{ "Event": { "analysis": "2", "date": "2024-08-23", "extends_uuid": "", "info": "OSINT - NGate Android malware relays NFC traffic to steal cash", "publish_timestamp": "1724415888", "published": true, "threat_level_id": "3", "timestamp": "1724415650", "uuid": "3594b211-1c7c-4e20-8c85-62564c2e7267", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Finance\"", "relationship_type": "targets" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Retail\"", "relationship_type": "targets" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1660\"", "relationship_type": "uses" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": false, "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#0087e8", "local": false, "name": "osint:certainty=\"50\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" } ], "Attribute": [ { "category": "Network activity", "comment": "NGate C&C server.", "deleted": false, "disable_correlation": false, "timestamp": "1724414986", "to_ids": true, "type": "ip-dst", "uuid": "c778b40f-401f-477c-acc0-1ac6326f4828", "value": "172.187.98.211" } ], "Object": [ { "comment": "", "deleted": false, "description": "Report object to describe a report along with its metadata.", "meta-category": "misc", "name": "report", "template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", "template_version": "8", "timestamp": "1724414846", "uuid": "b664e0c0-e94c-4811-813b-591ab0fa6230", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "link", "timestamp": "1724414846", "to_ids": false, 
"type": "link", "uuid": "404f429d-75fe-45c5-a62f-d025e478fe8b", "value": "https://www.welivesecurity.com/en/eset-research/ngate-android-malware-relays-nfc-traffic-to-steal-cash/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "summary", "timestamp": "1724414846", "to_ids": false, "type": "text", "uuid": "390e6769-ecd7-4a0e-9dfa-5e095f8f1735", "value": "Android malware discovered by ESET Research relays NFC data from victims\u2019 payment cards, via victims\u2019 mobile phones, to the device of a perpetrator waiting at an ATM" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "title", "timestamp": "1724414846", "to_ids": false, "type": "text", "uuid": "cc82d712-5537-4376-a7b1-9391a174d286", "value": "NGate Android malware relays NFC traffic to steal cash" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "type", "timestamp": "1724414846", "to_ids": false, "type": "text", "uuid": "e434a86a-c69b-4506-bc04-c1e04c66e284", "value": "Blog" } ] }, { "comment": "NGate distribution website.", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "9", "timestamp": "1724414934", "uuid": "670685e7-856e-457a-ab8b-5d50b99c951d", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1724414934", "to_ids": true, "type": "ip-dst", "uuid": "67064af6-5c07-45a4-b8e1-baa8b40fcb4e", "value": "91.222.136.153" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1724414934", "to_ids": true, "type": "domain", "uuid": 
"9439ed21-eb5f-4f98-a5de-e330c46fd8ec", "value": "raiffeisen-cz.eu" } ] }, { "comment": "Phishing website.", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "9", "timestamp": "1724414957", "uuid": "8a1c1eaf-fb1f-4192-bfb3-e39ccdcb15b3", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1724414957", "to_ids": true, "type": "ip-dst", "uuid": "3c88f7a9-0be0-4ac0-8867-fdec41a04901", "value": "104.21.7.213" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "hostname", "timestamp": "1724414957", "to_ids": true, "type": "hostname", "uuid": "891a583a-d494-4cce-b2d4-db2acc88093c", "value": "client.nfcpay.workers.dev" } ] }, { "comment": "NGate distribution website.", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "9", "timestamp": "1724415006", "uuid": "2a96d936-8d8e-4833-a84c-995747fcea47", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1724415006", "to_ids": true, "type": "ip-dst", "uuid": "9846f6cb-d2c0-49e2-9447-631031dc3f4a", "value": "185.104.45.51" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "hostname", "timestamp": "1724415006", "to_ids": true, "type": "hostname", "uuid": "1fe9e1b1-6099-4bfb-90b9-6a53620cdfec", "value": "app.mobil-csob-cz.eu" } ] }, { "comment": "NGate C&C server.", 
"deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "9", "timestamp": "1724415045", "uuid": "f7ef3692-2d4f-4e0f-80c0-cc96e626c3a9", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1724415045", "to_ids": true, "type": "ip-dst", "uuid": "32acdd39-eee2-45a0-b41f-5e98ab0d1244", "value": "185.181.165.124" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "hostname", "timestamp": "1724415045", "to_ids": true, "type": "hostname", "uuid": "68095d80-8f97-4858-b0b2-3b3d20f85c2f", "value": "nfc.cryptomaker.info" } ] }, { "comment": "", "deleted": false, "description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.", "meta-category": "misc", "name": "attack-step", "template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74", "template_version": "1", "timestamp": "1724415189", "uuid": "6b219eb5-41e8-469a-8cc5-3ecb54a84332", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1724415189", "to_ids": false, "type": "text", "uuid": "a0e43ef8-1ed3-46d7-9742-a751e6f1d736", "value": "NGate has been distributed using dedicated websites impersonating legitimate services.", "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1660\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "key-step", "timestamp": "1724415169", "to_ids": false, "type": "boolean", "uuid": "2a5ae6e7-da1b-4f94-8e4e-3ff43cb675e0", 
"value": "1" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "succesful", "timestamp": "1724415169", "to_ids": false, "type": "boolean", "uuid": "74a75b4d-d19d-42d2-b230-61e85138eb58", "value": "1" } ] }, { "comment": "", "deleted": false, "description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.", "meta-category": "misc", "name": "attack-step", "template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74", "template_version": "1", "timestamp": "1724415284", "uuid": "56c8a4e9-c52a-4377-8def-71524d6b8715", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1724415284", "to_ids": false, "type": "text", "uuid": "4f6963ef-3bb5-4bdb-b40d-6178126bcc06", "value": "NGate tries to obtain victims\u2019 sensitive information via a phishing WebView pretending to be a banking service.", "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"GUI Input Capture - T1417.002\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "key-step", "timestamp": "1724415235", "to_ids": false, "type": "boolean", "uuid": "7c4f878d-1b89-47bb-a7f0-b1c868133688", "value": "1" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "succesful", "timestamp": "1724415235", "to_ids": false, "type": "boolean", "uuid": "fed9ae65-503d-45c2-80df-d43e39285885", "value": "1" } ] }, { "comment": "", "deleted": false, "description": "An object defining a singular attack-step. 
