返回 TI 主页

背景

奇安信威胁情报中心近期发现一例针对韩国手机银行用户的黑产活动,其最早活动可能从2018年12月22日起持续至今,并且截至文档完成时,攻击活动依然活跃,结合木马程序和控制后台均为韩语显示,我们有理由认为其是由韩国的黑产团伙实施。

其攻击平台主要为Android,攻击目标锁定为韩国银行APP使用者,攻击手段为通过仿冒多款韩国银行APP,在诱骗用户安装成功并运行的前提下,窃取用户个人信息,并远程 控制用户手机,以便跳过用户直接与银行连线验证,从而 窃取用户个人财产

截至目前,奇安信威胁情报中心一共捕获了55种的同家族Android木马,在野样本数量高达118个,并且经过关联分析,我们还发现,该黑产团伙使用了300多个用于存放用户信息的服务器。

由于我们初始捕获的样本中,上传信息的URL包含有一个字段:KBStar,而KB也表示为korean bank的缩写,基于此进行联想,我们认为该团伙实乃韩国银行的克星,即Buster,因此我们将该黑产团伙命名为KBuster。

下面为分析过程。

诱饵分析

在捕获到一批伪造成韩国银行APP的诱饵后,我们首先对APP的图标以及伪造的APP名称进行归类,以便对这个针对安卓手机用户的团伙进行一个目标画像。

主要伪造的韩国银行为以下几家

而当打开其中一个仿照的银行APP后(国民银行),可见界面如下所示:

点击指定页面会显示出对应的营业员照片。

框架分析

由于捕获的安卓样本均使用一套框架,并且变种之间均改动不大,因此我们将其中一个典型样本进行剖析,并总结出KBuster家族APP的具体特征。

样本信息

文件名称 국민은행.apk
软件名称 국민은행(翻译:国民银行)
软件包名 com.kbsoft8.activity20190313a
MD5 2FE9716DCAD75333993D61CAF5220295
安装图标

样本执行流程图如下所示。

该木马运行以后会弹出仿冒为“国民银行”的钓鱼页面,并诱骗用户填写个人信息;

而此时,木马会在后台获取用户通讯录、短信内容并上传至固定服务器,并会在服务器对用户手机进行监控,每隔5秒对用户手机当前状态进行刷新,从而达到实时监控

除此之外,该木马会对用户手机进行远控操作,并可对韩国相关银行等金融行业的369个电话号码进行呼叫转移操作从而绕过银行双因素认证,还可以监听手机通话、修改来电铃声、私自挂断用户来电并拉黑来电号码等操作。

具体代码分析如下

一、获取用户手机通讯录、短信并上传到服务器。

获取用户通讯录:

获取用户短信:

将获取到的用户信息上传到服务器:

服务器配置信息:

上传获取到的用户信息:

二、对用户手机进行远程控制

更该用户手机铃声:

对用户手机进行来电转移操作,当来电号码已经存在,在所窃取的号码中时,挂断电话并拉黑该号码:

其他该家族的木马与上述代码几乎一致,更改的部分较少,因此可以确定为同家族木马。

溯源分析

通过分析木马程序,我们可以获取到,用于储存用户数据的FTP服务器的账号、密码,服务器截图如下:

其中一个受害者的被加密后的短信、通讯录文件:

解密后的数据:

此外,我们通过一些特殊手段获取到用于监控的服务器账号和密码,下图为远控服务器显示页面

原始韩文页面显示:

翻译为中文页面显示:

呼叫转移设置,可以呼叫转移369个韩国银行及金融机构的电话:

这里我们可以看到,呼叫转移设置中的强制接收和强制传出的电话号码主要为韩国银行的电话号码,我们对其作用做出几点推测:

1. 通过设置银行号码的呼叫转移可以将用户和银行的呼叫直接转移到攻击者的手机中,并且由于受害者的短信也可以被攻击者实时获取,因此可以绕过银行在进行财产交易的短信验证码或语音验证码的双印子认证方式。

