返回 TI 主页
KBuster: Fake Bank App in South Korean

By 奇安信威胁情报中心 | 事件追踪

Background

QiAnXin Threat Intelligence Center recently found an attack against South Korean mobile banking users. First activity may back to December 22, 2018, and until this document is finished, attack is still ongoing. Both malware samples and C2 infrastructure are written in Korean. So we believe this attack is run by actors from South Korea.

The main attack platform for Android, attack target as the bank of Korea APP users, means of attack by fake APP, many South Korean bank in tricking users to install and run under the premise of success, to steal personal information, and remote control mobile user, connected directly with the bank in order to skip the users authentication, thus stealing users' personal property.

Up to now, 360Threat Intelligence Center has captured a total of 55 kinds of the same family Android trojans, and the number of wild samples is as high as 118. Through correlation analysis, we also found that the black production gang used more than 300 servers for storing user information.

In our initial captured sample, the URL of uploaded information contains a field: KBStar, and KB is also the abbreviation of Korean bank. Based on this association, we think this gang is actually the Buster of the bank of Korea, so we name this black production gang as KBuster.

The following is the analysis detail.

Bait

After capturing a batch of decoys that were faked to be Korean bank apps, we first categorized the APP ICONS and the faked APP names in order to draw a target portrait of the gang targeting android phone users.

The South Korean Banks that are the main forgers are the following

After opening one of the imitated banking apps (national bank), the interface can be seen as follows:

Click the specified page to display the corresponding salesperson's photo.

Framework

Since the captured android samples all use a set of framework and the variations are not changed much, we will analyze one of the typical samples and summarize the specific characteristics of the KBuster family APP.

Sample information
The file name 국 민 은 행 apk
The name of the software 국 민 은 행 (translation: national bank)
The package name Com. Kbsoft8. Activity20190313a
MD5 2 fe9716dcad75333993d61caf5220295
Install the ICONS

The sample execution flow chart is shown below.

After running, the Trojan will pop up phishing page that imitates "national bank" and induce users to fill in personal information.

At this time, the Trojan horse will get the user's address book, SMS content in the background and upload to the fixed server, and will monitor the user's mobile phone in the server, every 5 seconds to refresh the current state of the user's mobile phone, so as to achieve real-time monitoring

In addition, the Trojan will remote control the user's mobile phone operation, and can be related to South Korea Banks and other financial industry 369 phone Numbers for call transfer operation to bypass the bank two-factor authentication, but also can listen to mobile phone calls, modify the ring tone, privately hang up the user's call and block the call number and other operations.

The detailed code analysis is as follows

One, access to the user's mobile phone address book, SMS and upload to the server.

Get user address book:

Get user SMS:

Upload the acquired user information to the server:

Server configuration information:

Upload the obtained user information:

Two, the user's mobile phone remote control

The user's ringtone:

Call transfer operation is carried out on the user's mobile phone. When the call number already exists and the stolen number is lost, hang up the phone and block the number:

Other trojans in this family are almost identical to the above code, with fewer changes, and therefore can be identified as the same family.

Attribution

By analyzing the Trojan program, we can obtain the account and password of the FTP server used to store user data. The screenshot of the server is as follows:

Encrypted text messages, address book files of one of the victims:

Data after decryption:

The following figure shows the remote server display page

The original Korean page shows:

Translated into English page shows:

Call transfer Settings, you can call transfer 369 Korean Banks and financial institutions telephone:

Here we can see that the telephone Numbers in the call transfer Settings of mandatory reception and mandatory outgoing are mainly the phone Numbers of the bank of Korea, and we make several speculations about their functions:

1. By setting the call transfer of the bank number, the call between the user and the bank can be directly transferred to the mobile phone of the attacker. In addition, since the victim's text messages can also be obtained by the attacker in real time, the authentication method of the SMS verification code or voice verification code of the bank in property transaction can be bypassed.

2. Interception of the bank number can also be used to detect abnormal behavior of the user's account in the bank and conduct the phone confirmation process, so that the user cannot normally receive the relevant notification from the bank source.