Especially useful for red/purple teaming, but can also be used for actual attacks.", "meta-category": "misc", "name": "attack-step", "template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74", "template_version": "1", "timestamp": "1724415353", "uuid": "77a91913-41d6-40e8-9cbc-0e989dc54ee6", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1724415353", "to_ids": false, "type": "text", "uuid": "da979af4-c499-4610-b1af-7820f3dc628f", "value": "NGate can extract information about the device including device model, Android version, and information about NFC.", "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1426\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "key-step", "timestamp": "1724415322", "to_ids": false, "type": "boolean", "uuid": "888930cd-782c-4bd9-99c4-2239c6cab3a6", "value": "1" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "succesful", "timestamp": "1724415322", "to_ids": false, "type": "boolean", "uuid": "e871cb13-a5d9-4fd5-9f00-288297b6e8f2", "value": "1" } ] }, { "comment": "", "deleted": false, "description": "An object defining a singular attack-step. 
Especially useful for red/purple teaming, but can also be used for actual attacks.", "meta-category": "misc", "name": "attack-step", "template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74", "template_version": "1", "timestamp": "1724415428", "uuid": "6db83e7d-e8b9-4af7-b066-9eeeda3c916c", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1724415428", "to_ids": false, "type": "text", "uuid": "ca52e318-d16a-49be-b6e2-b7613b6d2a5a", "value": "NGate uses a JavaScript interface to send commands to compromised devices and execute them there.", "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1437.001\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "key-step", "timestamp": "1724415399", "to_ids": false, "type": "boolean", "uuid": "b0889480-3b42-4c97-85c3-67f8856d8025", "value": "1" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "succesful", "timestamp": "1724415399", "to_ids": false, "type": "boolean", "uuid": "efe0764c-6c26-4c54-af83-8da6d778e745", "value": "1" } ] }, { "comment": "", "deleted": false, "description": "An object defining a singular attack-step. 
Especially useful for red/purple teaming, but can also be used for actual attacks.", "meta-category": "misc", "name": "attack-step", "template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74", "template_version": "1", "timestamp": "1724415516", "uuid": "a7e7a430-0053-4575-b02a-887781f3d366", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1724415516", "to_ids": false, "type": "text", "uuid": "7e3569d4-82a3-43c3-a442-49ac998f5f98", "value": "NGate uses port 5566 to communicate with its server to exfiltrate NFC traffic.", "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1509\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "key-step", "timestamp": "1724415482", "to_ids": false, "type": "boolean", "uuid": "40a6d4dd-fd27-44a0-9b0f-852e35675301", "value": "1" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "succesful", "timestamp": "1724415482", "to_ids": false, "type": "boolean", "uuid": "0b72b277-4b84-49bb-81f4-c2e10bf29447", "value": "1" } ] }, { "comment": "", "deleted": false, "description": "An object defining a singular attack-step. 
Especially useful for red/purple teaming, but can also be used for actual attacks.", "meta-category": "misc", "name": "attack-step", "template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74", "template_version": "1", "timestamp": "1724415600", "uuid": "27848d85-df48-41a8-9b49-487e5dead30e", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1724415600", "to_ids": false, "type": "text", "uuid": "ea267d0d-3ec9-48a2-ae63-1fd63f2ee08e", "value": "NGate can exfiltrate NFC traffic.", "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Out of Band Data - T1644\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "key-step", "timestamp": "1724415565", "to_ids": false, "type": "boolean", "uuid": "f82b6eaa-3c80-4c8c-a6dd-beb307454d60", "value": "1" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "succesful", "timestamp": "1724415565", "to_ids": false, "type": "boolean", "uuid": "53c9d6b4-1417-4d01-bb55-fec10c3009c4", "value": "1" } ] } ] } }