2. 拦截银行号码也可用于在银行方面发现用户账户异常行为并进行电话确认过程,这样用户无法正常接收到银行来源的相关通知。

拉黑用户手机电话号码页面:

在对捕获到的所有KBuster团伙的APK样本进行分析后,我们发现使用300多个服务器从事黑产业务,且IP基本为连号设置,从上面的分析可以得知,其会随机选择一个服务器进行信息上传。可见其团伙幕后财力深厚。

除此之外,我们在对所有受害者的用户数据大小进行初步统计后,发现收集的信息量高达3个G,并且目前该APP仍在上传信息,并且家族变种每日都会有新增,活动异常活跃。

并且,我们通过样本中一个密钥进行关联搜索后,关联到同样是伪装成韩国银行的木马样本,并且其木马代码中的注释信息同样为中文。

从木马的功能来看,其主要对中马用户手机的诸如短信、通讯录等信息进行收集和回传,其功能和国内在过去几年的“短信拦截马”的功能和意图相似。

由于我们通过加密密钥关联到包含中文信息的类似功能的木马程序,结合过去国内“短信拦截马”类黑产组织的特点和模式,我们推测该类木马程序的早期版本也有可能是由国内黑产人员参与开发制作,并被韩国马仔等使用来针对韩国银行手机用户的攻击。

基于此,从攻击目标和远控后台所使用语言,我们认为KBuster团伙是一个疑似来自韩国的黑产团伙,其幕后财力深厚,并且不排除与国内黑产团伙存在联系,

总结

KBuster为2019年发现的最活跃的伪造银行类APK的黑产团伙,其使用300多个服务器从事黑产业务,并使用了绕过银行双因子认证的手法进行用户财产窃取的手法,无不透露了该组织的专业性。

由于目前无法统计受害者的经济损失,并且APP仍然在窃取用户财产,因此我们披露了此次行动,希望韩国警方可以尽快处理,也希望其他用户在使用手机的过程中,切莫安装未知来源的手机应用,尽可能的在正规的第三方应用市场进行应用下载,防止被不法分子窃取隐私和个人财产。

