3 (C: Fairly reliable; 3: Possibly true)

Impact and Mitigation

Impact
  • The OTP captured by the bot can be misused to conduct withdrawals, maintain persistence in the account, etc.
  • The bot can be used to bypass 2FA mechanisms and gain complete access to online and bank accounts.
Mitigation
  • Implement bot-detection technologies and algorithms to prevent instances of automated fraud.
  • Create awareness of social engineering tactics.
  • Ask the right questions and verify the legitimacy of the caller before giving away vital or sensitive information.
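The following is an added example and is not code from CloudSEK or from the bot’s operators. It illustrates the defensive point behind the Modus Operandi and Mitigation sections: the bot does not break the OTP, it relays a genuine one in real time, so a verifier that only checks the code cannot tell the relay from a legitimate login. Bot detection therefore has to score the session that consumes the code (device, geolocation, timing, and what the session does next). The event fields, weights, thresholds and the two sample sessions below are all constructed assumptions for illustration, not values from the report.

```python
"""Score the session that consumes an OTP, since the OTP itself is genuine.

Added illustrative example. All field names, weights and thresholds are
assumptions; a real deployment would derive them from fraud history.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuthEvent:
    ts: datetime
    kind: str            # "otp_sent", "otp_verified", "add_payee", "transfer", "purchase"
    device: str          # stable fingerprint of the session's device (assumed available)
    country: str         # geolocation of the session IP
    amount: float = 0.0  # for transfer / purchase events


@dataclass
class Profile:
    known_devices: set     # devices previously seen for this customer
    home_country: str
    typical_amount: float  # e.g. the customer's 30-day median outgoing amount


def score_otp_session(events, profile, post_otp_window=timedelta(minutes=15)):
    """Return (score, reasons) for a session in which an OTP was accepted.

    Assumed weights:
      +40  OTP accepted on a device never seen for this customer
      +20  session geolocates outside the customer's home country
      +10  OTP used within 60 s of being sent (a bot reads it back in real
           time, but honest users are fast too, so this only nudges the score)
      +30  a new payee, or a transfer/purchase above 3x the typical amount,
           follows within post_otp_window
    """
    events = sorted(events, key=lambda e: e.ts)
    sent = next((e for e in events if e.kind == "otp_sent"), None)
    used = next((e for e in events if e.kind == "otp_verified"), None)
    if sent is None or used is None:
        return 0, ["no OTP verification in session"]

    score, reasons = 0, []
    if used.device not in profile.known_devices:
        score += 40
        reasons.append(f"OTP accepted on unknown device {used.device}")
    if used.country != profile.home_country:
        score += 20
        reasons.append(f"session from {used.country}, home is {profile.home_country}")
    if used.ts - sent.ts <= timedelta(seconds=60):
        score += 10
        reasons.append("OTP used within 60 s of being sent")
    for e in events:
        if e.ts <= used.ts or e.ts - used.ts > post_otp_window:
            continue
        if e.kind == "add_payee":
            score += 30
            reasons.append("new payee added right after OTP")
            break
        if e.kind in ("transfer", "purchase") and e.amount > 3 * profile.typical_amount:
            score += 30
            reasons.append(f"{e.kind} of {e.amount:.0f} exceeds 3x typical amount")
            break
    return score, reasons


def decide(score):
    """Map a score to an action. The step-up should be something a code read
    over the phone cannot satisfy (approval in the enrolled banking app, or a
    callback to the number on file), not another SMS OTP."""
    if score >= 70:
        return "block"
    if score >= 40:
        return "step_up"
    return "allow"


# Constructed sample sessions (not real telemetry). The first mirrors the
# report: an OTP keyed in within seconds, then a USD 1,700 purchase from a
# device the customer has never used. The second is an ordinary login.
T0 = datetime(2022, 9, 1, 14, 0, 0)
RELAY_SESSION = [
    AuthEvent(T0, "otp_sent", "fp-attacker-01", "US"),
    AuthEvent(T0 + timedelta(seconds=25), "otp_verified", "fp-attacker-01", "US"),
    AuthEvent(T0 + timedelta(minutes=4), "purchase", "fp-attacker-01", "US", 1700.0),
]
LEGIT_SESSION = [
    AuthEvent(T0, "otp_sent", "fp-customer-phone", "GB"),
    AuthEvent(T0 + timedelta(seconds=40), "otp_verified", "fp-customer-phone", "GB"),
    AuthEvent(T0 + timedelta(minutes=2), "transfer", "fp-customer-phone", "GB", 60.0),
]
CUSTOMER = Profile({"fp-customer-phone", "fp-customer-laptop"}, "GB", 50.0)

if __name__ == "__main__":
    for name, session in (("relay", RELAY_SESSION), ("legit", LEGIT_SESSION)):
        s, why = score_otp_session(session, CUSTOMER)
        print(f"{name}: score={s} action={decide(s)} reasons={why}")
```

The reasons are returned as plain strings so an analyst reviewing a stepped-up session can see which signals fired. The relay session scores on every signal and is blocked; the legitimate session only trips the weak timing signal and is allowed, which is the point of keeping that weight low.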

Appendix

[Figure: Advertisements of the service on other cybercrime forums, where the threat actor has a high reputation, which helps bring in more sales]
[Figure: User feedback for the Apollo bot]
[Figure: The #support channel, where customers open tickets or raise queries]
[Figure: The #redeem channel, used by the threat actor to gain access to the bot after paying for a purchase plan]
[Figure: The #code-success channel, which captures and displays the stolen OTP code]
[Figure: Point of contact for the threat actor]
[Figure: Prebuilt voices information]
[Figure: Instructions for custom script usage]
[Figure: E-commerce transaction of USD 1,700 performed using the bot’s OTP bypass function]
[Figure: An instance where the bot detected that the call went to voicemail instead of being answered by a real person; the call lasted less than 1 second]
[Figure: Apollo bot commands]
[Figure: A screenshot of the activities conducted by the bot during its operation]
[Figure: Advertising SMS bombers and email logs]
