Apollo OTP Bot Exploiting Google Voice for MFA Bypass

Summary

Category: Malware Intelligence
Type/Family: Botnet
Industry: Finance & Banking
Region: Global
Source*: C3

Executive Summary

Threat
  • Apollo OTP bot advertised on the cybercrime forum.
  • Discord-based bot capable of making spoofed calls using Google Voice.

Impact
  • Captured OTP can be used to bypass 2FA and gain complete access to bank accounts.

Mitigation
  • Implement bot-detection technologies and algorithms.
  • Verify the legitimacy of the caller before giving away vital information.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a post on a cybercrime forum advertising the Apollo OTP Bot.
  • The bot service started operations on Telegram in March 2022 and has gained a large following among cybercriminals.
  • The bot provides the same features as the other bots on the market such as the Generaly OTP Bot. These include OTP stealing and using a legitimate infrastructure to conduct operations.
  • The bot makes use of various modules to facilitate services: targeting crypto apps, e-commerce stores, etc.
  • The actor has quoted a starting price of USD 20 per hour for the bot’s services.
The threat actor’s advertisement on the forum

Information from a Sensitive Source

A sensitive source in contact with the threat actor was able to obtain some bot samples from the actor, and has ascertained the following modus operandi:

Modus Operandi

  • The actor provides the victim’s information to the bot. In this case, the phone number is entered (using a bot command).
  • A custom script selected by the actor is used to guide the conversation. Multiple scripts are available for selection.
  • The actor will need to know the following:
    • Length of the OTP code
    • Victim’s name
    • Business name (used to masquerade as a legitimate business).
  • The bot impersonates a legitimate entity (bank, e-commerce store, etc.) by making a spoofed call from the toll-free customer care number to the intended target.
  • The victim is instructed to press ‘1’ on their mobile phone.
  • Once the victim trusts the bot and enters the OTP from the SMS, it is received by the bot.
  • The OTP is successfully captured and displayed on the screen of the Discord bot.

Features of the Bot

The bot is capable of performing the following operations:
  • Number spoofing - The victim sees a ‘No Caller ID’ text instead of a phone number.
  • Using a custom bot voice (Command example - /voice en-usJennyNeural).
  • Using different accents, another of the voice options offered by the bot operators.
  • Carrier checking (.carrier) - The bot sources and displays the following background information of the target number entered by the threat actor.
    • Telecom carrier’s name
    • Whether the number is fixed
    • Whether the number is ported
  • Conducting voice calls as any company (facilitated by Google Voice).
  • Voicemail detection - If a call made by the bot goes to voicemail, the call is disconnected.
  • International dialler
  • PGP bypass module (.call PGP) - It is used for calling the victim with a spoofed number and forwarding the call to the bot, without letting the victim know.
  • Recall module (.call recall) - To recall a number.
  • OTP Key (API Key) - Used to operate the bot. Keys are restocked and put on sale whenever an actor requires one.
  • CVV and PIN stealing modes, which pose threats to the Banking and Finance industry.
  • Targeting Google’s authorization mechanism (with command - /call mode gauth) - The bot calls the victim and requests them to enter the GAuth code which is transmitted to the attacker and used to gain access to the victim’s Google account.
  • Conducting bank transfers from the compromised accounts without raising any suspicion.
  • Conducting purchases on e-commerce sites. Multiple users vouching for the bot have provided evidence of this.
  • Launching attacks on the users of payment apps (such as PayPal, Venmo, Coinbase (crypto), Quadpay, etc.) by taking the victim’s account and the phone number associated with the account as input.
  • The bot also provides the services of SMS bombers and email logs.

Pricing Structure

  • The operators of the bot make use of various cybercrime forums to promote their offering. An instance of their advertisement was observed on a clearnet marketplace.
  • The following pricing structure has been provided by the operators.
Pricing structure of the Apollo Bot

Discord Infrastructure

The operators of the bot have a dedicated Discord server for asking queries and using the bot in real-time. The Discord server has 392 members, at the time of drafting this report. The server had the following channels:
  • #vouches - a dedicated channel for users to give their reviews of the bot. The high success rate of OTP hits has been vouched by multiple customers.
  • #support - a channel used by potential customers to open tickets for raising queries. The bot’s operator (a user named ‘donkey’) addresses these queries.
  • #redeem - a channel used by threat actors to gain access to the bot after paying for the purchase plan.
  • #code-success - a channel to display the captured OTP. To prevent confusion, the bot specifies the username of the user who was operating the bot at that particular time and to whom this stolen OTP is useful.

Threat Actor Activity and Rating

Threat Actor Profiling
  • Active since: March 2022
  • Reputation: Low (Multiple complaints and concerns on the forum)
  • Current Status: Active
  • History: Has a valid history of selling combo lists and gaming configuration services.
  • Point of Contact: Telegram and Discord. The operators had initially used Telegram as a medium to push daily updates about the bot. Currently, the group has 1,051 members. This group has limited activity, now that all active discussions take place on Discord.
  • Rating: C3 (C: Fairly reliable; 3: Possibly true)

Impact and Mitigation

Impact
  • The OTP captured by the bot can be misused to conduct withdrawals, maintain persistence, etc.
  • The bot can be used to bypass 2FA mechanisms and to gain complete access to online/bank accounts.

Mitigation
  • Implement bot-detection technologies and algorithms to prevent instances of automated fraud.
  • Create awareness against social engineering tactics.
  • Ask the right questions and verify the legitimacy of the individual that is calling, before giving away vital or sensitive information.

Appendix

Advertisements of the service on other cybercrime forums, where the threat actor has a high reputation, help to bring in more sales

User feedback for the Apollo bot

The #support channel for customers to open tickets or to address any queries

The #redeem channel is used by the threat actor to gain access to the bot, after paying for the purchase plan

The #code-success channel captures and displays the OTP code which was stolen

Point of contact for the Threat Actor

Prebuilt voices information

Instructions for the custom script usage

E-Commerce transaction of USD 1,700 performed using the bot’s OTP bypass function

An instance where the bot detected that the call went to voicemail, instead of being attended by a real human. The call duration lasted less than 1 second

Apollo bot commands

A screenshot of the activities conducted by the bot, during its operation

Advertising SMS bombers and email logs