IOC

MD5
1d970126b806a6336ef069f5969ac626 54fc1b5338b79a1526da366b30910651
da8f146413a3ec200dd7a183cd4a909a 83cc96e0910e9ac55ce85bcb5356a711
95635bba83955c89dbb057d0f2d02450 e08db7766d1df3937957c3589dfd885f
79866df39cca98cd8d170f1270517d99 ee1bdfb6b9c97a9b7f9125c16a1be110
c6e911588ee34930bc05be813e8b474f c7a66b522f20b012a3452cf6788e2a1b
025895304aacbd2224d231436ae8c773 25deb2044903a4faa0bc6625b95dd5a4
990f3e9e52f823da5c5b61a0abc926b0 0c314114759ce59cc8d68f8dc25695c7
ac5551f629d0cc55addf82428121ea01 a0ab91c5de99b9c79d450b1686cbdef6
5b128fa99b1b9511097c7cd29f518e83 74617a332c8a052d396c6e2f38c24379
2a2205d3b7455dc90eeae2e6c3bcff63 be3d376b2b1199c87f2a84425907814c
743b6a4f86a3b63c14683800f424b102 327f3d46174828e6c8c2a6355b301710
1ca2e08f90ac9decae24b990ee98f27e 6a630c20d295b07f981251bc50f17279
2fe9716dcad75333993d61caf5220295 50b93e8accb109bce897ce0f16dd7931
df022e7860750d81525ff345056b433f 9ec75c32373a0a84384fdbc67525e810
283182b0e0d450b7c03622de705fd1dc 1049e290dc488c5d24d211e6cd9f6937
ed613bda35c442edf52d720fc61f2e1c c17dd0e2012e9b5c44020041a4407712
fa703eaecb540a4b23daf6995b802d64 3fa74a736eb90e58002fa8aaaf40e66c
8de30e81bca59950f12c5a64a4095c57 9438093e585e26539f3a6f5e2f844536
b2d32fa1a756d56eae0c3668dae3c25f aa44ad01793071fb9a78bbf4f7c64c22
e162977ced5da7c18dc6e18b69157449 c33773e8cce011f0b48be324c3c2135c
fe08b37a7f97fcb7ba814405732f636a 172946d34f207bbae95238d47c5aa87d
f9920632013e719d1ed139ed6b2fb342 4d28e046d13c90847e1b5ce5f1ee6288
37a37e3219c1f264a5fb57027f2e11f5 3f1b1d137528533859c7a1731efe00b7
5ec6beff969f6b747312f466ec2d55ab 499269bd99299eb22a7c32b8e2de3670
aaca7667eec7b64169c08482f4692fde c4557042fc98c39159dc385dc48f35b1
ae1f4ab8d2af680572a096bf692409ae 2a77106cbf30002548307db24654c1ff
92ea578913c3b3bd3c6441601bac41b6 3c80a2a73bdc20853da4d64b16cebd67
a435791a5fb65b41281bb0f5c22a7486
URL
http://112.121.185.132/nhbank/CallTransfer/PhoneServlet/addNewPhone
http://112.121.185.133/nhbank/CallTransfer/PhoneServlet/addNewPhone
http://112.121.185.134/nhbank/CallTransfer/PhoneServlet/addNewPhone
http://182.16.14.234/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://182.16.14.235/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://182.16.14.236/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://182.16.14.237/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://182.16.14.238/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://216.118.242.10/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://216.118.242.11/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://216.118.242.12/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://216.118.242.13/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://216.118.242.14/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://52.128.242.74/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://52.128.242.75/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://52.128.242.76/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://52.128.242.77/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://52.128.242.78/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://216.118.234.210/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://216.118.234.211/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://216.118.234.212/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://216.118.234.213/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://216.118.234.214/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