{
  "Event": {
    "analysis": "1",
    "date": "2025-04-22",
    "extends_uuid": "",
    "info": "[Threat Intel] NFC Fraud Wave: Evolution of Ghost Tap on the Dark Web",
    "protected": false,
    "publish_timestamp": "1780041136",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772902049",
    "uuid": "009411a0-9eda-4385-bee0-d08e40a9d1ce",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#e96364",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Adversary-in-the-Middle - T1557\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Code Signing - T1553.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#08221e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Application Access Token - T1528\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#6fe7f4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#7628f7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#b990dd",
        "local": false,
        "name": "misp-galaxy:target-information=\"Australia\"",
        "relationship_type": ""
      },
      {
        "colour": "#1faf16",
        "local": false,
        "name": "misp-galaxy:target-information=\"Canada\"",
        "relationship_type": ""
      },
      {
        "colour": "#52d590",
        "local": false,
        "name": "misp-galaxy:target-information=\"China\"",
        "relationship_type": ""
      },
      {
        "colour": "#5887a6",
        "local": false,
        "name": "misp-galaxy:target-information=\"Japan\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0bbdc3",
        "local": false,
        "name": "misp-galaxy:target-information=\"New Zealand\"",
        "relationship_type": ""
      },
      {
        "colour": "#fa487c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Philippines\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b9849",
        "local": false,
        "name": "misp-galaxy:target-information=\"Saudi Arabia\"",
        "relationship_type": ""
      },
      {
        "colour": "#2613b0",
        "local": false,
        "name": "misp-galaxy:target-information=\"Taiwan\"",
        "relationship_type": ""
      },
      {
        "colour": "#a24b57",
        "local": false,
        "name": "misp-galaxy:target-information=\"United Arab Emirates\"",
        "relationship_type": ""
      },
      {
        "colour": "#ce59f1",
        "local": false,
        "name": "misp-galaxy:target-information=\"United Kingdom\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Cybercrime\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:financial-fraud=\"ATM skimming\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:financial-fraud=\"CNP \u2013 Card Not Present\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:financial-fraud=\"Compromised Account Credentials\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:financial-fraud=\"Compromised Payment Cards\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1745449037",
        "to_ids": false,
        "type": "link",
        "uuid": "008a7168-a1ec-4aad-954d-027953961e56",
        "value": "https://www.resecurity.com/blog/article/nfc-fraud-wave-evolution-of-ghost-tap-on-the-dark-web"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1745449037",
        "to_ids": false,
        "type": "text",
        "uuid": "20b0a9cb-2048-45dd-8dda-7de569575155",
        "value": "Chinese cybercriminals are exploiting NFC technologies for fraudulent purposes, targeting financial institutions and consumers worldwide. They use sophisticated tools like Z-NFC and King NFC to facilitate illegal transactions at scale. The fraudsters leverage Host Card Emulation (HCE) to mimic physical NFC smart cards and create 'farms' of mobile devices to automate fraud. They target countries including the US, UK, EU, Australia, Canada, and others. The criminals also abuse NFC-enabled POS terminals and exploit loyalty points programs. This growing threat has led to significant financial losses and poses serious risks to payment security and digital identity systems globally."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1745449037",
        "to_ids": false,
        "type": "text",
        "uuid": "0ca990f2-d84e-4c64-919d-11122f187722",
        "value": "Name: NFC Fraud Wave: Evolution of Ghost Tap on the Dark Web\nAuthor: AlienVault\nAdversary: Chinese cybercriminal groups\nTags: [\"carding\", \"mobile wallets\", \"pos terminals\", \"contactless payments\", \"loyalty points fraud\", \"track2nfc\", \"nfc fraud\", \"ghost tap\", \"king nfc\", \"ngate\", \"host card emulation\", \"z-nfc\"]\nTargeted countries: [\"United States of America\", \"Australia\", \"Canada\", \"China\", \"Japan\", \"Malaysia\", \"New Zealand\", \"Philippines\", \"Saudi Arabia\", \"Taiwan\", \"United Arab Emirates\", \"United Kingdom of Great Britain and Northern Ireland\"]\nMalware families: [\"NGate\", \"Track2NFC\", \"Z-NFC\", \"King NFC\"]\nAttack_ids: [\"T1557\", \"T1204.002\", \"T1553.002\", \"T1555\", \"T1528\", \"T1547.001\", \"T1588.002\", \"T1059.004\", \"T1027\", \"T1027.002\"]\nIndustries: [\"Finance\", \"Retail\", \"Transportation\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1745449037",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "643ec632-a467-448e-a04f-e1ebd27a4255",
        "value": "Chinese cybercriminal groups"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1745767190",
        "to_ids": true,
        "type": "url",
        "uuid": "286d0791-7118-4464-8eec-eb299ffd04a6",
        "value": "https://znfcqwe.top/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1745748177",
        "to_ids": true,
        "type": "domain",
        "uuid": "1b242f88-215d-464c-a495-4418a513b033",
        "value": "znfcqwe.top",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1745748198",
        "uuid": "6907cac7-3e2e-4bbb-8b7c-2c7d1979da2a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Z-NFC",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1745748198",
            "to_ids": true,
            "type": "md5",
            "uuid": "400d0ac6-6b2b-4cd9-abc2-bf068530d51f",
            "value": "844ef02b3ac1c81342fe2f0afa9092d7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Z-NFC",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1745746381",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6084cad3-2d2c-4ac9-a92b-c3e8c7bb9e55",
            "value": "c0850367cf4bfb038aaa332685f73ac3d1e9ad10",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Z-NFC",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1745746381",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9fcd2e07-ff6b-4b69-9da6-47de916e9882",
            "value": "1663a67a95612552caf850604657ddc508161a1fb2a25144abffec8c5213a77b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1745746380",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c961cde8-974e-4428-8916-fccabcc23f2e",
            "value": "786432:kyMtnBGY5cjPXn7n/S4t2qkeJk10r47mpSZoJDNAmn:kTtBn8v7/xtm+zAmgZoJBf"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1745746380",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3125fb9d-c4d8-43d5-ad1e-e43738485fe4",
            "value": "29953181"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1745746380",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b39ee2f5-7302-4b3a-9dae-b981d2b7db90",
            "value": "861163c641ffda5c53c3945d01fb4d7d"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1745746380",
            "to_ids": true,
            "type": "filename",
            "uuid": "eedd732f-0449-4793-8a28-e1b6c0c60441",
            "value": "1663a67a95612552caf850604657ddc508161a1fb2a25144abffec8c5213a77b.apk"
          },
          {
            "category": "Other",
            "comment": "Checked: 27/04/2025\nLast-scan: 25/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1745746381",
            "to_ids": false,
            "type": "text",
            "uuid": "640a9954-0c9b-49d1-9f57-4aad0b480e06",
            "value": "Z-NFC\nType Description: Android\nMicrosoft: None\nVT Total Detection: 5/69\nFirst Submission: 2024-12-26T08:25:13.000000+00:00\nLast Submission: 2025-04-17T18:06:56.000000+00:00"
          }
        ]
      }
    ]
  }
}