Screen user's mobile phone number page:

After the analysis of all the APK samples of the KBuster gang captured, we found that more than 300 servers were used for the black production business, and the IP was basically set with a serial number. From the above analysis, we can know that it would randomly select a server to upload information.It shows the deep pockets behind the gang.

In addition, after the preliminary statistics of the user data size of all the victims, we found that the amount of information collected was as high as 3 G, and the APP is still uploading information at present, and there will be new variations in the family every day, so the activity is very active.

In addition, after we conduct association search through a key in the sample, we associate the Trojan horse sample that is also disguised as Korean bank, and the comment information in its Trojan code is also Chinese.

From the function of Trojan horse, it mainly carries on the collection and the return transmission to the information such as the short message, the address book and so on in the middle horse user's mobile phone, its function and the home in the past few years "short message intercepts the horse" the function and the intention are similar.

Because we through encryption keys associated with Trojan that contain similar function of Chinese information, combined with the domestic "horse" SMS interceptor class black organization characteristics and patterns of production, we speculated that an early version of the Trojan program can also be produced by domestic black production personnel participating in the development, and is used by South Korea messenger, etc to the bank of Korea mobile phone users against attack.

Based on this, from the attack target and the language used in the remote control background, we believe that the KBuster gang is a black production gang suspected to be from South Korea. It has deep financial resources behind the scene, and we do not rule out the existence of links with the domestic black production gang.

Conclusion

KBuster is the most active counterfeit bank APK gang discovered in 2019. It uses more than 300 servers to engage in the attack, and use the method of bypassing the bank's two-factor authentication to steal the user's property, which all reveals the professionalism of this organization.

Because at present unable to statistics of the victims of the economic losses and APP still steal user property, so we revealed the operation, hope to South Korean police can be dealt with as soon as possible, also hope that other users in the process of the use of mobile phones, mobile applications do not install the unknown source, as far as possible in the normal application download third party applications markets, prevent the criminals steal privacy and personal property.

