Threat Exchange
https://fsiceat.tistory.com/
ko
Thu, 28 Nov 2024 05:58:01 +0900
TISTORY
100
Jack2
Threat Exchange
https://tistory1.daumcdn.net/tistory/2917223/attach/c67e0cf8105d4eb5b35c148cd70b4d78
https://fsiceat.tistory.com
-
Operation Cryptoforce
https://fsiceat.tistory.com/3
<p><b>Summary</b></p><p>Many PoS (Point-of-Sale) systems were compromised in South Korea. The attackers stole card information, specifically the track 2 data from magnetic-stripe cards.</p><p>The malware hooks a specific module (ksnetadsl.dll*) and extracts the track 2 data precisely, before it is encrypted for transmission. The attackers clearly understood the South Korean card payment process very well.</p><p>* ksnetadsl.dll: Encrypts the approval message and sends it to the VAN server to get confirmation from the card company.</p><p><b>Incident Flow</b></p><p style="text-align: center;"><img src="https://t1.daumcdn.net/cfile/tistory/99A6534E5B187D6F31" alt="Cryptoforce incident flow" width="900" height="397" /></p><p><b>IoCs</b></p><ul><li>944439b6693b0589ae73421c0a342d8a</li><li>203b1ceff471f8519d9df5a31243ed0d</li><li>8c9d5a122c18fe3b233b100f3990accf</li><li>badef8c801334aac6df6c41166791cf7</li><li>www.webkingston[.]com (89.33.246.102)</li><li>www.energydonate[.]com (81.95.5.179)</li><li>online-help.serveftp[.]com (81.95.5.179)</li></ul><p><b>YARA rules</b></p><pre>
rule BluenoroffPoS_DLL {
    meta:
        description = "hkp.dll"
    strings:
        $dll = "ksnetadsl.dll" ascii wide fullword nocase
        $exe = "xplatform.exe" ascii wide fullword nocase
        $agent = "Nimo Software HTTP Retriever 1.0" ascii wide nocase
        $log_file = "c:\\windows\\temp\\log.tmp" ascii wide nocase
        $base_addr = "%d-BaseAddr:0x%x" ascii wide nocase
        $func_addr = "%d-FuncAddr:0x%x" ascii wide nocase
        $HF_S = "HF-S(%d)" ascii wide
        $HF_T = "HF-T(%d)" ascii wide
    condition:
        5 of them
}

rule BluenoroffPoS_Substitution {
    strings:
        // 6A 25 = push 0x25 ('%'), followed by an 83 /r ib instruction with imm8 0xF0
        $cardinfo_parsing = { 6A 25 83 ?? F0 }
        // ASCII "ZCKO" .. "ADBL" .. "NX" .. "Y" separated by fixed-length jumps
        $subs_table = { 5A 43 4B 4F [6] 41 44 42 4C [7] 4E 58 [6] 59 }
    condition:
        all of them
}
</pre><p><b>Related Threat Actor</b></p><p>Bluenoroff</p><p><b>Related Report</b></p><p><a href="https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new" target="_blank">https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new</a></p><p><b>Special Thanks to</b> <a href="https://twitter.com/darienhuss" target="_blank"><b>Darien</b></a></p>
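What the hooked VAN module hands the attacker is plaintext track 2 data. The following is an added example, not code from the FSI CEAT post or from the malware: a small Python scanner that finds track 2 records in a byte buffer (a process memory dump, or a dropped file such as the log.tmp path named in the YARA rule above), filters them through the Luhn check to drop random digit runs, and reports them with the PAN masked. The sample buffer is constructed, the card numbers in it are well-known test PANs, and the regex and function names are this example's own assumptions. Sentinels (';' and '?') are frequently absent in memory, so the pattern treats them as optional.

```python
"""Scan a byte buffer for magnetic-stripe track 2 data.

Added example for the Operation Cryptoforce post (not FSI CEAT's code).
It mirrors what a PoS RAM scraper looks for, and what a DFIR analyst
can hunt for in a memory dump or in a file dropped by the malware.
All card numbers below are well-known test PANs, not real cards.
"""
import re
from dataclasses import dataclass

# Track 2 layout (ISO/IEC 7813): [;]PAN=YYMM SSS discretionary [?]
# PAN is 13-19 digits, expiry YYMM, service code SSS (3 digits).
TRACK2_RE = re.compile(
    rb";?(?P<pan>[0-9]{13,19})="
    rb"(?P<yy>[0-9]{2})(?P<mm>0[1-9]|1[0-2])"
    rb"(?P<svc>[0-9]{3})"
    rb"(?P<disc>[0-9]{0,24})\??"
)


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry: str          # "YYMM"
    service_code: str
    discretionary: str
    offset: int          # byte offset of the record in the buffer


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit; drops most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:       # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_track2(buf: bytes) -> list[Track2]:
    """Return Luhn-valid track 2 records found in buf, in buffer order."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode()
        if not luhn_ok(pan):
            continue
        hits.append(Track2(
            pan=pan,
            expiry=(m.group("yy") + m.group("mm")).decode(),
            service_code=m.group("svc").decode(),
            discretionary=m.group("disc").decode(),
            offset=m.start(),
        ))
    return hits


def mask_pan(pan: str) -> str:
    """PCI-style masking for reports: keep first 6 and last 4 digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample buffer: two valid records (one with sentinels, one
# without), a Luhn-failing decoy, and a digit run that is not track 2.
SAMPLE_DUMP = (
    b"\x00\x00APPROVAL REQ\x00"
    b";4111111111111111=25121011234567890?"
    b"\x00\x00garbage 4111111111111112=2512101000?\x00"
    b"5555555555554444=2706201123456\x00"
    b"timestamp=20180605\x00"
)

if __name__ == "__main__":
    for t in scan_track2(SAMPLE_DUMP):
        print(f"offset {t.offset:#06x}: PAN {mask_pan(t.pan)} "
              f"exp {t.expiry} svc {t.service_code}")
```

Run against a real dump, expect false positives from long numeric IDs that happen to pass Luhn; the service code and a plausible expiry are the usual second filter, and any hit should be handled as cardholder data (masked in tickets, never pasted into chat).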
Threat Intelligence
cryptoforce
Unknown user
https://fsiceat.tistory.com/3
https://fsiceat.tistory.com/3#entry3comment
Thu, 7 Jun 2018 08:27:33 +0900
-
[English Version] Campaign RIFLE : Andariel, The Maiden of Anguish
https://fsiceat.tistory.com/2
<p style="text-align: center;"><img src="https://t1.daumcdn.net/cfile/tistory/99582A385B1640ED29" alt="Campaign RIFLE: Andariel" width="900" height="139" /></p><p style="text-align: center;"><b>English version</b> of the threat intelligence report "Campaign RIFLE"</p><p style="text-align: center;"><b>Special thanks to <a href="https://www.group-ib.com/" target="_blank">Group-IB</a></b></p><p style="text-align: center;"><a href="https://t1.daumcdn.net/cfile/tistory/99D10D345B16402814">FSEC Korea RIFLE.docx</a></p>
Threat Intelligence
rifle
threatintelligence
Unknown user
https://fsiceat.tistory.com/2
https://fsiceat.tistory.com/2#entry2comment
Tue, 5 Jun 2018 16:48:37 +0900
-
Threat Intelligence Cheat Sheet for Attribution
https://fsiceat.tistory.com/1
<p style="text-align: center;">Threat Intelligence Cheat Sheet for Attribution</p><p style="text-align: center;">Any feedback is <b>WELCOME</b>!</p><p style="text-align: center;"><img src="https://t1.daumcdn.net/cfile/tistory/9947F4435B19EC291C" alt="Threat Intelligence Cheat Sheet for Attribution" width="900" height="506" /></p>
Threat Intelligence
threatintelligence
Unknown user
https://fsiceat.tistory.com/1
https://fsiceat.tistory.com/1#entry1comment
Tue, 5 Jun 2018 11:38:10 +0900