
    Author Archive - Jay Yaneza (Threats Analyst)

    Casinos and resort hotels are the most recent victims of an attack that used RawPOS, an old POS malware, to steal customer data. The victims include establishments in the United States, Canada, Europe, Middle East, and Latin America.

    Although it is touted as the earliest of its kind, very little research and documentation exists about RawPOS. We will therefore attempt to shed light on this threat, which may have been instrumental in previously documented credit card breaches that were never attributed to this particular PoS threat.

    RawPOS, Then and Now

    The earliest reference to RawPOS we came across was around October 2008, in the Visa Data Security Alert about debugging or parsing the memory of point-of-sale systems to extract full magnetic stripe data from volatile memory. Details from this advisory were observed in other security advisories released in 2008 and 2009.

    The latest security advisory regarding RawPOS was released in March 2015. The advisory talks about its involvement with attacks related to the hospitality industry—a report that matches our own findings.

    Configurable, Modular Design

    RawPOS has a modular design that is highly configurable, and it has always been a multi-stage scraper. Created by pioneers of PoS malware, the design its authors chose has proven enduring to this day:

    • The multi-stage or multi-component strategy ensures a high success rate in the chosen environment, while making prevention and detection harder, no matter what type of solution is in place.
    • The threat is still successfully victimizing businesses, and the threat actors behind it are very familiar with how networks in the small-to-medium business segment are designed.
    • It is fault-tolerant, persistent and very specific: incident responders and threat investigators may chance upon a file that has only been deployed for that one business.

    Multiple Software Support

    Aside from being multi-component, RawPOS is notable for its support for multiple PoS software. Since business establishments would have different PoS software, attackers have modified RawPOS’ code to support multiple PoS software over time. Below is a table showing the different PoS software that is supported by RawPOS.

    Figure 1. Supported PoS software (click the image to enlarge)

    It should be noted that the list is compiled from the file samples Trend Micro has seen. While this PoS software listing aims to be as complete as the samples we have acquired allow, RawPOS and its components are highly configurable, and we can be certain that RawPOS has been modified to adapt to more PoS software.

    Additional analysis by Kenney Lu, Dark Luo, Marvin Cruz and Numaan Huq

    More details about RawPOS, as well as best practices and available Trend Micro solutions, can be found in our RawPOS Technical Brief.

    Posted in Malware (RawPOS: Checking in at a Hotel Near You)

    Arbor Networks initially posted about a new point-of-sale (PoS) malware family named NewPosThings last September, which we detect as either TSPY_POSNEWT.SM or TSPY_POSNEWT.A. We are now seeing new developments in this area: a 64-bit build and higher version numbers.

    The 64-bit version is out

    Similar to the previous 32-bit version reported last year, the 64-bit sample is a multifunction Trojan that includes added functionalities and routines. These include RAM scraper capabilities, keylogging routines, dumping virtual network computing (VNC) passwords, and information gathering.


    When the malware installs itself, it follows a specific algorithm to decide which file name to use:

    1. First, derive a base value from the volume serial number and the computer name.
    2. Transform the base value with its own function to get the final value.
    3. Finally, select a file name using the output of step #2 modulo 5:

    FileName = FileNameArray[FinalValue % 5]

    Depending on the output, the file name selected can be:

    • Java\Javaj.exe
    • lsm\lsm.exe
    • svchost\svchost.exe
    • dwm\dwm.exe
    • lsasss\lsasss.exe

    To maintain persistence, it registers itself as a startup item named “Java Update Manager” when it starts, and restarts as another process with the “RM” parameter.

    Figure 1. The 64-bit NewPoSThings registers itself as Java Update Manager


    This new process then searches for stored VNC passwords (WinVNC, RealVNC, UltraVNC and TightVNC); this information is acquired immediately.

    Figure 2. Building the list of stolen VNC passwords

    The malware is also seen to disable security warnings for specific extensions (.exe/.bat/.reg/.vbs).

    Figure 3. Disabling security warning for specific file types

    Disabling the Open File Security Warning of Microsoft Windows reduces the overall security posture of the host operating system, because the system no longer prompts the user for confirmation when opening files that may have been downloaded from malicious sources.

    Main malware routines

    After installation, it starts several threads to execute different tasks:

    • RAM Scraper Thread

    Similar to other RAM scrapers, it enumerates all processes while skipping a whitelist, and searches for a specific pattern. Once it finds a target process, a thread is created to extract credit card numbers from memory. This approach, while simple and straightforward, is not very efficient: the RAM scraper tends to consume all CPU resources if the computer has many running processes.

    Figure 4. Process enumeration routine

    Figure 5. Process White List


    The search pattern is “[0-9]*(=|^)”. If a digit string is found, it is validated with the Luhn algorithm; valid credit card numbers are stored in memory and then handed to the transfer thread.

    • Keylogger Thread

    A hidden window “kl” is created in the background to collect user input. The data will be preserved in memory, and will not be written to a physical file.

    Figure 6. Creation of hidden window “kl”

    • Keep-Alive Thread

    When the victim computer is online, this thread reports to its C&C server every 300 seconds (five minutes).

    • Transfer Thread

    This thread checks every 600 seconds (10 minutes) whether data is ready for transfer. Once ready, it sends the data to its C&C server.

    Data Exfiltration

    For this PoS RAM scraper, data exfiltration is done over HTTP, and the request content depends on the data being collected.

    C&C server details:
    Protocol: HTTP
    User-Agent: Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)
    Method: POST, example body: cs= aW5zZXJ0&p=Windows+7+64+TEST&m=53852938&v=1.0

    The parameters being sent can be the following:

    Parameter: cs

        Value      Type                        Remark
        cGFzcw     Send stolen VNC password    TightVNC/WinVNC/UltraVNC/RealVNC
        aW5zZXJ0   Report client information   OS + computer name + client version
        bG9n       Keep alive                  Ping!
        a2xvZw     Send log data               Keylogger + credit card numbers

    Parameter: p

        (OS Version) + (Platform) + (Computer Name)

    Parameter: m

        Session ID

    Parameter: v

        Client version, a fixed value (1.0 in this case)

    Parameter: ls

        Stolen data
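    The request format above is enough for a proxy-log check. The following Python is an added example, not code from the original analysis or from Trend Micro: the log layout and the host cnc.example are constructed, and the cs codes are treated as unpadded base64 so the decoded command name can be reported next to the documented meaning.

```python
import base64
import re
from urllib.parse import parse_qs

# Documented for the 64-bit NewPoSThings sample: the hard-coded User-Agent and
# the four "cs" command codes, which are base64 with the '=' padding stripped.
NEWPOSTHINGS_UA = "Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)"
CS_MEANING = {
    "cGFzcw": "stolen VNC passwords",
    "aW5zZXJ0": "client information (OS + computer name + client version)",
    "bG9n": "keep-alive ping",
    "a2xvZw": "log data (keystrokes + card numbers)",
}
# Every observed C&C URL for the 64-bit build ends in /connect/<n>.
CONNECT_PATH = re.compile(r"^https?://[^/]+/connect/\d+$")
# Constructed (hypothetical) proxy log layout: client_ip method url "ua" "body"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" "([^"]*)"$')


def decode_unpadded_b64(token):
    """Re-pad and decode a base64 token; None if it is not valid base64/ASCII."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        return raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_request(line):
    """Return a finding dict for a line that looks like NewPoSThings beaconing
    (fixed User-Agent, POST, 'cs' parameter present), else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    client, method, url, ua, body = m.groups()
    if method != "POST" or ua != NEWPOSTHINGS_UA:
        return None
    params = parse_qs(body, keep_blank_values=True)
    if "cs" not in params:
        return None
    cs = params["cs"][0].strip()  # the quoted sample body reads "cs= aW5zZXJ0"
    return {
        "client": client,
        "url": url,
        "connect_path": bool(CONNECT_PATH.match(url)),
        "cs_decoded": decode_unpadded_b64(cs),
        "purpose": CS_MEANING.get(cs, "unknown command code"),
        "client_info": params.get("p", [""])[0],
        "session": params.get("m", [""])[0],
        "version": params.get("v", [""])[0],
        "has_payload": "ls" in params,
    }


def scan_log(lines):
    """Run classify_request over proxy log lines and keep only the hits."""
    return [f for f in map(classify_request, lines) if f]


# Constructed sample log: the first body is the one quoted in the analysis,
# the second carries stolen data, the third is an ordinary browser request.
SAMPLE_LOG = [
    '10.0.5.21 POST http://cnc.example/connect/2 "%s" '
    '"cs= aW5zZXJ0&p=Windows+7+64+TEST&m=53852938&v=1.0"' % NEWPOSTHINGS_UA,
    '10.0.5.21 POST http://cnc.example/connect/2 "%s" '
    '"cs=a2xvZw&p=Windows+7+64+TEST&m=53852938&v=1.0&ls=REDACTED"' % NEWPOSTHINGS_UA,
    '10.0.5.30 GET http://www.example.org/ "Mozilla/5.0 (Windows NT 6.1)" ""',
]
```

    Matching on the User-Agent alone would be noisy; the combination of UA, POST and a decodable cs code is what makes a hit worth a look.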

    The 64-bit file we examined sends back client version 1.0. In comparison, earlier 32-bit samples (detected as TSPY_POSNEWT.SM or TSPY_POSNEWT.A) did not send back the client file’s version, and the URL format of the C&C was different:

    64-bit v1.0 C&C:
    • http://80[dot]82[dot]65[dot]112/connect/2

    Earlier 32-bit C&C:
    • http://wordpress-catalogs[dot]com/dkok/ek[dot]php
    • http://91[dot]121[dot]87[dot]188/cms/CMS/ek[dot]php
    • http://62[dot]68[dot]96[dot]173/cdsfh/ek[dot]php

    The 64-bit C&C URL format is also the one we see in higher versions, as detailed below.

    Growing versions

    The change in C&C URL format was not the only observable change: NewPoSThings went through several versions in the space of a few months. Each version had minor tweaks, with the most current (version 3.0) being the most complex:

    Version 1.0
    • Disables Security Warning: adds “.exe/.bat/.vbs/.reg” to LowRisk
    • Only in 32-bit version: PDB: C:\Users\Tom\documents\visual studio 2012\Projects\jsd_12.2\Release\jsd_12.2.pdb
    • Only in 64-bit version: sent back the client version; PDB: C:\Users\Tom\documents\visual studio 2012\Projects\jsd_12.2\x64\Release\jsd_12.2.pdb
    • Compiled within the last 2 weeks of November 2014

    Version 2.1 – 2.3
    • Disables Security Warning: modifies “:Zone.Identifier”
    • PDB: C:\Users\Tom\documents\visual studio 2012\Projects\jsd_12.2\Release\jsd_12.2.pdb
    • Samples seen may have been compiled during December 2014
    • Later versions, possibly generated in January 2015, already had an application manifest / compatibility stated for Windows 7, and also used a custom packer

    Version 3.0
    • Disables Security Warning: modifies “:Zone.Identifier”
    • PDB path now totally hidden
    • Application manifest / compatibility stated for Windows 7
    • Uses a custom packer, added some anti-debugging methods
    • Samples seen may have been compiled during the last week of January 2015

    Currently, we have seen NewPoSThings 2.x repackaged with additional malware (SHA1: ffd268bf769e0ac0ba0003ae98fb09ab12883da4, currently detected as BKDR_BEZIGATE.AI). This malware is a backdoor with some interesting features:

    • First, it has keylogging functionality and can start and stop VNC and the web camera:

    Figure 7. Features of BKDR_BEZIGATE.AI

    • Second, it reports the running processes back to its C&C server.

    The more common approach for PoS malware is to bundle it with potentially unwanted applications (PUA), also known as adware. Packaging this PoS RAM scraper with a backdoor instead provides additional control over the affected endpoint.

    Affected Parties

    While going through the C&C activity we observed, two connections stood out. We saw attempts to connect to the C&C of the newer NewPoSThings PoS malware from IP addresses belonging to two US-based airports. Together with the recent news of the Los Angeles International Airport (LAX) credit card breach, we believe that our previous write-up about PoS attacks targeting travelers may not be far from the truth. Whatever the country, airports are among the busiest establishments, with transactions being made all year round.

    This further reinforces the fact that PoS malware, and the threat actors behind it, have matured enough to branch out to targets other than large retailers or small merchants. In late 2014 we published a blog post about these targets: Planes, Trains & Automobiles – Are You Safe From PoS Malware Anywhere?

    Recommendations and Solutions

    While Trend Micro already detects this threat, and blocks all C&Cs listed below, the following recommendations may help in this situation:

    • Assess whether PoS terminals can be segregated from the rest of the network, and employ correct access controls. This would help prevent PoS terminals from being infected over the network, and make it harder for the malware to exfiltrate stolen data. In this case, the data scraped from the PoS terminals could not have been uploaded to the C&C servers if there had been no direct Internet access to begin with.
    • If possible, employ application whitelisting technology to control which applications run in your network. This is best done before deploying the PoS terminals, when they are known to be clean.
    • Check whether there are ways to detect an infection, such as firewall or proxy logs. YARA can also be an option if the PoS terminals run a different antivirus solution. The indicators are provided below to help incident responders and security specialists.

    Using a multi-layered security solution within the enterprise enables your organization to control user data while providing enterprise-wide visibility. This complete approach can help prevent PoS-related data breaches and business disruption from the gateway to mobile devices. In addition, you can centrally manage threat and data policies across multiple layers of your IT infrastructure, streamline management, and provide more consistent policy enforcement. For endpoint monitoring and validation of possibly active infections, Trend Micro Deep Discovery Endpoint Sensor can use the IP address and port, as well as the YARA rule, listed below.


    The indicators below are compiled examples based on the observed threat.

    SHA1 Compile Time Size (in bytes) Trend Micro Detection Notes
    168,960 TSPY64_POSNEWT.A 64-bit, v1.0
    174,080 TSPY64_POSNEWT.A 64-bit, v2.2
    184,320 TSPY_POSNEWT.SMA 32-bit, v2.1
    153,600 TSPY_POSNEWT.SMA 32-bit, v2.1
    153,600 TSPY_POSNEWT.SMA 32-bit, v2.1
    184,320 TSPY_POSNEWT.SMA 32-bit, v2.1
    153,600 TSPY_POSNEWT.SMA 32-bit, v2.2
    154,112 TSPY_POSNEWT.SMA 32-bit, v2.3
    432,128 TSPY_POSNEWT.SMB 32-bit, v2.3
    432,128 TSPY_POSNEWT.SMB 32-bit, v2.3
    415,232 TSPY_POSNEWT.SMB 32-bit, v3.0
    414,720 TSPY_POSNEWT.SMB 32-bit, v3.0

    Here is a list of C&C locations observed:

    • http://80[dot]82[dot]65[dot]112/connect/2
    • http://80[dot]82[dot]65[dot]112/connect/5
    • http://80[dot]82[dot]65[dot]112/connect/9
    • http://192[dot]10[dot]10[dot]1/connect/2
    • http://5[dot]39[dot]88[dot]204/connect/2
    • http://80[dot]82[dot]65[dot]23/connect/3
    • http://80[dot]82[dot]65[dot]23/connect/9

    Here is the YARA rule:

    rule PoS_Malware_NewPOSThings2015 : newposthings2015
    {
        meta:
            author = "Trend Micro, Inc."
            date = "2015-03-10"
            description = "Used to detect NewPoSThings RAM scraper, including 2015 sample set"

        strings:
            $pdb1 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\NewPosThings\\Release\\NewPosThings.pdb" nocase
            $pdb2 = "C:\\Final32\\Release\\Final.pdb" nocase
            $pdb3 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\Release\\jsd_12.2.pdb" nocase
            $pdb4 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\x64\\Release\\jsd_12.2.pdb" nocase
            $string0 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide
            $string1 = "Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)" wide
            $string2 = "Content-Type: application/x-www-form-urlencoded" wide
            $string3 = "Use 64bit version." wide
            $string4 = "SeDebugPrivilege" wide
            $string5 = "Java Update Manager" wide
            $string6 = "Java\\Javaj.exe" wide
            $string7 = "lsass.exe" wide
            $string8 = "aW5zZXJ0"

        condition:
            (any of ($pdb*)) or (all of ($str*))
    }

    With additional insights and analysis from Kenney Lu and Numaan Huq

    Posted in Bad Sites (NewPosThings Has New PoS Things)

    We have been observing a new malware that infects point-of-sale (POS) systems. This malware may have been active since 2013, possibly earlier. Trend Micro will be naming this new malware family as PwnPOS to differentiate it from other known PoS malware families.

    In this blog post, we will discuss the technical details of this PoS malware. Researchers and incident response teams can add our findings to their growing number of PoS malware indicators.

    Technical Summary

    PwnPOS is a perfect example of malware that has been able to fly under the radar all these years due to its simple but thoughtful construction, albeit one that is not future proof. Technically, PwnPOS has two components: 1) the RAM scraper binary, and 2) the binary responsible for data exfiltration. While the RAM scraper component has remained constant, the data exfiltration component has seen several changes, implying two, possibly distinct, authors. The RAM scraper goes through a process’ memory and dumps the data to a file; the exfiltration binary then sends that data out via SMTP.


    This malware family is a RAM scraper service that can install and remove itself via specific arguments. If run without any arguments, it will copy itself to %SystemRoot%\system32\wnhelp.exe, install a service called “Windows Media Help,” and automatically start itself with the -service switch.

    Figure 1. Installed service

    However, if run with the argument del, it removes the service without deleting the file.

    Figure 2. Service deletion routine

    Most incident response and malware-related tools attempt to enumerate auto-run and auto-start items, or entries in the services applet, in an attempt to detect malicious files. Thus, having parameters that add and remove itself from the list of services allows the attacker to “remain persistent” on the target PoS machine when needed, while the malicious file appears benign as it waits in the %SYSTEM% directory for the next time it is invoked.

    There are a few caveats about the malware’s installation routine:

    1. The Windows User Account Control feature (available since Windows Vista) is able to block its execution. The initial launch is logged to %SystemRoot%\system32\DebugConsole.log; upon execution, it checks for administrator privilege, and if the user session lacks it, it writes the error ERRLOG:error: not admin user.
    2. The executable must reside in %SystemRoot%\system32, because the service it creates uses the path C:\WINDOWS\system32\wnhelp.exe -service. If executed on a 64-bit operating system, the file is stored in C:\Windows\SysWOW64\ instead, and thus the service fails to start.

    The above-mentioned caveats may be a non-issue, since the great majority of PoS terminals still run Windows XP and there is no pressing need for 64-bit operating system installations on these kinds of systems.


    Last year, we detected some new PoS malware just before the holiday season. At that time, we omitted one fact: the file was digitally signed with a valid certificate. Our research shows that these PoS malware attacks are growing in sophistication, with code signing and improved encryption becoming more commonplace. We were also able to connect this PoS malware to the group behind the Anunak malware, which is related to the Carbanak gang as posted by our colleagues over at Fox-IT.

    Figure 1. Sample with valid digital signature (taken on November 27, 2014)

    Malware code signing has increased in recent years and malware authors often seek keys that allow file signing to make malicious files appear as legitimate software. In this case, the attackers went through the whole process of requesting a digital certificate to sign the binary from a known certificate authority. COMODO, the issuer of this certificate, has since revoked the signing certificate.

    With this in mind, we began searching for additional components of this binary. This blog entry adds context to our original blog post published last year.

    Carefully crafted binaries

    Based on other PoS malware we have observed, we knew that this should be a multi-component malware. As such, we monitored this threat over the couple of months following the incident. One file that caught our interest has the SHA1 hash d8e79a7d21a138bc02ec99cfb9dc59e2e0cedf09. We noted some important things about this particular file:

    1. First, the file itself was signed similarly, using the same name, email and certificate authority.
    2. Second, the file construction was simply too careful for the standard malware we see on a daily basis.

    Analysis of the file showed that it has its own encryption method that common tools cannot identify, and it decrypts only the code it needs, which is destroyed after use. Another interesting point is the use of the GetProcAddress API (which is almost abandoned nowadays). It brute-forces its way through the PE header table and calls NT* functions.



    The remote access tool (RAT) HAVEX became the focus of the security industry after it was discovered to have played a major role in a campaign targeting industrial control systems (ICS). While observing HAVEX detections (known by different vendors as Dragonfly, Energetic Bear, and Crouching Yeti), we noticed something interesting.

    The Dragonfly campaign was previously believed to be compatible only with 32-bit versions, as most mission-critical systems would most likely run Windows XP, which has since reached end of support. In contrast, we came across two interesting infections running on Windows 7 systems.

    First 64-bit HAVEX Sighting

    Based on our analysis (seen in the chain below), a file called TMPProvider023.dll, detected as BKDR64_HAVEX.A, was found, which creates several files on the file system. It should be noted that TMPprovider0<2-digit version number>.dll is a known indicator of HAVEX and is the component that interacts with the command-and-control (C&C) servers to perform downloads or receive execution commands.

    Figure 1. File installation chain

    This is interesting because we’re seeing three indicators of BKDR_HAVEX:

    • The file TMPProvider023.dll, as indicated above, with the number indicating the version of this HAVEX RAT (v023)
    • A dropped file named 34CD.tmp.dll, detected as BKDR_HAVEX.SM. At this point, the file was being repeatedly detected and quarantined by the installed Trend Micro product. This was later found to be version 29 (v029) of HAVEX.
    • C&C communication from the host and back

    Figure 2. The dropped file detected as BKDR_HAVEX.SM

    A Closer Look at the First 64-bit HAVEX Sighting

    To better understand how these two files (TMPProvider023.dll and 34CD.tmp.dll) work, we need to determine the other files that were related to the infection chain. With this, we noticed two other dropped files.