The IOC
MD5
1d970126b806a6336ef069f5969ac626 54fc1b5338b79a1526da366b30910651
da8f146413a3ec200dd7a183cd4a909a 83cc96e0910e9ac55ce85bcb5356a711
95635bba83955c89dbb057d0f2d02450 e08db7766d1df3937957c3589dfd885f
79866df39cca98cd8d170f1270517d99 ee1bdfb6b9c97a9b7f9125c16a1be110
c6e911588ee34930bc05be813e8b474f c7a66b522f20b012a3452cf6788e2a1b
025895304aacbd2224d231436ae8c773 25deb2044903a4faa0bc6625b95dd5a4
990f3e9e52f823da5c5b61a0abc926b0 0c314114759ce59cc8d68f8dc25695c7
ac5551f629d0cc55addf82428121ea01 a0ab91c5de99b9c79d450b1686cbdef6
5b128fa99b1b9511097c7cd29f518e83 74617a332c8a052d396c6e2f38c24379
2a2205d3b7455dc90eeae2e6c3bcff63 be3d376b2b1199c87f2a84425907814c
743b6a4f86a3b63c14683800f424b102 327f3d46174828e6c8c2a6355b301710
1ca2e08f90ac9decae24b990ee98f27e 6a630c20d295b07f981251bc50f17279
2fe9716dcad75333993d61caf5220295 50b93e8accb109bce897ce0f16dd7931
df022e7860750d81525ff345056b433f 9ec75c32373a0a84384fdbc67525e810
283182b0e0d450b7c03622de705fd1dc 1049e290dc488c5d24d211e6cd9f6937
ed613bda35c442edf52d720fc61f2e1c c17dd0e2012e9b5c44020041a4407712
fa703eaecb540a4b23daf6995b802d64 3fa74a736eb90e58002fa8aaaf40e66c
8de30e81bca59950f12c5a64a4095c57 9438093e585e26539f3a6f5e2f844536
b2d32fa1a756d56eae0c3668dae3c25f aa44ad01793071fb9a78bbf4f7c64c22
e162977ced5da7c18dc6e18b69157449 c33773e8cce011f0b48be324c3c2135c
fe08b37a7f97fcb7ba814405732f636a 172946d34f207bbae95238d47c5aa87d
f9920632013e719d1ed139ed6b2fb342 4d28e046d13c90847e1b5ce5f1ee6288
37a37e3219c1f264a5fb57027f2e11f5 3f1b1d137528533859c7a1731efe00b7
5ec6beff969f6b747312f466ec2d55ab 499269bd99299eb22a7c32b8e2de3670
aaca7667eec7b64169c08482f4692fde c4557042fc98c39159dc385dc48f35b1
ae1f4ab8d2af680572a096bf692409ae 2a77106cbf30002548307db24654c1ff
92ea578913c3b3bd3c6441601bac41b6 3c80a2a73bdc20853da4d64b16cebd67
a435791a5fb65b41281bb0f5c22a7486
URL
http://112.121.185.132/nhbank/CallTransfer/PhoneServlet/addNewPhone
http://112.121.185.133/nhbank/CallTransfer/PhoneServlet/addNewPhone
http://112.121.185.134/nhbank/CallTransfer/PhoneServlet/addNewPhone
http://182.16.14.234/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://182.16.14.235/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://182.16.14.236/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://182.16.14.237/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://182.16.14.238/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://216.118.242.10/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://216.118.242.11/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://216.118.242.12/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://216.118.242.13/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://216.118.242.14/kbstar/CallTransfer/PhoneServlet/addNewPhone
http://52.128.242.74/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://52.128.242.75/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://52.128.242.76/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://52.128.242.77/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://52.128.242.78/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://216.118.234.210/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://216.118.234.211/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://216.118.234.212/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://216.118.234.213/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://216.118.234.214/hdadmin/CallTransfer/PhoneServlet/addNewPhone
http://112.121.176.162/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://112.121.176.163/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://112.121.176.164/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://112.121.176.165/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://112.121.176.166/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://148.66.18.58/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://148.66.18.59/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://148.66.18.60/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://148.66.18.61/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://148.66.18.62/nonghyop/CallTransfer/PhoneServlet/addNewPhone
http://112.121.169.2/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://112.121.169.3/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://112.121.169.4/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://112.121.169.5/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://112.121.169.6/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://112.121.175.106/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://112.121.175.107/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://112.121.175.108/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://112.121.175.109/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://112.121.175.110/hncapital/CallTransfer/PhoneServlet/addNewPhone
http://182.16.119.98/nhbank/CallTransfer/PhoneServlet/addNewPhone
http://182.16.119.99/nhbank/CallTransfer/PhoneServlet/addNewPhone
http://182.16.119.100/nhbank/CallTransfer/PhoneServlet/addNewPhone
http://182.16.119.101/nhbank/CallTransfer/PhoneServlet/addNewPhone
http://182.16.119.102/nhbank/CallTransfer/PhoneServlet/addNewPhone
http://182.16.33.50/hncapital/Mb/Mb/Message1
http://182.16.33.51/hncapital/Mb/Mb/Message1
http://182.16.33.52/hncapital/Mb/Mb/Message1
http://182.16.33.53/hncapital/Mb/Mb/Message1
http://182.16.33.54/hncapital/Mb/Mb/Message1
http://112.121.176.162/nonghyop/Mb/Mb/Message1
http://112.121.176.163/nonghyop/Mb/Mb/Message1
http://112.121.176.164/nonghyop/Mb/Mb/Message1
http://112.121.176.165/nonghyop/Mb/Mb/Message1
http://112.121.176.166/nonghyop/Mb/Mb/Message1
http://148.66.18.58/nonghyop/Mb/Mb/Message1
http://148.66.18.59/nonghyop/Mb/Mb/Message1
http://148.66.18.60/nonghyop/Mb/Mb/Message1
http://148.66.18.61/nonghyop/Mb/Mb/Message1
http://148.66.18.62/nonghyop/Mb/Mb/Message1
http://182.16.122.114/nhcapital/Mb/Mb/Message1
http://182.16.122.115/nhcapital/Mb/Mb/Message1
http://182.16.122.116/nhcapital/Mb/Mb/Message1
http://182.16.122.117/nhcapital/Mb/Mb/Message1
http://52.128.224.106/nhcapital/Mb/Mb/Message1
http://52.128.224.108/nhcapital/Mb/Mb/Message1
http://52.128.224.109/nhcapital/Mb/Mb/Message1
http://52.128.224.110/nhcapital/Mb/Mb/Message1
http://180.178.46.106/hnadmin/Mb/Mb/Message1
http://180.178.46.107/hnadmin/Mb/Mb/Message1
http://180.178.46.108/hnadmin/Mb/Mb/Message1
http://180.178.46.109/hnadmin/Mb/Mb/Message1
http://180.178.46.110/hnadmin/Mb/Mb/Message1
http://148.66.2.234/hnadmin/Mb/Mb/Message1
http://148.66.2.235/hnadmin/Mb/Mb/Message1
http://148.66.2.236/hnadmin/Mb/Mb/Message1
http://148.66.2.237/hnadmin/Mb/Mb/Message1
http://148.66.2.238/hnadmin/Mb/Mb/Message1
http://52.128.228.234/nhbank/Mb/Mb/Message1
http://112.121.167.74/nhbank/Mb/Mb/Message1
http://112.121.167.75/nhbank/Mb/Mb/Message1
http://112.121.167.76/nhbank/Mb/Mb/Message1
http://182.16.89.122/hdadmin/Mb/Mb/Request
http://182.16.89.123/hdadmin/Mb/Mb/Request
http://182.16.89.124/hdadmin/Mb/Mb/Request
http://182.16.89.125/hdadmin/Mb/Mb/Request
http://182.16.89.126/hdadmin/Mb/Mb/Request
http://180.178.60.170/hdadmin/Mb/Mb/Request
http://180.178.60.171/hdadmin/Mb/Mb/Request
http://180.178.60.172/hdadmin/Mb/Mb/Request
http://180.178.60.173/hdadmin/Mb/Mb/Request
http://180.178.60.174/hdadmin/Mb/Mb/Request
http://182.16.89.122/hdadmin/Mb/Mb/Message1
http://182.16.89.123/hdadmin/Mb/Mb/Message1
http://182.16.89.124/hdadmin/Mb/Mb/Message1
http://182.16.89.125/hdadmin/Mb/Mb/Message1
http://182.16.89.126/hdadmin/Mb/Mb/Message1
http://180.178.60.170/hdadmin/Mb/Mb/Message1
http://180.178.60.171/hdadmin/Mb/Mb/Message1
http://180.178.60.172/hdadmin/Mb/Mb/Message1
http://180.178.60.173/hdadmin/Mb/Mb/Message1
http://180.178.60.174/hdadmin/Mb/Mb/Message1
http://148.66.9.251/hncapital/Mb/Mb/Message1
http://148.66.9.252/hncapital/Mb/Mb/Message1
http://148.66.9.253/hncapital/Mb/Mb/Message1
http://148.66.9.254/hncapital/Mb/Mb/Message1
http://180.178.62.98/hncapital/Mb/Mb/Message1
http://180.178.62.99/hncapital/Mb/Mb/Message1
http://180.178.62.100/hncapital/Mb/Mb/Message1
http://180.178.62.101/hncapital/Mb/Mb/Message1
http://180.178.62.102/hncapital/Mb/Mb/Message1
http://112.121.169.2/hncapital/Mb/Mb/Message1
http://112.121.169.3/hncapital/Mb/Mb/Message1
http://112.121.169.4/hncapital/Mb/Mb/Message1
http://112.121.169.5/hncapital/Mb/Mb/Message1
http://112.121.169.6/hncapital/Mb/Mb/Message1
http://112.121.175.106/hncapital/Mb/Mb/Message1
http://112.121.175.107/hncapital/Mb/Mb/Message1
http://112.121.175.108/hncapital/Mb/Mb/Message1
http://112.121.175.109/hncapital/Mb/Mb/Message1
http://112.121.175.110/hncapital/Mb/Mb/Message1
http://182.16.14.234/kbstar/Mb/Mb/Message1
http://182.16.14.235/kbstar/Mb/Mb/Message1
http://182.16.14.236/kbstar/Mb/Mb/Message1
http://182.16.14.237/kbstar/Mb/Mb/Message1
http://182.16.14.238/kbstar/Mb/Mb/Message1
http://216.118.242.10/kbstar/Mb/Mb/Message1
http://216.118.242.11/kbstar/Mb/Mb/Message1
http://216.118.242.12/kbstar/Mb/Mb/Message1
http://216.118.242.13/kbstar/Mb/Mb/Message1
http://216.118.242.14/kbstar/Mb/Mb/Message1
http://148.66.6.250/hnadmin/Mb/Mb/Message1
http://148.66.6.251/hnadmin/Mb/Mb/Message1
http://148.66.6.252/hnadmin/Mb/Mb/Message1
http://148.66.6.253/hnadmin/Mb/Mb/Message1
http://148.66.6.254/hnadmin/Mb/Mb/Message1
http://52.128.245.82/hnadmin/Mb/Mb/Message1
http://52.128.245.83/hnadmin/Mb/Mb/Message1
http://52.128.245.84/hnadmin/Mb/Mb/Message1
http://52.128.245.85/hnadmin/Mb/Mb/Message1
http://52.128.245.86/hnadmin/Mb/Mb/Message1
http://148.66.9.251/hdadmin/Mb/Mb/Message1
http://148.66.9.252/hdadmin/Mb/Mb/Message1
http://148.66.9.253/hdadmin/Mb/Mb/Message1
http://148.66.9.254/hdadmin/Mb/Mb/Message1
http://180.178.62.98/hdadmin/Mb/Mb/Message1
http://180.178.62.99/hdadmin/Mb/Mb/Message1
http://180.178.62.100/hdadmin/Mb/Mb/Message1
http://180.178.62.101/hdadmin/Mb/Mb/Message1
http://180.178.62.102/hdadmin/Mb/Mb/Message1
http://182.16.38.250/hanaman/Mb/Mb/Message1
http://182.16.38.251/hanaman/Mb/Mb/Message1
http://182.16.38.252/hanaman/Mb/Mb/Message1
http://182.16.38.253/hanaman/Mb/Mb/Message1
http://182.16.38.254/hanaman/Mb/Mb/Message1
http://182.16.39.66/hanaman/Mb/Mb/Message1
http://182.16.39.67/hanaman/Mb/Mb/Message1
http://182.16.39.68/hanaman/Mb/Mb/Message1
http://182.16.39.69/hanaman/Mb/Mb/Message1
http://182.16.39.70/hanaman/Mb/Mb/Message1
http://182.16.49.2/nhcapital/Mb/Mb/Message1
http://182.16.49.3/nhcapital/Mb/Mb/Message1
http://182.16.49.4/nhcapital/Mb/Mb/Message1
http://182.16.49.5/nhcapital/Mb/Mb/Message1
http://182.16.49.6/nhcapital/Mb/Mb/Message1
http://103.70.77.124/nhcapital/Mb/Mb/Message1
http://103.70.77.125/nhcapital/Mb/Mb/Message1
http://103.70.77.126/nhcapital/Mb/Mb/Message1
http://182.16.38.250/hnadmin/Mb/Mb/Message1
http://182.16.38.251/hnadmin/Mb/Mb/Message1
http://182.16.38.252/hnadmin/Mb/Mb/Message1
http://182.16.38.253/hnadmin/Mb/Mb/Message1
http://182.16.38.254/hnadmin/Mb/Mb/Message1
http://182.16.39.66/hnadmin/Mb/Mb/Message1
http://182.16.39.68/hnadmin/Mb/Mb/Message1
http://182.16.39.69/hnadmin/Mb/Mb/Message1
http://182.16.39.70/hnadmin/Mb/Mb/Message1
http://148.66.16.74/nhbank/Mb/Mb/Message1
http://148.66.16.75/nhbank/Mb/Mb/Message1
http://148.66.16.76/nhbank/Mb/Mb/Message1
http://148.66.16.77/nhbank/Mb/Mb/Message1
http://148.66.16.78/nhbank/Mb/Mb/Message1
http://112.121.167.50/nhbank/Mb/Mb/Message1
http://112.121.167.51/nhbank/Mb/Mb/Message1
http://112.121.167.53/nhbank/Mb/Mb/Message1
52.128.228.234:21823
52.128.246.230:21821‬‬‬
52.128.224.106:21823
52.128.224.108:21823
52.128.224.109:21823
52.128.224.110:21823
52.128.245.82:21823
52.128.245.83:21823
52.128.245.84:21823
52.128.245.85:21823
52.128.245.86:21823
103.70.77.124:21823
103.70.77.125:21823
103.70.77.126:21823
112.121.167.50:21823
112.121.167.51:21823
112.121.167.53:21823
112.121.167.74:21823
112.121.167.75:21823
112.121.167.76:21823
112.121.169.2:21823
112.121.169.3:21823
112.121.169.4:21823
112.121.169.5:21823
112.121.169.6:21823
112.121.175.106:21823
112.121.175.107:21823
112.121.175.108:21823
112.121.175.109:21823
112.121.175.110:21823
112.121.176.162:21823
112.121.176.163:21823
112.121.176.164:21823
112.121.176.165:21823
112.121.176.166:21823
148.66.2.234:21823
148.66.2.235:21823
148.66.2.236:21823
148.66.2.237:21823
148.66.2.238:21823
148.66.6.250:21823
148.66.6.251:21823
148.66.6.252:21823
148.66.6.253:21823
148.66.6.254:21823
148.66.9.251:21823
148.66.9.252:21823
148.66.9.253:21823
148.66.9.254:21823
148.66.16.74:21823
148.66.16.75:21823
148.66.16.76:21823
148.66.16.77:21823
148.66.16.78:21823
148.66.18.58:21823
148.66.18.59:21823
148.66.18.60:21823
148.66.18.61:21823
148.66.18.62:21823
180.178.46.106:21823
180.178.46.107:21823
180.178.46.108:21823
180.178.46.109:21823
180.178.46.110:21823
180.178.60.170:21823
180.178.60.171:21823
180.178.60.172:21823
180.178.60.173:21823
180.178.60.174:21823
180.178.62.98:21823
180.178.62.99:21823
180.178.62.100:21823
180.178.62.101:21823
180.178.62.102:21823
182.16.38.250:21823
182.16.38.251:21823
182.16.38.252:21823
182.16.38.253:21823
182.16.38.254:21823
182.16.39.66:21823
182.16.39.67:21823
182.16.39.68:21823
182.16.39.69:21823
182.16.39.70:21823
182.16.49.2:21823
182.16.49.3:21823
182.16.49.4:21823
182.16.49.5:21823
182.16.49.6:21823
182.16.89.122:21823
182.16.89.123:21823
182.16.89.124:21823
182.16.89.125:21823
182.16.89.126:21823
182.16.14.234:21823
182.16.14.235:21823
182.16.14.236:21823
182.16.14.237:21823
182.16.14.238:21823
182.16.33.50:21823
182.16.33.51:21823
182.16.33.52:21823
182.16.33.53:21823
182.16.33.54:21823
182.16.122.114:21823
182.16.122.115:21823
182.16.122.116:21823
182.16.122.117:21823
216.118.242.10:21823
216.118.242.11:21823
216.118.242.12:21823
216.118.242.13:21823
216.118.242.14:21823
KBUSTER FAKE BANK APP
首页
KBuster: Fake Bank App in South Korean