| Category | Type/Family | Industry | Region | Source* |
|---|---|---|---|---|
| Malware Intelligence | Botnet | Finance & Banking | Global | C3 |
- CloudSEK’s contextual AI digital risk platform XVigil discovered a post on a cybercrime forum advertising the Apollo OTP Bot.
- The bot service started operations on Telegram in March 2022 and has gained a large following among cybercriminals.
- The bot offers the same feature set as other bots on the market, such as the Generaly OTP Bot: stealing OTPs and abusing legitimate infrastructure to place the calls.
- The bot is organised into modules that serve different targets: crypto apps, e-commerce stores, banks, and so on.
- The actor has quoted a starting price of USD 20 per hour for the bot’s services.
- The actor supplies the victim's details to the bot, starting with the phone number, which is entered with a bot command.
- A script chosen by the actor drives the conversation; several scripts are available to pick from.
- The actor will need to know the following:
- Length of the OTP code
- Victim’s name
- Business name (used to masquerade as a legitimate business).
- The bot impersonates a legitimate entity (bank, e-commerce store, etc.) by placing a spoofed call that appears to come from that entity's toll-free customer care number.
- The victim is instructed to press ‘1’ on their mobile phone.
- Once the victim trusts the bot and enters the OTP from the SMS, it is received by the bot.
- The OTP is successfully captured and displayed on the screen of the Discord bot.
- Number spoofing - The victim sees a ‘No Caller ID’ text instead of a phone number.
- Using a custom bot voice (Command example - /voice en-usJennyNeural).
- Using different accents, one of the other voice offerings from the bot operators.
- Carrier checking (.carrier) - The bot looks up and displays the following background information on the target number entered by the threat actor:
- Telecom carrier’s name
- Whether the number is fixed
- Whether the number is ported
- Conducting voice calls as any company (facilitated by Google Voice).
- Voicemail detection - If a call made by the bot goes to voicemail, the call is disconnected.
- International dialler
- PGP bypass module (.call PGP) - It is used for calling the victim with a spoofed number and forwarding the call to the bot, without letting the victim know.
- Recall module (.call recall) - To recall a number.
- OTP Key (API Key) - Required to operate the bot. Keys are restocked and put on sale whenever actors need them.
- CVV and Pin stealing modes which pose threats to the Banking and Finance industry.
- Targeting Google's authentication codes (command: /call mode gauth) - The bot calls the victim and asks them to enter their GAuth code, which is relayed to the attacker and used to take over the victim's Google account.
- Conducting bank transfers without raising suspicion on the victim's account.
- Conducting purchases on e-commerce sites; multiple vouches from customers show this being done.
- Attacking users of payment apps (PayPal, Venmo, Coinbase (crypto), Quadpay, etc.), taking as input the victim's account and the phone number associated with it.
- The bot also provides the services of SMS bombers and email logs.
- The operators of the bot make use of various cybercrime forums to promote their offering. An instance of their advertisement was observed on a clearnet marketplace.
- The following pricing structure has been provided by the operators.
- #vouches - a dedicated channel for users to give their reviews of the bot. The high success rate of OTP hits has been vouched by multiple customers.
- #support - a channel used by potential customers to open tickets for raising queries. The bot’s operator (a user named ‘donkey’) addresses these queries.
- #redeem - a channel used by threat actors to gain access to the bot after paying for the purchase plan.
- #code-success - a channel to display the captured OTP. To prevent confusion, the bot specifies the username of the user who was operating the bot at that particular time and to whom this stolen OTP is useful.
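The call flow described above (operator supplies number, name, business and OTP length; the victim is asked to press 1; the bot hangs up on voicemail; the captured code is posted tagged with the operator's username) can be modelled as a small state machine. The following is a constructed simulation written for this page; it is not the Apollo bot's code, places no calls, and the `CallConfig` fields, `SCRIPTS` templates and `run_call`/`code_success_line` helpers are hypothetical names chosen here. The keypad input is a constructed string of DTMF digits.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of the scripted call flow described above. Illustrative
# simulation for this page only: not the bot's code, and nothing here dials.


@dataclass
class CallConfig:
    target_number: str   # entered by the operator with a bot command
    victim_name: str     # used to personalise the script
    business_name: str   # entity the call impersonates
    otp_length: int      # how many keypad digits to collect
    operator: str        # username the captured code is attributed to


# Hypothetical two-line script; the real bot offers several selectable scripts.
SCRIPTS = {
    "bank": [
        "Hello {victim_name}, this is the {business_name} security team. "
        "We detected a suspicious login. Press 1 to secure your account.",
        "Please enter the {otp_length}-digit code we just sent to your phone.",
    ],
}


@dataclass
class CallResult:
    status: str                          # hung_up_voicemail | no_press_1 | incomplete | captured
    prompts: List[str] = field(default_factory=list)
    captured_code: Optional[str] = None
    operator: Optional[str] = None


def run_call(cfg: CallConfig, script: List[str], keypad: str,
             voicemail: bool = False) -> CallResult:
    """Simulate one call.

    `keypad` is the sequence of digits the callee presses, in order.
    `voicemail` models the call being answered by voicemail: the bot hangs
    up without playing the script (voicemail detection).
    """
    result = CallResult(status="incomplete", operator=cfg.operator)
    if voicemail:
        result.status = "hung_up_voicemail"
        return result

    fill = dict(victim_name=cfg.victim_name, business_name=cfg.business_name,
                otp_length=cfg.otp_length)
    rendered = [line.format(**fill) for line in script]   # intro, then code request

    # Gate: the script only continues if the callee presses 1.
    result.prompts.append(rendered[0])
    if not keypad.startswith("1"):
        result.status = "no_press_1"
        return result

    # Collect exactly otp_length digits after the gate; stop on anything else.
    result.prompts.append(rendered[1])
    digits = ""
    for ch in keypad[1:]:
        if not ch.isdigit():
            break
        digits += ch
        if len(digits) == cfg.otp_length:
            break
    if len(digits) < cfg.otp_length:
        return result          # callee hung up or stopped typing
    result.captured_code = digits
    result.status = "captured"
    return result


def code_success_line(res: CallResult) -> str:
    """Format the outcome the way a #code-success style channel would: the
    code is tagged with the operator username so it is clear whose session it is."""
    if res.status != "captured":
        return f"[{res.operator}] no code: {res.status}"
    return f"[{res.operator}] OTP {res.captured_code}"


if __name__ == "__main__":
    cfg = CallConfig("+15550100", "Alice", "Example Bank", 6, "operator42")
    for keys, vm in [("1483920", False), ("1483920", True), ("2", False), ("148", False)]:
        print(code_success_line(run_call(cfg, SCRIPTS["bank"], keys, voicemail=vm)))
```

The point of the model for defenders is that the only per-victim inputs the operator needs are a phone number, a name, a business name and the OTP length; everything else (voice, caller ID, script) is a reusable bot setting, which is why the service scales to an hourly rental.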
| Threat Actor Profiling | |
|---|---|
| Active since | March 2022 |
| Reputation | Low (multiple complaints and concerns on the forum) |
| History | Has an established history of selling combo lists and gaming configuration services. |
| Point of Contact | Telegram and Discord. The operators initially used Telegram to push daily updates about the bot; that group currently has 1,051 members but sees limited activity now that all active discussions take place on Discord. |
| Rating | C3 (C: Fairly reliable; 3: Possibly true) |