Summary
Many PoS (Point-of-Sale) systems were compromised in South Korea. The attackers stole card information, specifically track 2 data from the magnetic stripe.
The malware hooks a specific module (ksnetadsl.dll*) and extracts track 2 data precisely from the approval message before it is encrypted. The attackers clearly already had a detailed understanding of the South Korean card payment process.
* ksnetadsl.dll: encrypts the approval message and sends it to the VAN server to obtain confirmation from the card company.
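To make concrete what "track 2 data" is and why a hook placed before encryption yields it in clear text, here is an added example (not code from the original post or from the malware) that parses ISO/IEC 7813 track 2 records and scans a constructed memory-dump-like buffer for them, the same kind of check an incident responder would run over a PoS process dump to confirm card data was exposed. The sample record uses a well-known test PAN (4111111111111111) and constructed expiry, service code and discretionary data; the KSNET-like text around it is likewise constructed, not a captured message.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ISO/IEC 7813 track 2 in the ASCII form a reader hands to application software:
#   ';' start sentinel, PAN (12-19 digits), '=' field separator, YYMM expiry,
#   3-digit service code, discretionary data (PVKI/PVV/CVV etc.), '?' end sentinel.
# The LRC that follows on the physical stripe is normally stripped by the reader,
# so it is not matched here.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)

# Maximum track 2 length including both sentinels (ISO/IEC 7813).
TRACK2_MAX_LEN = 40


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str

    def masked_pan(self) -> str:
        """First six (BIN) and last four digits, the form PCI DSS allows for display."""
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check digit validation; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _from_match(m: "re.Match[str]") -> Optional[Track2]:
    # Reject records that are too long for a real stripe or whose PAN fails Luhn:
    # both are the usual false positives when scanning arbitrary process memory.
    if len(m.group(0)) > TRACK2_MAX_LEN or not luhn_ok(m.group("pan")):
        return None
    return Track2(m.group("pan"), m.group("exp"), m.group("svc"), m.group("disc"))


def parse_track2(s: str) -> Optional[Track2]:
    """Parse a single track 2 string; None if malformed or Luhn-invalid."""
    m = TRACK2_RE.fullmatch(s.strip())
    return _from_match(m) if m else None


def find_track2(buf: bytes) -> List[Track2]:
    """Scan a raw buffer (e.g. a process memory dump) for valid track 2 records."""
    text = buf.decode("latin-1")   # byte-preserving decode, no decode errors
    found = []
    for m in TRACK2_RE.finditer(text):
        rec = _from_match(m)
        if rec is not None:
            found.append(rec)
    return found


# Constructed sample: junk bytes, a constructed approval-message fragment, one valid
# track 2 record, and one decoy whose PAN fails the Luhn check.
SAMPLE_DUMP = (
    b"\x00\x00\x10approval-msg\x00"
    b";4111111111111111=2512101123456789?\x00\x00"
    b";4111111111111112=2512101999?\x00"
    b"\xff\xff"
)

if __name__ == "__main__":
    for rec in find_track2(SAMPLE_DUMP):
        # Never print the full PAN from a real dump; log the masked form.
        print(rec.masked_pan(), rec.expiry_yymm, rec.service_code)
```

Run against a real dump, the masked PAN plus expiry is enough to confirm exposure and notify the card brands without re-exposing the full number in your own case notes.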
Incident Flow
IoCs
944439b6693b0589ae73421c0a342d8a
203b1ceff471f8519d9df5a31243ed0d
8c9d5a122c18fe3b233b100f3990accf
badef8c801334aac6df6c41166791cf7
www.webkingston[.]com (89.33.246.102)
www.energydonate[.]com (81.95.5.179)
online-help.serveftp[.]com (81.95.5.179)
YARA rules
rule BluenoroffPoS_DLL {
    meta:
        description = "hkp.dll"
    strings:
        $dll = "ksnetadsl.dll" ascii wide fullword nocase
        $exe = "xplatform.exe" ascii wide fullword nocase
        $agent = "Nimo Software HTTP Retriever 1.0" ascii wide nocase
        $log_file = "c:\\windows\\temp\\log.tmp" ascii wide nocase
        $base_addr = "%d-BaseAddr:0x%x" ascii wide nocase
        $func_addr = "%d-FuncAddr:0x%x" ascii wide nocase
        $HF_S = "HF-S(%d)" ascii wide
        $HF_T = "HF-T(%d)" ascii wide
    condition:
        5 of them
}

rule BluenoroffPoS_Substitution {
    strings:
        $cardinfo_parsing = { 6A 25 83 ?? F0 }
        $subs_table = { 5A 43 4B 4F [6] 41 44 42 4C [7] 4E 58 [6] 59 }
    condition:
        all of them
}
Related Threat Actor
Bluenoroff
Related Report
https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new
Special Thanks to Darien