{ "type": "bundle", "id": "bundle--3594b211-1c7c-4e20-8c85-62564c2e7267", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-08-23T12:20:50.000Z", "modified": "2024-08-23T12:20:50.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--3594b211-1c7c-4e20-8c85-62564c2e7267", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-08-23T12:20:50.000Z", "modified": "2024-08-23T12:20:50.000Z", "name": "OSINT - NGate Android malware relays NFC traffic to steal cash", "published": "2024-08-23T12:24:48Z", "object_refs": [ "indicator--c778b40f-401f-477c-acc0-1ac6326f4828", "x-misp-object--b664e0c0-e94c-4811-813b-591ab0fa6230", "indicator--670685e7-856e-457a-ab8b-5d50b99c951d", "indicator--8a1c1eaf-fb1f-4192-bfb3-e39ccdcb15b3", "indicator--2a96d936-8d8e-4833-a84c-995747fcea47", "indicator--f7ef3692-2d4f-4e0f-80c0-cc96e626c3a9", "x-misp-object--6b219eb5-41e8-469a-8cc5-3ecb54a84332", "x-misp-object--56c8a4e9-c52a-4377-8def-71524d6b8715", "x-misp-object--77a91913-41d6-40e8-9cbc-0e989dc54ee6", "x-misp-object--6db83e7d-e8b9-4af7-b066-9eeeda3c916c", "x-misp-object--a7e7a430-0053-4575-b02a-887781f3d366", "x-misp-object--27848d85-df48-41a8-9b49-487e5dead30e" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:sector=\"Finance\"", "misp-galaxy:sector=\"Retail\"", "misp-galaxy:mitre-attack-pattern=\"Phishing - T1660\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "tlp:clear" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c778b40f-401f-477c-acc0-1ac6326f4828", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-08-23T12:09:46.000Z", "modified": "2024-08-23T12:09:46.000Z", "description": "NGate C&C server.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '172.187.98.211']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-08-23T12:09:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--b664e0c0-e94c-4811-813b-591ab0fa6230", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-08-23T12:07:26.000Z", "modified": "2024-08-23T12:07:26.000Z", "labels": [ "misp:name=\"report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "link", "value": "https://www.welivesecurity.com/en/eset-research/ngate-android-malware-relays-nfc-traffic-to-steal-cash/", "category": "External analysis", "uuid": "404f429d-75fe-45c5-a62f-d025e478fe8b" }, { "type": "text", "object_relation": "summary", "value": "Android malware discovered by ESET Research relays NFC data from victims\u2019 payment cards, via victims\u2019 mobile phones, to the device of a perpetrator waiting at an ATM", "category": "Other", "uuid": "390e6769-ecd7-4a0e-9dfa-5e095f8f1735" }, { "type": "text", "object_relation": "title", "value": "NGate Android malware relays NFC traffic to steal cash", "category": "Other", "uuid": "cc82d712-5537-4376-a7b1-9391a174d286" }, { "type": "text", "object_relation": "type", "value": "Blog", "category": "Other", "uuid": "e434a86a-c69b-4506-bc04-c1e04c66e284" } ], "x_misp_meta_category": "misc", "x_misp_name": "report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--670685e7-856e-457a-ab8b-5d50b99c951d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-08-23T12:08:54.000Z", "modified": "2024-08-23T12:08:54.000Z", "description": "NGate distribution website.", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '91.222.136.153') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'raiffeisen-cz.eu')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-08-23T12:08:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8a1c1eaf-fb1f-4192-bfb3-e39ccdcb15b3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-08-23T12:09:17.000Z", "modified": "2024-08-23T12:09:17.000Z", "description": "Phishing website.", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.21.7.213') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'client.nfcpay.workers.dev')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-08-23T12:09:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2a96d936-8d8e-4833-a84c-995747fcea47", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-08-23T12:10:06.000Z", "modified": "2024-08-23T12:10:06.000Z", "description": "NGate distribution website.", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.104.45.51') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'app.mobil-csob-cz.eu')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-08-23T12:10:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f7ef3692-2d4f-4e0f-80c0-cc96e626c3a9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-08-23T12:10:45.000Z", "modified": "2024-08-23T12:10:45.000Z", "description": "NGate C&C server.", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.181.165.124') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'nfc.cryptomaker.info')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-08-23T12:10:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--6b219eb5-41e8-469a-8cc5-3ecb54a84332", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-08-23T12:13:09.000Z", "modified": "2024-08-23T12:13:09.000Z", "labels": [ "misp:name=\"attack-step\"", "misp:meta-category=\"misc\"", "misp-galaxy:mitre-attack-pattern=\"Phishing - T1660\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "description", "value": "NGate