://112.121.176.162/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://112.121.176.163/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://112.121.176.164/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://112.121.176.165/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://112.121.176.166/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://148.66.18.58/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://148.66.18.59/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://148.66.18.60/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://148.66.18.61/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://148.66.18.62/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://112.121.169.2/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://112.121.169.3/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://112.121.169.4/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://112.121.169.5/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://112.121.169.6/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://112.121.175.106/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://112.121.175.107/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://112.121.175.108/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://112.121.175.109/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://112.121.175.110/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://182.16.119.98/nhbank/CallTransfer/PhoneServlet/addNewPhone
http://182.16.119.99/nhbank/CallTransfer/PhoneServlet/addNewPhone
http://182.16.119.100/nhbank/CallTransfer/PhoneServlet/addNewPhone
http://182.16.119.101/nhbank/CallTransfer/PhoneServlet/addNewPhone
http://182.16.119.102/nhbank/CallTransfer/PhoneServlet/addNewPhone
http://182.16.33.50/hncapital/Mb/Mb/Message1
http://182.16.33.51/hncapital/Mb/Mb/Message1
http://182.16.33.52/hncapital/Mb/Mb/Message1
http://182.16.33.53/hncapital/Mb/Mb/Message1
http://182.16.33.54/hncapital/Mb/Mb/Message1
http://112.121.176.162/nonghyop/Mb/Mb/Message1
http://112.121.176.163/nonghyop/Mb/Mb/Message1
http://112.121.176.164/nonghyop/Mb/Mb/Message1
http://112.121.176.165/nonghyop/Mb/Mb/Message1
http://112.121.176.166/nonghyop/Mb/Mb/Message1
http://148.66.18.58/nonghyop/Mb/Mb/Message1
http://148.66.18.59/nonghyop/Mb/Mb/Message1
http://148.66.18.60/nonghyop/Mb/Mb/Message1
http://148.66.18.61/nonghyop/Mb/Mb/Message1
http://148.66.18.62/nonghyop/Mb/Mb/Message1
http://182.16.122.114/nhcapital/Mb/Mb/Message1
http://182.16.122.115/nhcapital/Mb/Mb/Message1
http://182.16.122.116/nhcapital/Mb/Mb/Message1
http://182.16.122.117/nhcapital/Mb/Mb/Message1
http://52.128.224.106/nhcapital/Mb/Mb/Message1
http://52.128.224.108/nhcapital/Mb/Mb/Message1
http://52.128.224.109/nhcapital/Mb/Mb/Message1
http://52.128.224.110/nhcapital/Mb/Mb/Message1
http://180.178.46.106/hnadmin/Mb/Mb/Message1
http://180.178.46.107/hnadmin/Mb/Mb/Message1
http://180.178.46.108/hnadmin/Mb/Mb/Message1
http://180.178.46.109/hnadmin/Mb/Mb/Message1
http://180.178.46.110/hnadmin/Mb/Mb/Message1
http://148.66.2.234/hnadmin/Mb/Mb/Message1
http://148.66.2.235/hnadmin/Mb/Mb/Message1
http://148.66.2.236/hnadmin/Mb/Mb/Message1
http://148.66.2.237/hnadmin/Mb/Mb/Message1
http://148.66.2.238/hnadmin/Mb/Mb/Message1
http://52.128.228.234/nhbank/Mb/Mb/Message1
http://112.121.167.74/nhbank/Mb/Mb/Message1
http://112.121.167.75/nhbank/Mb/Mb/Message1
http://112.121.167.76/nhbank/Mb/Mb/Message1
