Arbor Networks initially posted about a new point-of-sale (PoS) malware family named NewPosThings last September, which we detect as either TSPY_POSNEWT.SM or TSPY_POSNEWT.A. We are now seeing new developments in this area—namely, versions for 64-bit and higher.
The 64-bit version is out
Similar to the previous 32-bit version reported last year, the 64-bit sample is a multifunction Trojan that includes added functionalities and routines. These include RAM scraper capabilities, keylogging routines, dumping virtual network computing (VNC) passwords, and information gathering.
When the malware installs itself, it follows a specific algorithm to decide which file name to use.
- First, get a base value that is based on the volume serial number and computer name
- Using its own function, it calculates the base value to get the final value
- Finally, select a file name from the output of step #2 mod 5
FileName = Array of FileName[Final Value % 5]
Depending on the output, the file name selected can be:
To maintain persistence, it will register itself as a start item “Java Update Manager” when it starts and would restart another process with “RM” parameters.
Figure 1. The 64-bit NewPoSThings registers itself as Java Update Manager
This new process will then search for VNC’s password, which includes WinVNC, RealVNC, UltraVNC and TightVNC, and this information is acquired immediately.
Figure 2. Building the list of stolen VNC password list. It is also seen to disable security warnings for specific extensions (.exe/.bat/.reg/.vbs)
Figure 3. Disabling security warning for specific file types
Disabling the Open File Security Warning of Microsoft Windows reduces the overall security posture of the Microsoft Windows host operating system. This is because the system no longer prompts the user for validation when opening up files that could have been downloaded from malicious sources.
Main malware routines
After installation, it starts several threads to execute different tasks:
Similar to other RAM scrapers, it enumerates all processes while skipping a whitelist, and searches for a specific pattern. Once it finds a target process, a thread is created to extract credit card numbers from memory. This process, while being simple and straightforward, is not so efficient as there may be a tendency for this RAM scraper to consume all CPU resources if the computer has a lot of running processes.
Figure 4. Process enumeration routine
Figure 5. Process White List
The search pattern is “[0-9]*(=|^).” If a number string is found, it will be validated with “Luhn Algorithm”, and the valid credit card number will be stored in memory and then to the transfer thread.
A hidden window “kl” is created in the background to collect user input. The data will be preserved in memory, and will not be written to a physical file.
Figure 6. Creation of hidden window “kl”
When victim computer is online, this thread will report to its C&C server every 300 seconds, or five minutes.
This thread will check every 600 seconds (or 10 minutes) if the data transfer is ready. Once ready, it will send the data to its C&C server.
For this POS RAM scraper, the method of data exfiltration is via HTTP, and the context really depends on the data being collected.
||Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)
||POST, example: cs= aW5zZXJ0&p=Windows+7+64+TEST&m=53852938&v=1.0
The parameters being sent can be of the following –
||Send Stolen VNC Password
||Report Client Information
||OS + Computer Name + Client Version
||Send Log Data
||Key logger + Credit Card Number
(OS Version)+(Platform) +(Computer Name)
Client Version is a fixed value => 1.0, in this case
The 64-bit file we examined has been able to send back version 1.0. In comparison, earlier 32-bit samples (detected as TSPY_POSNEWT.SM or TSPY_POSNEWT.A) did not send back the client file’s version, and the URL format of the C&C was different:
|64-bit v1.0 C&C
||Earlier 32-bit C&C
||http://wordpress-catalogs[dot]com/dkok/ek[dot]php http://91[dot]121[dot]87[dot]188/cms/CMS/ek[dot]php http://62[dot]68[dot]96[dot]173/cdsfh/ek[dot]php
The 64-bit C&C would also be the same URL format that we would see in higher versions, as we would detail below.
