Summary

Many point-of-sale (PoS) systems in South Korea were compromised. The attackers stole card data, in particular the track 2 data of magnetic-stripe cards.

The malware hooks one specific module (ksnetadsl.dll*) and extracts the track 2 data precisely from it. The attackers clearly understood the South Korean card-payment process in detail.


* ksnetadsl.dll: encrypts the approval message and sends it to the VAN server, which obtains the authorisation from the card company.
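As an added example (not part of the original report or the author's tooling), the Python script below shows what the stolen "track 2" data looks like and how a defender finds it in a memory dump or network capture: it scans a constructed byte buffer for ISO/IEC 7813 track 2 records (`;PAN=YYMMSSS…?`), keeps only records whose PAN passes the Luhn check, and returns the parsed fields with the PAN masked. The buffer, the record contents and all function names are assumptions for the example; the PANs are the public Visa and Mastercard test numbers, not real cards.

```python
"""Find and parse ISO/IEC 7813 track 2 records in a byte buffer (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Track 2 layout: ';' start sentinel, PAN (13-19 digits), '=' separator,
# expiry YYMM, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; rejects digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Track2:
    pan: str
    exp_yy: str
    exp_mm: str
    service_code: str
    discretionary: str

    def masked_pan(self) -> str:
        """First six and last four digits, the PCI DSS display form."""
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def find_track2(buf: bytes) -> List[Track2]:
    """Return every Luhn-valid track 2 record in buf, in order of appearance."""
    found = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue            # looks like a card record but is not one
        found.append(Track2(pan, *(g.decode("ascii") for g in m.groups()[1:])))
    return found


# Constructed buffer standing in for a process-memory snapshot (assumption).
# The middle record uses a PAN that fails Luhn and must be dropped.
SAMPLE_BUFFER = (
    b"\x00\x00APPROVAL REQ\x00"
    b";4111111111111111=2512101123456789?"
    b"\x00\x00junk\x00"
    b";1234567890123456=2301201000?"
    b"\x00"
    b";5555555555554444=2609201987654321?"
    b"\x00\x00"
)

if __name__ == "__main__":
    for rec in find_track2(SAMPLE_BUFFER):
        print(rec.masked_pan(), rec.exp_mm + "/" + rec.exp_yy, "service code", rec.service_code)
```

The same regex, without the Luhn filter, is what a PoS RAM scraper typically carries; the Luhn step is what separates a usable card record from random digit runs, for the defender as much as for the thief.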



Incident Flow




IoCs

File hashes (MD5):

944439b6693b0589ae73421c0a342d8a

203b1ceff471f8519d9df5a31243ed0d

8c9d5a122c18fe3b233b100f3990accf

badef8c801334aac6df6c41166791cf7

Domains and IPs:

www.webkingston[.]com  (89.33.246.102)

www.energydonate[.]com (81.95.5.179)

online-help.serveftp[.]com (81.95.5.179)


YARA rules

rule BluenoroffPoS_DLL {
        meta:
                description = "hkp.dll"
        strings:
                $dll = "ksnetadsl.dll" ascii wide fullword nocase
                $exe = "xplatform.exe" ascii wide fullword nocase
                $agent = "Nimo Software HTTP Retriever 1.0" ascii wide nocase
                $log_file = "c:\\windows\\temp\\log.tmp" ascii wide nocase
                $base_addr = "%d-BaseAddr:0x%x" ascii wide nocase
                $func_addr = "%d-FuncAddr:0x%x" ascii wide nocase
                $HF_S = "HF-S(%d)" ascii wide
                $HF_T = "HF-T(%d)" ascii wide
        condition:
                5 of them        // any five of the eight strings
}

rule BluenoroffPoS_Substitution {
        strings:
                $cardinfo_parsing = { 6A 25 83 ?? F0 }
                // 5A 43 4B 4F = "ZCKO", 41 44 42 4C = "ADBL", 4E 58 = "NX", 59 = "Y";
                // [N] skips exactly N arbitrary bytes between the table fragments
                $subs_table = { 5A 43 4B 4F [6] 41 44 42 4C [7] 4E 58 [6] 59 }
        condition:
                all of them
}
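To make the rule modifiers concrete, here is an added example (my code, not the original author's tooling) that re-implements both rules above in plain Python with the `re` module: `ascii wide` becomes one regex per encoding, `nocase` becomes IGNORECASE, `fullword` becomes alphanumeric look-around, and `??` and `[N]` in the hex strings become a single-byte wildcard and a fixed-length jump. It runs against a constructed byte blob that satisfies both rules, not against real sample bytes; the blob, the filler bytes and the helper names are assumptions. It is meant for understanding what each string matches; use yara itself for scanning.

```python
"""Plain-Python re-implementation of the two YARA rules on this page (added example)."""
import re

ALNUM = rb"[0-9A-Za-z]"


def text_pattern(s, wide=False, nocase=False, fullword=False):
    """Regex for one encoding (ascii or UTF-16LE) of a YARA text string."""
    if wide:
        body = b"".join(re.escape(c.encode("ascii")) + b"\x00" for c in s)
        before, after = rb"(?<!" + ALNUM + rb"\x00)", rb"(?!" + ALNUM + rb"\x00)"
    else:
        body = re.escape(s.encode("ascii"))
        before, after = rb"(?<!" + ALNUM + rb")", rb"(?!" + ALNUM + rb")"
    if fullword:  # fullword: no alphanumeric character directly before or after
        body = before + body + after
    return re.compile(body, re.IGNORECASE if nocase else 0)


def text_string(s, wide=False, nocase=False, fullword=False):
    """'ascii wide' lets either encoding match, so return one regex per encoding."""
    pats = [text_pattern(s, False, nocase, fullword)]
    if wide:
        pats.append(text_pattern(s, True, nocase, fullword))
    return pats


def hex_string(spec):
    """YARA hex string: 'NN' literal byte, '??' any byte, '[N]' exactly N bytes."""
    parts = []
    for tok in spec.split():
        if tok == "??":
            parts.append(b".")
        elif tok[0] == "[" and tok[-1] == "]":
            parts.append(b".{%d}" % int(tok[1:-1]))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return [re.compile(b"".join(parts), re.DOTALL)]   # DOTALL so '.' also matches 0x0A


# The rules as written above; the condition is expressed as a minimum match count.
RULES = {
    "BluenoroffPoS_DLL": ({
        "dll": text_string("ksnetadsl.dll", wide=True, nocase=True, fullword=True),
        "exe": text_string("xplatform.exe", wide=True, nocase=True, fullword=True),
        "agent": text_string("Nimo Software HTTP Retriever 1.0", wide=True, nocase=True),
        "log_file": text_string(r"c:\windows\temp\log.tmp", wide=True, nocase=True),
        "base_addr": text_string("%d-BaseAddr:0x%x", wide=True, nocase=True),
        "func_addr": text_string("%d-FuncAddr:0x%x", wide=True, nocase=True),
        "HF_S": text_string("HF-S(%d)", wide=True),
        "HF_T": text_string("HF-T(%d)", wide=True),
    }, 5),                                   # condition: 5 of them
    "BluenoroffPoS_Substitution": ({
        "cardinfo_parsing": hex_string("6A 25 83 ?? F0"),
        "subs_table": hex_string("5A 43 4B 4F [6] 41 44 42 4C [7] 4E 58 [6] 59"),
    }, 2),                                   # condition: all of them
}


def scan(blob):
    """Return {rule: (fired, [names of matched strings])} for a bytes blob."""
    report = {}
    for rule, (strings, needed) in RULES.items():
        hit = [name for name, pats in strings.items() if any(p.search(blob) for p in pats)]
        report[rule] = (len(hit) >= needed, hit)
    return report


# Constructed test blob (assumption, not real malware bytes): six of the eight
# text strings, with the DLL name in UTF-16LE and upper case, plus both hex patterns.
SAMPLE = (
    b"C:\\WINDOWS\\system32\\" + "KSNETADSL.DLL".encode("utf-16-le") + b"\x00\x00"
    + b"xplatform.exe\x00"
    + b"User-Agent: Nimo Software HTTP Retriever 1.0\r\n"
    + b"c:\\windows\\temp\\log.tmp\x00"
    + b"%d-BaseAddr:0x%x\x00%d-FuncAddr:0x%x\x00"
    + b"\x6a\x25\x83\xe4\xf0"                       # '??' filled with 0xE4
    + b"ZCKO" + b"\x01" * 6 + b"ADBL" + b"\x02" * 7 + b"NX" + b"\x03" * 6 + b"Y"
)

if __name__ == "__main__":
    for rule, (fired, hit) in scan(SAMPLE).items():
        print(rule, "MATCH" if fired else "no match", hit)
```

The fullword modifier is the one most often misread: `myksnetadsl.dll` does not satisfy `$dll`, while `\ksnetadsl.dll` followed by a NUL does, because only alphanumeric neighbours break the word.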


Related Threat Actor

Bluenoroff


Related Report

https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new


Special Thanks to Darien


English version of the threat intelligence report "Campaign RIFLE"

Special thanks to "Group-IB"


FSEC Korea RIFLE.docx


Threat Intelligence Cheat Sheet for Attribution


Any feedback is welcome!