http://182.16.89.122/hdadmin/Mb/Mb/Request
http://182.16.89.123/hdadmin/Mb/Mb/Request
http://182.16.89.124/hdadmin/Mb/Mb/Request
http://182.16.89.125/hdadmin/Mb/Mb/Request
http://182.16.89.126/hdadmin/Mb/Mb/Request
http://180.178.60.170/hdadmin/Mb/Mb/Request
http://180.178.60.171/hdadmin/Mb/Mb/Request
http://180.178.60.172/hdadmin/Mb/Mb/Request
http://180.178.60.173/hdadmin/Mb/Mb/Request
http://180.178.60.174/hdadmin/Mb/Mb/Request
http://182.16.89.122/hdadmin/Mb/Mb/Message1
http://182.16.89.123/hdadmin/Mb/Mb/Message1
http://182.16.89.124/hdadmin/Mb/Mb/Message1
http://182.16.89.125/hdadmin/Mb/Mb/Message1
http://182.16.89.126/hdadmin/Mb/Mb/Message1
http://180.178.60.170/hdadmin/Mb/Mb/Message1
http://180.178.60.171/hdadmin/Mb/Mb/Message1
http://180.178.60.172/hdadmin/Mb/Mb/Message1
http://180.178.60.173/hdadmin/Mb/Mb/Message1
http://180.178.60.174/hdadmin/Mb/Mb/Message1
http://148.66.9.251/hncapital/Mb/Mb/Message1
http://148.66.9.252/hncapital/Mb/Mb/Message1
http://148.66.9.253/hncapital/Mb/Mb/Message1
http://148.66.9.254/hncapital/Mb/Mb/Message1
http://180.178.62.98/hncapital/Mb/Mb/Message1
http://180.178.62.99/hncapital/Mb/Mb/Message1
http://180.178.62.100/hncapital/Mb/Mb/Message1
http://180.178.62.101/hncapital/Mb/Mb/Message1
http://180.178.62.102/hncapital/Mb/Mb/Message1
http://112.121.169.2/hncapital/Mb/Mb/Message1
http://112.121.169.3/hncapital/Mb/Mb/Message1
http://112.121.169.4/hncapital/Mb/Mb/Message1
http://112.121.169.5/hncapital/Mb/Mb/Message1
http://112.121.169.6/hncapital/Mb/Mb/Message1
http://112.121.175.106/hncapital/Mb/Mb/Message1
http://112.121.175.107/hncapital/Mb/Mb/Message1
http://112.121.175.108/hncapital/Mb/Mb/Message1
http://112.121.175.109/hncapital/Mb/Mb/Message1
http://112.121.175.110/hncapital/Mb/Mb/Message1
http://182.16.14.234/kbstar/Mb/Mb/Message1
http://182.16.14.235/kbstar/Mb/Mb/Message1
http://182.16.14.236/kbstar/Mb/Mb/Message1
http://182.16.14.237/kbstar/Mb/Mb/Message1
http://182.16.14.238/kbstar/Mb/Mb/Message1
http://216.118.242.10/kbstar/Mb/Mb/Message1
http://216.118.242.11/kbstar/Mb/Mb/Message1
http://216.118.242.12/kbstar/Mb/Mb/Message1
http://216.118.242.13/kbstar/Mb/Mb/Message1
http://216.118.242.14/kbstar/Mb/Mb/Message1
http://148.66.6.250/hnadmin/Mb/Mb/Message1
http://148.66.6.251/hnadmin/Mb/Mb/Message1
http://148.66.6.252/hnadmin/Mb/Mb/Message1
http://148.66.6.253/hnadmin/Mb/Mb/Message1
http://148.66.6.254/hnadmin/Mb/Mb/Message1
http://52.128.245.82/hnadmin/Mb/Mb/Message1
http://52.128.245.83/hnadmin/Mb/Mb/Message1
http://52.128.245.84/hnadmin/Mb/Mb/Message1
http://52.128.245.85/hnadmin/Mb/Mb/Message1
http://52.128.245.86/hnadmin/Mb/Mb/Message1
http://148.66.9.251/hdadmin/Mb/Mb/Message1
http://148.66.9.252/hdadmin/Mb/Mb/Message1
http://148.66.9.253/hdadmin/Mb/Mb/Message1
http://148.66.9.254/hdadmin/Mb/Mb/Message1
http://180.178.62.98/hdadmin/Mb/Mb/Message1
http://180.178.62.99/hdadmin/Mb/Mb/Message1
http://180.178.62.100/hdadmin/Mb/Mb/Message1
http://180.178.62.101/hdadmin/Mb/Mb/Message1
http://180.178.62.102/hdadmin/Mb/Mb/Message1
http://182.16.38.250/hanaman/Mb/Mb/Message1
http://182.16.38.251/hanaman/Mb/Mb/Message1
http://182.16.38.252/hanaman/Mb/Mb/Message1
http://182.16.38.253/hanaman/Mb/Mb/Message1
http://182.16.38.254/hanaman/Mb/Mb/Message1
http://182.16.39.66/hanaman/Mb/Mb/Message1
http://182.16.39.67/hanaman/Mb/Mb/Message1
http://182.16.39.68/hanaman/Mb/Mb/Message1
http://182.16.39.69/hanaman/Mb/Mb/Message1
