Voice Phishing Syndicates Unmasked: An In-Depth Investigation and Exposure
Sojun Ryu (S2W Inc.), Yeongjae Shin (Ex-S2W Inc.)
#BHASIA BlackHatEvents

Agenda
1. Background
2. Overview
3. Attack infrastructure provided as SaaS
4. SecretCalls
5. Automation

Speakers

So-jun Ryu
Lead of Threat Analysis Team, S2W
- Tracking major ransomware and APT attack groups and identifying their TTPs
- Interested in and passionate about reverse engineering, threat intelligence, and incident response
Career: Oct 2020 onward: Threat Analysis Team, S2W TALON; Dec 2013 to Oct 2020: KrCERT/CC, KISA
Speaker at FIRSTCON, FIRST CTI, Virus Bulletin, ISCR, DCC
Social: hypen1117

Yeong-jae Shin
Researcher, SRE Squad at Goorm
- Observability research and threat analysis on cloud-native
- Analysis of threat actors on cloud-delivered infrastructure
- Compliance
Career: Nov 2023 onward: SRE Squad at Goorm; Mar 2022 to Nov 2023: Threat Analysis Team, S2W TALON
Speaker at SIS, Virus Bulletin
Social: Facebook profile, LinkedIn profile

1. Background
- An extension of "When Voice Phishing met Malicious Android App", presented at Black Hat Asia in 2019
- Voice phishing is a social engineering attack over the phone
- Discovered in the 2000s; in South Korea it has been going on since 2006 and continues today
- The main goal is to extort money from the victims
- With native South Koreans now occupying key positions, the attack scenarios are becoming sophisticated

1. Background - Statistics for voice phishing victimization (Source: Financial Supervisory Service; unit: 100M KRW, about 75K USD)
Year | Damage amount | Number of victims | Damage per victim
2019 | 6,720 | 50,372 | 0.133
2020 | 2,353 | 18,265 | 0.129
2021 | 1,682 | 13,213 | 0.127
2022 | 1,451 | 12,816 | 0.113
2023 | 1,965 | 11,503 | 0.171
Fewer victims, but the damage per victim has increased.

1. Background - 2023 types of voice phishing (Source: Financial Supervisory Service; damage in 100M KRW)
Type | 2021 | 2022 | 2023
Messenger phishing | 991 | 927 | 662
Loan for repayment | 521 | 311 | 692
Impersonation of institutions | 170 | 213 | 611
- The share of "Loan for repayment" has approximately doubled (x2)
- The share of "Impersonation of institutions" has approximately tripled (x3)

2. Overview - Group structure (Source: Seoul Eastern District Prosecutors' Office)
Name: Minjun's group (named after the director)
December 2017 to December 2021 (5 years); 60 members; 560 victims; 10.8 billion KRW
- Director / Deputy director: recruitment and directing
- IT department (probably cooperated with outside providers): SIM-box/phones, personal information, malicious apps, VoIP
- Call center: call centers are in competition with each other
- Moving funds: money withdrawal, currency exchange
- Bank account: burner bank accounts
- Money laundering

2. Overview - Phishing theme: Impersonation
- Impersonation-themed dispatch of case documents
- Case documents sent by registered mail
Deception methods:
- "Your account was used for criminal activities; an investigation is required"
- Downloading an app to proceed with the investigation procedures
[Example: case documents in the name of the Seoul Central District Prosecutors' Office, sent by registered mail but returned, showing a case number, the plaintiff's name and the attacker's number]

2. Overview - Phishing theme: Loans for repayment
- Coronavirus-themed government loans/funds
- Emergency livelihood support
- Government-backed low-interest refinancing
Deception methods:
- Demanding money to boost the credit rating via transactions
- Downloading a loan app for contactless lending
[Example smishing message under an internet bank's name: "The last loan of 2021 for low-income. You've been selected for a special offer. Limit: 10M to 200M KRW, interest: 1.3% to 3.0%", first come first served, with a contact number and operating hours for consultation. For comparison, the interest on the speaker's own loan at the time was 6.0%]

2. Overview - Attack scenarios (Scam/Extortion)
- Loans for repayment: Smishing/Call -> Introduce a loan -> Demand a fine/fee
- Impersonation: Smishing/Call -> Threaten with involvement in a crime -> Induce the victim to access a fake site -> Show fake official documents -> Demand money for investigation/protection
- Impersonation using APK (Case 1): Smishing/Call -> Disguise as an investigator via a 2nd call/messenger -> Induce the victim to install an APK via IP/attachment -> Trick the victim using call forwarding -> Demand money for investigation/protection
- Impersonation using APK (Case 2): Smishing/Call -> Threaten with involvement in a crime -> Induce the victim to access a fake site -> Show fake official documents -> Induce the victim to install an APK via IP -> Trick the victim using call forwarding -> Demand money for investigation/protection

2. Overview - Attack scenarios, step by step (Source: Financial Supervisory Service, YTN)
1. Introduce themselves as an investigator
2. Disclose criminal arrests
3. Claim a passbook/ID in your name was obtained on site
4. Ask whether you are a victim or an accomplice
5. Request that you verify official documents for the investigation
6. Request access to a portal site
7. Mention the embargo
8. Encourage access to a specific IP address

3. Attack infrastructure provided as SaaS
Provider (phishing site / APKs) <-> Voice phishing operator groups <-> Targets
1. Pay
2. Give control over the infrastructure
3. Attack with the site/APK
4. Control infected devices

3. Infrastructure - Fake Supreme Prosecutors' Office sites
spo.go.kr (real) vs. 114.44.203.96 (Provider A), 114.43.215.82 (Provider B), 156.247.15.245 (Provider C)
- Disguised as the Supreme Prosecutors' Office website
- Built as completely identical sites
- 3 providers support this theme
- Redirects to a fake page for querying incidents
- Scenario: Impersonation / Impersonation using APK (Case 2)

3. Infrastructure - Providers
Provider A: 114.44.203.96, AS 3462; fake documents: official letter, seizure & search & arrest warrant; APK family: SecretCalls; fake sites: (Seoul), (Supreme)
Provider B: 114.43.215.82, AS 3462; fake documents: official letter, bank statement, non-disclosure agreement, arrest warrant; APK family: SyncCalls; fake site: (South)
Provider C: 156.247.15.245, AS 133199; fake documents: official letter, arrest warrant, bank statement; APK family: MalCalls; fake site: (Supreme)

3. Infrastructure - Fake documents
- Official letter (Providers A, B, C): former Prosecutor General's official seal; name of the prosecutors' office with case number, target's name, severity, date, registrant
- Arrest warrant (Providers A, B, C): arrest warrant for financial crimes issued by a Korean court with the target's name & registration number; fake account number, detention center & period
- Transaction history inquiry form (Providers B, C): inspector, verifier, recipient; account number (suspended) & inquiry period
- Non-disclosure agreement (Provider B): Attorney General, case director, legal officer, investigator's seal

3. Infrastructure - Malicious APKs
"Pole-AntiSpy": the disguise used by SecretCalls (Provider A), MalCalls (Provider C) and SyncCalls (Provider B)
Provider A, 114.44.203.60: fake copy of the Police "cybercop" site next to the real one
Provider A, 114.44.203.238: fake copy of the "Phishing Eyes" site next to the real one

4. SecretCalls
Average damage per attack in 2019 (Source: Board of Audit and Inspection of Korea; unit: 100M KRW, about 75K USD)
- Average damage of all attacks: 0.13
- Average damage of attacks when APKs are used: 1.45 (about x10)

4. SecretCalls - Common VP actions
- Data theft (photos, privacy)
- Surveillance
- Call redirect

4. SecretCalls - Overview
C&C with FCM; Surveillance; Reddit profile; Network behavior; File structure; Anti-decompile; Encrypted class file; Call forwarding
4. SecretCalls - Overview of VP groups
Num | Family | Disguised as | DEX filename | Library (.so) filename | DEX decryption method | C&C address location | C&C endpoint or query
1 | SecretCalls | Police, Anti-virus, Banking | secret-classes{Num}.dex, kill-classes{Num}.dex, black-classes{Num}.dex | libdn_ssl.so, libbbed.so, libset.so | AES-128-ECB | Hardcoded in DEX, hardcoded in lib, fetched from a Reddit post | postVal=data, atimestamp=data
2 | MalCalls | Banking, Police, Anti-virus, Agency, E-commerce | obfdex{Num}.dex, obk{Num}.dex | libbaiduprotect_sec_jni.so | AES-256-ECB | Google Drive | /api/user/ping_server, /api/user/get_extra_message, /api/user/get_limit_phone_number
3 | SyncCalls | Police, Prosecutors' offices | classes.dex, yclasses.dex | libdex1.so, libdevaxfo.so | AES-128-ECB | Hardcoded in DEX | /spy/Sync?imei=, /spy/SyncConfig?imei=
4 | RcCalls | Banking | classes1.dex | libopenssl.so | AES-128-ECB | Hardcoded in DEX | WebSocket
5 | KKvoice | Banking, Anti-virus | lpt{Num}.obfdex | (none) | Base64 + XOR | Hardcoded in DEX | /api/random/signal/random, WebSocket

4. SecretCalls - Anti-decompile
Two fields of the ZIP file header are tampered with so that decompilers reject the APK:
1. Compression method: frCompression = 17185 is not a valid method; we can fix it to 8 (Deflate)
2. Timestamp: frFileDate is not so far from now (07/04/2024 in the sample)
Use open-source tooling (mins4416), or fix the header manually.

4. SecretCalls - File structure
1st stage: Loader; 2nd stage: SecretCalls. Three layouts were observed:
(1) SecretCalls Loader carries SecretCalls as a raw *.apk and the phishing resources as *.sz (a zip, pw: slal18sha)
(2) SecretCalls Loader carries SecretCalls as *.sz (a zip, split into parts; pw: slal18sha) and the phishing resources raw in assets
(3) SecretCalls Loader carries SecretCalls as a raw *.apk and the phishing resources raw
*slal18sha is Korean profanity.
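The two header repairs from the anti-decompile slides, as an added example that is not the presenters' tooling: a Python script that walks an APK's ZIP central directory, reports and repairs an invalid compression method (reset to 8, Deflate) and a modification timestamp that is invalid or in the future, in both the central directory and the local file header of every entry, and then confirms that the standard zipfile module can extract the entry again. The sample archive is constructed in the script and damaged the same way; the values 17185 and 2099-07-04 are stand-ins for what the slide shows, and the DEX-looking contents are placeholders, not real samples.

```python
import io
import struct
import zipfile
from datetime import datetime

CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
STORED, DEFLATE = 0, 8
DOS_EPOCH = (0, (1 << 5) | 1)          # (time, date) fields for 1980-01-01 00:00:00


def _entries(data):
    """Yield (central_header_offset, local_header_offset) for every entry by
    walking the central directory from the end-of-central-directory record."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("central directory corrupt at offset %d" % pos)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local = struct.unpack_from("<I", data, pos + 42)[0]
        yield pos, local
        pos += 46 + name_len + extra_len + comment_len


def _dos_datetime(mtime, mdate):
    """Decode a DOS time/date pair; None if the fields do not form a real date."""
    try:
        return datetime(1980 + (mdate >> 9), (mdate >> 5) & 0xF, mdate & 0x1F,
                        mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2)
    except ValueError:
        return None


def fix_zip_headers(data, now=None):
    """Return (repaired_bytes, findings). Method and timestamp are checked in the
    central directory (method at +10, time/date at +12) and in the local file
    header (method at +8, time/date at +10) of every entry."""
    now = now or datetime.now()
    buf = bytearray(data)
    findings = []
    for cd, lf in _entries(data):
        name_len = struct.unpack_from("<H", data, cd + 28)[0]
        name = data[cd + 46:cd + 46 + name_len].decode("utf-8", "replace")
        for where, off in (("central", cd + 10), ("local", lf + 8)):
            method = struct.unpack_from("<H", buf, off)[0]
            if method not in (STORED, DEFLATE):
                findings.append("%s: %s compression method %d is invalid, set to %d"
                                % (name, where, method, DEFLATE))
                struct.pack_into("<H", buf, off, DEFLATE)
        for where, off in (("central", cd + 12), ("local", lf + 10)):
            mtime, mdate = struct.unpack_from("<HH", buf, off)
            stamp = _dos_datetime(mtime, mdate)
            if stamp is None or stamp > now:
                findings.append("%s: %s timestamp %s is invalid or in the future, reset"
                                % (name, where, stamp))
                struct.pack_into("<HH", buf, off, *DOS_EPOCH)
    return bytes(buf), findings


def can_extract(data, name):
    """True if the stock zipfile module can decompress `name` from `data`."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            z.read(name)
        return True
    except (NotImplementedError, zipfile.BadZipFile):
        return False


def build_tampered_sample():
    """Constructed sample, not a real loader: a small deflated archive whose
    headers are then damaged the way the slide shows (method 17185, far-future
    date) in both the central directory and the local headers."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"A" * 64)
        z.writestr("assets/secret-classes.dex", b"ciphertext placeholder")
    buf = bytearray(mem.getvalue())
    future = ((2099 - 1980) << 9) | (7 << 5) | 4      # DOS date for 2099-07-04
    for cd, lf in _entries(bytes(buf)):
        struct.pack_into("<H", buf, cd + 10, 17185)
        struct.pack_into("<H", buf, lf + 8, 17185)
        struct.pack_into("<H", buf, cd + 14, future)
        struct.pack_into("<H", buf, lf + 12, future)
    return bytes(buf)


if __name__ == "__main__":
    tampered = build_tampered_sample()
    repaired, findings = fix_zip_headers(tampered)
    for line in findings:
        print(line)
    print("extractable before:", can_extract(tampered, "classes.dex"))
    print("extractable after: ", can_extract(repaired, "classes.dex"))
```

Both copies of each field have to be patched: tools that trust the central directory and tools that trust the local header disagree otherwise, which is exactly the kind of mismatch that makes one decompiler open the file and another refuse it. Only `0` (stored) and `8` (deflate) are treated as legitimate here because those are the methods an APK may use; anything else is treated as tampering.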
4. SecretCalls - Encrypted class file
- A component of each app (Loader and SecretCalls)
- Holds the key elements of the malicious activity
- Decrypted and loaded in memory at runtime
- Has changed to three different names: secret-classes.dex, kill-classes.dex, balck-classes.dex
Timeline: 2021.01 1st secret-classes.dex -> 2023.04 kill-classes.dex -> 2023.10 Balck-classes.dex -> now 2nd Secret-classes.dex

Where the decryption key is stored:
Variant | Encrypted class file | Decryption key stored in | Native library (.so) name
1st Secret | secret-classes.dex | Native library and AndroidManifest.xml | libfirebase.so
Kill | kill-classes.dex | Native library | libset.so, libbbes.so
Balck | balck-classes.dex | AndroidManifest.xml | (no library used)
2nd Secret | secret-classes.dex | Native library | libdn_ssl.so, libbbed.so

Keys:
Variant | Key to decrypt the class file (AES-128/ECB only) | Key to decrypt the extra C&C (AES-128/CBC only)
1st Secret | dbcdcfghijklmaop | rb!nBwXv4C%Gr84 (KEY), 1234567812345678 (IV)
Kill, Balck | xxxxefgaxxdeccccdasdefvvvxxxxyyy (two keys run together in extraction) | -
2nd Secret | dbcdcfghijklmaop | PY06RguZ68k2as6v (KEY), 1862971933292829 (IV)

4. SecretCalls - Network behavior (protocol)
Client <-> Server over WebSocket + HTTP

4. SecretCalls - Network behavior (requests)
- App ID (key value) and device information
- atimestamp=<payload with encryption> (old); postVal=<payload with encryption>
Type | Behavior | Endpoint
2 | Send device status | http://<C&C ip>/A3bh3/Vdc5
3 | Extort new message | http://<C&C ip>/bC4d/v8N/Sop40...
(type number garbled) | Send audio, image files | http://<C&C ip>/a/bcF4c/Bdcm/.../vvbg
Type 3 endpoint pattern: http://<C&C ip>/bC4d/v8N/Sop40 followed by [a-zA-Z0-9]{1,5} and "*3" (regex delimiters partly lost in extraction)

4. SecretCalls - Network behavior (response)
Server -> Client: configuration for the malicious behavior (e.g., call forwarding):
- Phone numbers for call redirection
- Number list for call blocking
- Image upload server
- Reddit profile from which to get the extra C&C
- Mode of Juphoon for surveillance
- Server status

4. SecretCalls - Call redirection
- Attacker's number (pno): the original call is canceled and a new call is created; it may be difficult to notice
- Fake view: the user sees a fake screen overlaid on top of the new call screen, e.g. "KB bank at Sanbon street" (name) with the real number of KB bank (fno)

4. SecretCalls - Extra C&C
- The C&C published on the Reddit profile changes irregularly
- Username on Reddit: *1A2B3C*; encrypted extra C&C address: *4D5E6F* (example values)
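The two decryption steps from the "Encrypted class file" and "Extra C&C" slides above, as one added example that is not the presenters' code: decrypting the encrypted class file with the class-file key (AES-128-ECB) and the extra C&C string with the C&C key and IV (AES-128-CBC), using the 2nd "Secret" variant's values from the key table. Because this has to run offline with only the standard library, AES-128 is implemented inline (a compact textbook implementation; the verification checks it against the FIPS-197 test vector); for real work use pycryptodome or cryptography. Assumptions not on the slide: PKCS#7 padding, raw ciphertext bytes (the slide does not show whether the Reddit username carries the ciphertext hex- or base64-encoded, so no such wrapper is handled), and the DEX-magic check as a cheap way to tell a wrong key or variant from a good one. The two sample ciphertexts are constructed in the script with those keys; they are not taken from real samples.

```python
import functools, operator

def _build_sbox():  # Rijndael S-box: GF(2^8) inverse, then the affine map
    sbox, p, q = [0x63] + [0] * 255, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= (q << 1) & 0xFF; q ^= (q << 2) & 0xFF; q ^= (q << 4) & 0xFF
        q ^= 0x09 if q & 0x80 else 0                            # q /= 3, so p * q == 1
        rots = (((q << k) | (q >> (8 - k))) & 0xFF for k in range(1, 5))
        sbox[p] = functools.reduce(operator.xor, rots, q ^ 0x63)
        if p == 1:
            return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]

def _gmul(a, b):  # multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

def _expand_key(key):  # AES-128 key schedule: eleven 16-byte round keys
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _shift_rows(s, inv=False):  # state byte index = 4 * column + row
    return [s[4 * (((c - r) if inv else (c + r)) % 4) + r] for c in range(4) for r in range(4)]

_MIX = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))
_INV_MIX = ((14, 11, 13, 9), (9, 14, 11, 13), (13, 9, 14, 11), (11, 13, 9, 14))

def _mix_columns(s, m):
    return [functools.reduce(operator.xor, (_gmul(b, k) for k, b in zip(row, s[4 * c:4 * c + 4])))
            for c in range(4) for row in m]

def _add(s, k):
    return [a ^ b for a, b in zip(s, k)]

def encrypt_block(rk, block):
    s = _add(block, rk[0])
    for rnd in range(1, 11):
        s = _shift_rows([SBOX[b] for b in s])
        s = _add(_mix_columns(s, _MIX) if rnd < 10 else s, rk[rnd])
    return bytes(s)

def decrypt_block(rk, block):
    s = _add(block, rk[10])
    for rnd in range(9, -1, -1):
        s = _add([INV_SBOX[b] for b in _shift_rows(s, inv=True)], rk[rnd])
        s = _mix_columns(s, _INV_MIX) if rnd else s
    return bytes(s)

def aes_crypt(key, data, iv=None, decrypt=False):
    """ECB when iv is None, CBC otherwise; PKCS#7 padding (assumed, not on the slide)."""
    if decrypt and (not data or len(data) % 16):
        raise ValueError("ciphertext length is not a positive multiple of 16")
    data = data if decrypt else data + bytes([16 - len(data) % 16]) * (16 - len(data) % 16)
    rk, prev, out = _expand_key(key), iv, []
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        if decrypt:
            out.append(bytes(_add(decrypt_block(rk, blk), prev)) if iv else decrypt_block(rk, blk))
            prev = blk
        else:
            prev = encrypt_block(rk, _add(blk, prev) if iv else blk)
            out.append(prev)
    res = b"".join(out)
    if decrypt and not (1 <= res[-1] <= 16 and res.endswith(bytes([res[-1]]) * res[-1])):
        raise ValueError("bad PKCS#7 padding: wrong key, IV or variant?")
    return res[:-res[-1]] if decrypt else res

# Values from the slide (2nd "Secret" variant of SecretCalls)
DEX_KEY = b"dbcdcfghijklmaop"                                   # class file, AES-128-ECB
C2_KEY, C2_IV = b"PY06RguZ68k2as6v", b"1862971933292829"        # extra C&C, AES-128-CBC

def decrypt_class_file(blob, key=DEX_KEY):  # a genuine result starts with the DEX magic
    dex = aes_crypt(key, blob, decrypt=True)
    if not dex.startswith(b"dex\n"):
        raise ValueError("not a DEX after decryption: wrong key or variant")
    return dex

def decrypt_extra_c2(blob, key=C2_KEY, iv=C2_IV):  # the string read from the Reddit profile
    return aes_crypt(key, blob, iv=iv, decrypt=True).decode()

# Constructed inputs (not real samples): produced here with the slide's keys
SAMPLE_DEX = aes_crypt(DEX_KEY, b"dex\n035\x00" + bytes(32))
SAMPLE_C2 = aes_crypt(C2_KEY, b"http://203.0.113.7:8080", iv=C2_IV)
```

Because ECB has no IV, the class-file key alone is enough to decrypt any sample of a variant once it has been pulled from the native library or the manifest; the CBC IV for the extra C&C is likewise a fixed constant on the slide, so the same two-line call decrypts every Reddit-published address of that variant. A padding error or a missing DEX magic is the practical signal that the sample belongs to a different variant (different key) rather than a corrupt file.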
4. SecretCalls - FCM
1. Send token
2. Get token from C&C
3. Send command using FCM with the token
4. Forward command
5. Send results

4. SecretCalls - Surveillance
1. Send ID
2. Get ID from C&C
3. Login to the remote app using the ID
4. Request API server
5. Create session
Custom app for surveillance: Login; Eavesdropping; Camera; Input Juphoon ID (error); Input user ID (error); "Eavesdropping fail! Check your ID"

5. Automation - Statistics
- Collected loaders: 64,000+ (including SecretCalls, it doubles)
- Classified into 15+ targets (themes)
[Pie chart: Korean National Police Agency, Phishing Eyes, Banks, Others (e-commerce, courier services, video player, ...); values on the chart: 33,274, 11,383, 8,588, 11,200]

5. Automation - Conclusion
So, we analyzed over 99 percent of the APKs automatically.
- C&C servers: 130+; most are placed in HK, JP, KR and SG: Hong Kong (70+), Japan (50+), Singapore (5+), South Korea (5+), United States (1), India (1)
- Malicious phone numbers: 15+; about 10% of them (2) were Chinese, not Korean (130, 156: China Unicom prefixes)

Takeaways
- With cases of impersonation of institutions on the rise, it is important to monitor and block their phishing sites
- IoCs alone may not be enough; their attack scenarios need to be understood and disseminated
- Their infrastructure needs to be tracked by extracting key information immediately through automation

Takeaway - IoCs: Phishing sites
Provider A: 114.44.203.96, 114.41.74.75, 111.253.228.97, 111.253.207.49, 61.223.147.45, 61.223.140.235
Provider B: 114.44.215.128, 114.44.215.163, 114.43.215.82, 114.43.215.197, 114.43.212.118, 114.43.195.191
Provider C: 156.247.15.245, 208.87.202.44, 45.207.51.254, 45.207.51.229, 45.207.54.115, 45.207.54.114

Takeaway - IoCs: Provider A phishing sites by theme
Phishing Eyes | Supreme Prosecutor | Consumer Agency
114.41.64.218 | 111.253.216.161 | 111.253.215.49
111.253.198.50 | 111.253.220.43 | 61.223.157.84
111.253.200.198 | 111.253.246.44 | 114.41.75.234
111.253.238.95 | 111.253.247.9 | 114.41.79.203
61.223.143.191 | 61.223.129.229 | 114.41.80.221
61.223.139.252 | 114.41.76.156 | 114.47.71.228

Takeaway - IoCs: Provider A - SecretCalls (cell boundaries reconstructed from hash and address lengths)
Hash | Reddit profile | C&C
99dbb222c7096c3bd759bbd49799523e | Free-Breakfast-9220 | 43.202.65.81
0096dbf7aae99f71adaed0a05fd50bb8 | WesternMastodon5235 | 154.19.69.67
d459471e7e64ba61e6592557f8d190e3 | No_Double2876 | 38.181.2.17
305148cfd2598d04ec3afe84271e49f8 | Legitimate_Peanut139 | 27.56.36.70
29d371239a57796983ce1dc639c3e40e | CourseComfortable340 | 103.73.161.210
fd52ae1f3164deb1c9e1439b479c6bb5 | Then-Lie-3539 | 103.97.178.69

Takeaway - IoCs: Provider A - SecretCalls C&C
27.124.36.74, 38.181.2.49, 137.220.245.14, 149.104.49.43, 38.181.2.83, 137.220.245.18, 149.104.49.44, 154.19.69.75, 137.220.245.26, 149.104.49.46, 198.176.60.87, 137.220.245.37, 149.104.49.49, 103.186.215.103, 137.220.245.38, 13.124.202.35, 137.220.245.13, 137.220.245.45

Q&A
Contact: Sojun: hypen@s2w.inc; Yeongjae:
More details about SecretCalls: Part 1: https:/ ; Part 2: https:/

About S2W
S2W is a big data intelligence company specialized in hidden channels and cryptocurrencies. S2W captures a massive amount of data from various channels and conducts analysis with its unique AI-based multi-domain analytics engine. S2W offers the threat intelligence solution S2-XARVIS, the cryptocurrency anti-money laundering solution S2-EYEZ, and the digital fraud detection system S2-TRUZ. For any queries, please contact info@s2w.inc or www.s2w.inc.
The information contained in this document is proprietary and confidential. If you are not the intended recipient, please note that any use or circulation of this document may be cause for legal action.
Copyright 2023, S2W Inc.
Special thanks to Young-hyun Jeong & our presentation coach Anant.