
BlackHatOfficialYT Unveils In-Depth Analysis of Fake Trading Scam in South Korea
In this video, Yunyang Kim and Suk Jang of BlackHatOfficialYT present an in-depth analysis of a fake trading program scam in South Korea. They explain how they tracked this fraud and the key discoveries that helped secure the country's financial and IT environment.

The scam exploits the stock market boom in South Korea, amplified by the COVID-19 pandemic. The scammers use fictitious trading systems to steal money, in a model similar to "ransomware as a service": software providers and their affiliates collaborate to carry out the crime.

The analysts discovered screenshots exposed through web server directory listings, revealing suspicious management interfaces and group conversations. These clues helped identify the criminal teams and the communication ports they used.

Several operational errors by the criminals were highlighted. The first and most critical was the exposure of screenshots through a misconfiguration, including screenshots of the criminals themselves. In another case, a criminal's device, also used for everyday activities, revealed personal information, for example through games requiring identity verification. Sensitive information was also exposed during software development, such as server credentials and development environments.

To track the criminals, the team collected the exposed screenshots automatically and programmatically, limiting the download rate to avoid detection. They filtered out known targets and used pattern matching to identify specific tools in the images. By analyzing the screenshots, they learned about the criminals' development environments and infrastructure. They also identified suspicious servers through port assignment schemes and DNS history, and tracked changes in IP addresses and web page updates. The analysis revealed that the criminals used code signing certificates to sign their installers, and sometimes forgot to use domain privacy protection services, which allowed additional information to be discovered.
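The collection step described above, as an added Python illustration that is not the presenters' own tooling: it parses a constructed directory-listing page, skips files already collected (the "known targets" filter), and paces downloads through a rate limiter so the collector does not stand out in server logs. The sample listing, the injected `fetch` callback and the rate are assumptions made for the example.

```python
# Throttled collector for screenshots exposed by an open directory listing (added example).
import re
import time
import hashlib

# Constructed sample of an Apache-style index page; file names are placeholders.
SAMPLE_LISTING = """<html><body><h1>Index of /shots</h1><pre>
<a href="../">../</a>
<a href="admin_20230101.png">admin_20230101.png</a>  01-Jan-2023 10:00  120K
<a href="chat_20230102.png">chat_20230102.png</a>    02-Jan-2023 11:00   98K
<a href="notes.txt">notes.txt</a>                    02-Jan-2023 11:05    1K
</pre></body></html>"""

# Image links only; skips parent-dir, absolute and sort-query (?C=M) links.
HREF_RE = re.compile(r'href="([^"?/][^"]*\.(?:png|jpe?g))"', re.IGNORECASE)

def list_images(html: str) -> list:
    """Return image file names linked from a directory listing page, in page order."""
    return HREF_RE.findall(html)

def new_files(names, seen: set) -> list:
    """Drop names already collected on earlier runs, preserving order."""
    return [n for n in names if n not in seen]

class Throttle:
    """Fixed-rate limiter: at most `rate` fetches per second (clock/sleep injectable for tests)."""
    def __init__(self, rate: float, clock=time.monotonic, sleep=time.sleep):
        self.interval = 1.0 / rate
        self.clock, self.sleep = clock, sleep
        self.next_ok = clock()
    def wait(self) -> float:
        """Block until the next fetch is allowed; return the seconds slept."""
        now = self.clock()
        delay = max(0.0, self.next_ok - now)
        if delay:
            self.sleep(delay)
        self.next_ok = max(now, self.next_ok) + self.interval
        return delay

def collect(listing_html: str, fetch, seen: set, throttle: Throttle) -> dict:
    """Fetch each unseen image via `fetch(name) -> bytes`, one per throttle slot.
    Returns {name: sha256 hex}; `seen` is updated so later runs skip these files."""
    out = {}
    for name in new_files(list_images(listing_html), seen):
        throttle.wait()
        data = fetch(name)
        out[name] = hashlib.sha256(data).hexdigest()
        seen.add(name)
    return out
```

In real use `fetch` would be an HTTP GET against the exposed directory, and the returned hashes double as the dedup key across repeated crawls.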
The entire fraud process was laid out, showing a complex chain of command involving providers and affiliates based in South Korea and Japan. The affiliates used lists of phone numbers and remote control applications to lure victims into chat rooms and persuade them to invest in the fictitious trading system.

Suk Jang then presented his analysis of the fake trading programs, noting evolutionary changes such as modified code signing certificates and obfuscation techniques. The screenshots revealed backend processes that could not be identified by reverse engineering the program alone. The developers used APIs to configure database settings, allowing dynamic interaction between client and server. The operation was named "Operation By Das" because of author strings present in the PDB. The developers applied code obfuscation to mask their activities. The program referenced an XML file containing a unique code for the HTS, which allowed server addresses to be mapped. Users were not informed that their screens were being captured, and the operators used an administration program to monitor users and add them to a blacklist if they made high profits.

In response to these discoveries, the team identified 125 fraudulent HTS programs and created detection rules for YARA and Snort. They shared the detected threats with financial companies and coordinated with national agencies to block the fraudulent domains. The operation led to the arrest of 32 members of the criminal organization.

The lessons learned include the existence of many undiscovered cybercrime clusters, the importance of contextual literacy and continuous monitoring of external threats, and criminals' extensive use of generative AI. This information is crucial for securing the financial and IT environment in South Korea and elsewhere. For more details, see the full report on this campaign, accessible via the QR code shown in the video.