http://182.16.39.70/hanaman/Mb/Mb/Message1
http://182.16.49.2/nhcapital/Mb/Mb/Message1
http://182.16.49.3/nhcapital/Mb/Mb/Message1
http://182.16.49.4/nhcapital/Mb/Mb/Message1
http://182.16.49.5/nhcapital/Mb/Mb/Message1
http://182.16.49.6/nhcapital/Mb/Mb/Message1
http://103.70.77.124/nhcapital/Mb/Mb/Message1
http://103.70.77.125/nhcapital/Mb/Mb/Message1
http://103.70.77.126/nhcapital/Mb/Mb/Message1
http://182.16.38.250/hnadmin/Mb/Mb/Message1
http://182.16.38.251/hnadmin/Mb/Mb/Message1
http://182.16.38.252/hnadmin/Mb/Mb/Message1
http://182.16.38.253/hnadmin/Mb/Mb/Message1
http://182.16.38.254/hnadmin/Mb/Mb/Message1
http://182.16.39.66/hnadmin/Mb/Mb/Message1
http://182.16.39.68/hnadmin/Mb/Mb/Message1
http://182.16.39.69/hnadmin/Mb/Mb/Message1
http://182.16.39.70/hnadmin/Mb/Mb/Message1
http://148.66.16.74/nhbank/Mb/Mb/Message1
http://148.66.16.75/nhbank/Mb/Mb/Message1
http://148.66.16.76/nhbank/Mb/Mb/Message1
http://148.66.16.77/nhbank/Mb/Mb/Message1
http://148.66.16.78/nhbank/Mb/Mb/Message1
http://112.121.167.50/nhbank/Mb/Mb/Message1
http://112.121.167.51/nhbank/Mb/Mb/Message1
http://112.121.167.53/nhbank/Mb/Mb/Message1
52.128.228.234:21823
52.128.246.230:21821‬‬‬
52.128.224.106:21823
52.128.224.108:21823
52.128.224.109:21823
52.128.224.110:21823
52.128.245.82:21823
52.128.245.83:21823
52.128.245.84:21823
52.128.245.85:21823
52.128.245.86:21823
103.70.77.124:21823
103.70.77.125:21823
103.70.77.126:21823
112.121.167.50:21823
112.121.167.51:21823
112.121.167.53:21823
112.121.167.74:21823
112.121.167.75:21823
112.121.167.76:21823
112.121.169.2:21823
112.121.169.3:21823
112.121.169.4:21823
112.121.169.5:21823
112.121.169.6:21823
112.121.175.106:21823
112.121.175.107:21823
112.121.175.108:21823
112.121.175.109:21823
112.121.175.110:21823
112.121.176.162:21823
112.121.176.163:21823
112.121.176.164:21823
112.121.176.165:21823
112.121.176.166:21823
148.66.2.234:21823
148.66.2.235:21823
148.66.2.236:21823
148.66.2.237:21823
148.66.2.238:21823
148.66.6.250:21823
148.66.6.251:21823
148.66.6.252:21823
148.66.6.253:21823
148.66.6.254:21823
148.66.9.251:21823
148.66.9.252:21823
148.66.9.253:21823
148.66.9.254:21823
148.66.16.74:21823
148.66.16.75:21823
148.66.16.76:21823
148.66.16.77:21823
148.66.16.78:21823
148.66.18.58:21823
148.66.18.59:21823
148.66.18.60:21823
148.66.18.61:21823
148.66.18.62:21823
180.178.46.106:21823
180.178.46.107:21823
180.178.46.108:21823
180.178.46.109:21823
180.178.46.110:21823
180.178.60.170:21823
180.178.60.171:21823
180.178.60.172:21823
180.178.60.173:21823
180.178.60.174:21823
180.178.62.98:21823
180.178.62.99:21823
180.178.62.100:21823
180.178.62.101:21823
180.178.62.102:21823
182.16.38.250:21823
182.16.38.251:21823
182.16.38.252:21823
182.16.38.253:21823
182.16.38.254:21823
182.16.39.66:21823
182.16.39.67:21823
182.16.39.68:21823
182.16.39.69:21823
182.16.39.70:21823
182.16.49.2:21823
182.16.49.3:21823
182.16.49.4:21823
182.16.49.5:21823
182.16.49.6:21823
182.16.89.122:21823
182.16.89.123:21823
182.16.89.124:21823
182.16.89.125:21823
182.16.89.126:21823
182.16.14.234:21823
182.16.14.235:21823
182.16.14.236:21823
182.16.14.237:21823
182.16.14.238:21823
182.16.33.50:21823
182.16.33.51:21823
182.16.33.52:21823
182.16.33.53:21823
182.16.33.54:21823
182.16.122.114:21823
182.16.122.115:21823
182.16.122.116:21823
182.16.122.117:21823
216.118.242.10:21823
216.118.242.11:21823
216.118.242.12:21823
216.118.242.13:21823
216.118.242.14:21823
KBUSTER FAKE BANK APP