has been distributed using dedicated websites impersonating legitimate services.", "category": "Other", "uuid": "a0e43ef8-1ed3-46d7-9742-a751e6f1d736" }, { "type": "boolean", "object_relation": "key-step", "value": "1", "category": "Other", "uuid": "2a5ae6e7-da1b-4f94-8e4e-3ff43cb675e0" }, { "type": "boolean", "object_relation": "succesful", "value": "1", "category": "Other", "uuid": "74a75b4d-d19d-42d2-b230-61e85138eb58" } ], "x_misp_meta_category": "misc", "x_misp_name": "attack-step" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--56c8a4e9-c52a-4377-8def-71524d6b8715", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-08-23T12:14:44.000Z", "modified": "2024-08-23T12:14:44.000Z", "labels": [ "misp:name=\"attack-step\"", "misp:meta-category=\"misc\"", "misp-galaxy:mitre-attack-pattern=\"GUI Input Capture - T1417.002\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "description", "value": "NGate tries to obtain victims\u2019 sensitive information via a phishing WebView pretending to be a banking service.", "category": "Other", "uuid": "4f6963ef-3bb5-4bdb-b40d-6178126bcc06" }, { "type": "boolean", "object_relation": "key-step", "value": "1", "category": "Other", "uuid": "7c4f878d-1b89-47bb-a7f0-b1c868133688" }, { "type": "boolean", "object_relation": "succesful", "value": "1", "category": "Other", "uuid": "fed9ae65-503d-45c2-80df-d43e39285885" } ], "x_misp_meta_category": "misc", "x_misp_name": "attack-step" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--77a91913-41d6-40e8-9cbc-0e989dc54ee6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-08-23T12:15:53.000Z", "modified": "2024-08-23T12:15:53.000Z", "labels": [ "misp:name=\"attack-step\"", "misp:meta-category=\"misc\"", "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1426\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "description", "value": "NGate can extract information about the device including device model, Android version, and information about NFC.", "category": "Other", "uuid": "da979af4-c499-4610-b1af-7820f3dc628f" }, { "type": "boolean", "object_relation": "key-step", "value": "1", "category": "Other", "uuid": "888930cd-782c-4bd9-99c4-2239c6cab3a6" }, { "type": "boolean", "object_relation": "succesful", "value": "1", "category": "Other", "uuid": "e871cb13-a5d9-4fd5-9f00-288297b6e8f2" } ], "x_misp_meta_category": "misc", "x_misp_name": "attack-step" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--6db83e7d-e8b9-4af7-b066-9eeeda3c916c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-08-23T12:17:08.000Z", "modified": "2024-08-23T12:17:08.000Z", "labels": [ "misp:name=\"attack-step\"", "misp:meta-category=\"misc\"", "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1437.001\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "description", "value": "NGate uses a JavaScript interface to send and execute commands to compromised devices.", "category": "Other", "uuid": "ca52e318-d16a-49be-b6e2-b7613b6d2a5a" }, { "type": "boolean", "object_relation": "key-step", "value": "1", "category": "Other", "uuid": "b0889480-3b42-4c97-85c3-67f8856d8025" }, { "type": "boolean", "object_relation": "succesful", "value": "1", "category": "Other", "uuid": "efe0764c-6c26-4c54-af83-8da6d778e745" } ], "x_misp_meta_category": "misc", "x_misp_name": "attack-step" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--a7e7a430-0053-4575-b02a-887781f3d366", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-08-23T12:18:36.000Z", "modified": "2024-08-23T12:18:36.000Z", "labels": [ "misp:name=\"attack-step\"", "misp:meta-category=\"misc\"", "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1509\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "description", "value": "NGate uses port 5566 to communicate with its server to exfiltrate NFC traffic.", "category": "Other", "uuid": "7e3569d4-82a3-43c3-a442-49ac998f5f98" }, { "type": "boolean", "object_relation": "key-step", "value": "1", "category": "Other", "uuid": "40a6d4dd-fd27-44a0-9b0f-852e35675301" }, { "type": "boolean", "object_relation": "succesful", "value": "1", "category": "Other", "uuid": "0b72b277-4b84-49bb-81f4-c2e10bf29447" } ], "x_misp_meta_category": "misc", "x_misp_name": "attack-step" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--27848d85-df48-41a8-9b49-487e5dead30e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-08-23T12:20:00.000Z", "modified": "2024-08-23T12:20:00.000Z", "labels": [ "misp:name=\"attack-step\"", "misp:meta-category=\"misc\"", "misp-galaxy:mitre-attack-pattern=\"Out of Band Data - T1644\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "description", "value": "NGate can exfiltrate NFC traffic.", "category": "Other", "uuid": "ea267d0d-3ec9-48a2-ae63-1fd63f2ee08e" }, { "type": "boolean", "object_relation": "key-step", "value": "1", "category": "Other", "uuid": "f82b6eaa-3c80-4c8c-a6dd-beb307454d60" }, { "type": "boolean", "object_relation": "succesful", "value": "1", "category": "Other", "uuid": "53c9d6b4-1417-4d01-bb55-fec10c3009c4" } ], "x_misp_meta_category": "misc", "x_misp_name": "attack-step" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }