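Background

360 Threat Intelligence Center recently discovered a cybercrime campaign targeting South Korean mobile banking users. Its earliest activity may date back to December 22, 2018 and has continued to the present; as of the completion of this document, the attack activity is still ongoing. Because both the Trojan and its control backend are displayed in Korean, we have reason to believe the campaign is carried out by a South Korean cybercrime group.

The attack platform is mainly Android, and the targets are users of South Korean banking apps. The method is to impersonate several South Korean banking apps and, once the user has been tricked into installing and running one, to steal the user's personal information and remotely control the user's phone, so that the attackers can bypass the user and complete verification with the bank directly, thereby stealing the user's personal assets.

To date, 360 Threat Intelligence Center has captured 55 kinds of Android Trojans from the same family, with as many as 118 in-the-wild samples. Through correlation analysis, we also found that the group uses more than 300 servers to store user information.

In the samples we initially captured, the URL used to upload information contains the field KBStar, and KB is also an abbreviation of "Korean bank". By association, we regard the group as the nemesis of South Korean banks, that is, a Buster, and therefore named this cybercrime group KBuster.

The analysis follows.

Lure Analysis

After capturing a batch of lures disguised as South Korean banking apps, we first classified the app icons and the forged app names in order to build a target profile for this group, which targets Android phone users.

The South Korean banks mainly impersonated are the following:

After opening one of the imitation banking apps (Kookmin Bank), the interface appears as follows:

Tapping the specified page displays the photo of the corresponding bank clerk.

Framework Analysis

Because all captured Android samples use the same framework and the variants differ little from one another, we dissect one typical sample and summarize the specific characteristics of the KBuster family of apps.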

Sample Information

File name: 국민은행.apk

App name: 국민은행 (translation: Kookmin Bank)

Package name: com.kbsoft8.activity20190313a

MD5: 2FE9716DCAD75333993D61CAF5220295

Install icon

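The sample's execution flow is shown in the figure below.

After it runs, the Trojan pops up a phishing page impersonating "Kookmin Bank" and tricks the user into filling in personal information.

Meanwhile, in the background, the Trojan obtains the user's contacts and SMS content and uploads them to a fixed server. The server also monitors the user's phone, refreshing the phone's current state every 5 seconds to achieve real-time monitoring.

In addition, the Trojan performs remote control operations on the user's phone. It can set up call forwarding for 369 phone numbers belonging to South Korean banks and other financial institutions in order to bypass the banks' two-factor authentication, and it can also eavesdrop on phone calls, change the incoming-call ringtone, hang up the user's incoming calls without permission, and blacklist the calling numbers.

The detailed code analysis is as follows.

I. Obtaining the user's contacts and SMS messages and uploading them to the server

Obtaining the user's contacts:

Obtaining the user's SMS messages:

Uploading the collected user information to the server:

Server configuration information:

Uploading the collected user information:

II. Remotely controlling the user's phone

Changing the user's phone ringtone:

Performing call forwarding on the user's phone; when the incoming number is already among the stolen numbers, the call is hung up and the number is blacklisted:

The other Trojans in this family are almost identical to the code above, with only minor changes, so they can be confirmed as belonging to the same family.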

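Attribution Analysis

By analyzing the Trojan, we were able to obtain the account and password of the FTP server used to store user data. A screenshot of the server is shown below:

The encrypted SMS and contacts files of one of the victims:

The decrypted data:

In addition, through some special means we obtained the account and password of the server used for monitoring. The figure below shows the display page of the remote control server.

The original page in Korean:

The page translated into Chinese:

Call forwarding settings, which can forward calls for 369 phone numbers of South Korean banks and financial institutions:

Here we can see that the forced-incoming and forced-outgoing phone numbers in the call forwarding settings are mainly the phone numbers of South Korean banks. We make the following inferences about their purpose:

  1. By setting call forwarding for bank numbers, calls between the user and the bank can be diverted directly to the attacker's phone. Since the victim's SMS messages can also be obtained by the attacker in real time, this bypasses the two-factor authentication that banks apply to financial transactions through SMS or voice verification codes.

  2. Intercepting bank numbers can also come into play when the bank detects abnormal behavior on the user's account and calls to confirm it, so that the user cannot receive notifications from the bank as normal.

The page for blacklisting phone numbers on the user's phone:

After analyzing all captured APK samples from the KBuster group, we found that it uses more than 300 servers for its criminal operations, and that the IP addresses are mostly consecutive. As the analysis above shows, the Trojan randomly selects one server to upload information to. This indicates that the group has substantial financial backing.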
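The following detection sketch is an added example, not code from the original report: it flags outbound HTTP requests to bare IP addresses whose paths end in the upload and call-forwarding endpoints listed in this report's URL indicators, and groups the contacted addresses into consecutive runs to surface the rotation across adjacent servers described above. The three-field log layout and the function names are assumptions, and the sample log is constructed with documentation-range addresses.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Path suffixes copied from this report's URL indicators; group 1 is the campaign name.
KBUSTER_PATH = re.compile(
    r"^/(\w+)/(?:CallTransfer/PhoneServlet/addNewPhone|Mb/Mb/(?:Message1|Request))$")

def match_kbuster(url):
    """Return (IPv4Address, campaign) for http://<bare IPv4>/<campaign>/<known path>."""
    try:
        parts = urlsplit(url)
        ip = ipaddress.IPv4Address(parts.hostname or "")
    except ValueError:
        return None  # malformed URL, or a domain name instead of an IP
    m = KBUSTER_PATH.match(parts.path)
    return (ip, m.group(1).lower()) if parts.scheme == "http" and m else None

def consecutive_runs(ips):
    """Group addresses into runs of numerically adjacent IPs."""
    runs = []
    for ip in sorted(set(ips)):
        if runs and int(ip) - int(runs[-1][-1]) == 1:
            runs[-1].append(ip)
        else:
            runs.append([ip])
    return runs

def scan(log_lines):
    """Map client -> [(campaign, first_ip, last_ip, count)] over matching requests."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_lines:
        fields = line.split()  # assumed layout: "<client> <method> <url>"
        if len(fields) == 3 and (found := match_kbuster(fields[2])):
            hits[fields[0]][found[1]].append(found[0])
    return {client: [(c, str(r[0]), str(r[-1]), len(r))
                     for c, ips in sorted(by_c.items())
                     for r in consecutive_runs(ips)]
            for client, by_c in hits.items()}

# Constructed sample log; server addresses are documentation-range IPs only.
SAMPLE_LOG = [
    "10.0.0.7 POST http://203.0.113.10/kbstar/Mb/Mb/Message1",
    "10.0.0.7 POST http://203.0.113.11/kbstar/CallTransfer/PhoneServlet/addNewPhone",
    "10.0.0.7 POST http://203.0.113.12/kbstar/Mb/Mb/Message1",
    "10.0.0.7 GET http://203.0.113.40/kbstar/Mb/Mb/Request",
    "10.0.0.9 GET http://bank.example/kbstar/Mb/Mb/Message1",
]
```

A client that reaches several adjacent addresses under the same campaign path, as 10.0.0.7 does in the sample, is a stronger signal than a single path match.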

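In addition, after a preliminary tally of the size of all victims' user data, we found that the collected information amounts to as much as 3 GB. The app is still uploading information, new variants of the family appear every day, and the activity is extremely intense.

Furthermore, by running a correlation search on a key found in the samples, we linked to other Trojan samples that also masquerade as South Korean banks, and the comments in their code are likewise in Chinese.

In terms of functionality, the Trojan mainly collects and sends back information such as SMS messages and contacts from the infected user's phone. Its functions and intent are similar to those of the "SMS interception Trojans" seen in China over the past few years.

Because the encryption key led us to Trojans with similar functionality that contain Chinese-language information, and considering the characteristics and patterns of past Chinese "SMS interception Trojan" cybercrime organizations, we speculate that early versions of this type of Trojan may also have been developed with the participation of Chinese cybercrime actors and then used by South Korean underlings in attacks on South Korean mobile banking users.

Based on this, and on the attack targets and the language used by the remote control backend, we believe that KBuster is a cybercrime group suspected to be from South Korea, with substantial financial backing, and we do not rule out a connection with Chinese cybercrime groups.

Summary

KBuster is the most active cybercrime group forging banking APKs discovered in 2019. It uses more than 300 servers for its criminal operations and steals users' assets with techniques that bypass banks' two-factor authentication, all of which reveals the group's professionalism.

Because the victims' financial losses cannot currently be tallied and the apps are still stealing users' assets, we are disclosing this operation in the hope that the South Korean police can deal with it as soon as possible. We also hope that other users will not install mobile apps from unknown sources and will, as far as possible, download apps from legitimate third-party app markets, to prevent criminals from stealing their private information and personal assets.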

IOC

MD5:


URL:

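Statement: This article comes from QiAnXin Threat Intelligence Center, and the copyright belongs to the author. The content of the article represents only the author's independent views and does not represent the position of 士冗科技; it is reposted for the purpose of conveying more information. In case of infringement, please contact service@expshell.com.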