The change in the format of the CNCs was not the only observable change as NewPoSThings showed new versions over a couple of few months. Each version had a minor tweak, with the most current version (version 3.0) being the most complex:
||Disables Security Warning: Add “.exe/.bat/.vbs/.reg” to LowRiskOnly in 32-bit version:PDB: C:\Users\Tom\documents\visual studio 2012\Projects\jsd_12.2\Release\jsd_12.2.pdbOnly in 64-bit version:
Sent back the client version:PDB: C:\Users\Tom\documents\visual studio 2012\Projects\jsd_12.2\x64\Release\jsd_12.2.pdbCompiled within the last 2 weeks of November 2014
|2.1 – 2.3
||Disables Security Warning: Modifying “:Zone.Identifier”PDB: C:\Users\Tom\documents\visual studio 2012\Projects\jsd_12.2\Release\jsd_12.2.pdbSamples seen may have been compiled during December 2014Later versions, possibly generated on January 2015 already had application manifest / compatibility stated for Windows 7, and also used a custom packer.
||Disables Security Warning: Modifying “:Zone.Identifier”PDB path now totally hidden.Application manifest / compatibility stated for Windows 7
Uses a custom packer, added some anti-debugging methods
Samples seen may have been compiled during the last week of January 2015
Currently, we’ve seen repackaging of version NewPoSThings 2.x with additional malware – SHA1: ffd268bf769e0ac0ba0003ae98fb09ab12883da4, currently detected as BKDR_BEZIGATE.AI. This malware is a backdoor type which presents some interesting features:
- First of all, it has a keylogging functionality as well as starting/stopping VNC and web camera:
Figure 7. Features of BKDR_BEZIGATE.AI
- Secondly, it sends feedback to its C&C server on the running processes
The more common approach for PoS malware is to bundle it with potentially unwanted applications (PUA), also known as adware. Packaging this PoS RAM scraper provides additional control over the affected endpoint.
While going through C&C activity we saw, there were two that stood out. We observed attempts to connect to the C&C of the newer NewPoSThings PoS malware from IP addresses of two US-based airports. Together with the recent news on the Los Angeles International Airport (LAX) credit card breach, we believe that our previous write-up about seeing PoS attacks targeting travelers may not be far from the truth. No matter which country, airports represent one of the busiest establishments where there are transactions being made all year round.
This further reinforces the fact that PoS malware, and the threat actors behind it, may have definitely matured to branch out to targets other than large retailers or small merchants. Late 2014 we came out with a blog post that talks about these targets: Planes, Trains & Automobiles – Are You Safe From PoS Malware Anywhere?
Recommendations and Solutions
While Trend Micro already detects this threat, and blocks all C&Cs listed below, the following recommendations may help in this situation:
- Assess if it is possible to segregate PoS terminals from the rest of the network, and employ correct access controls. This would help getting the PoS terminals installed with malware by going through the network, or even making it harder for the malware to exfiltrate the stolen data. In this case, the data scraped from the PoS terminals would not be uploaded to the C&C servers if there was no direct access to the internet to begin with.
- If possible, employ application whitelisting technology to control which applications run in your network. This would best be done before deploying the PoS terminals, when we know that they are risk free.
- Check if there is any ways or means to detect an infection, like firewall or proxy logs. The use of YARA can also be an option, if PoS terminals are installed with a different antivirus solution. The indicators are provided below to help incident responders and security specialists.
Using a multi-layered security solution within the enterprise will enable your organization control user data while giving enterprise-wide visibility. This complete approach can help prevent PoS-related data breaches and business disruption from gateway and mobile devices. In addition, you can centrally manage threat and data policies across multiple layers of your IT infrastructure, streamline management, and provide more consistent policy enforcement. For endpoint monitoring and validation for possibly active infections, Trend Micro Deep Discovery Endpoint Sensor can use the IP address and port, as well as the YARA rule, listed below.
The indicators below are compiled examples based on the observed threat.
||Size (in bytes)
||Trend Micro Detection
Here is a list of C&C locations observed:
Here is the Yara rule:
rule PoS_Malware_NewPOSThings2015 : newposthings2015
author = “Trend Micro, Inc.”
date = “2015-03-10″
description = “Used to detect NewPoSThings RAM scraper, including 2015 sample set”
$pdb1 = “C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\NewPosThings\\Release\\NewPosThings.pdb” nocase
$pdb2 = “C:\\Final32\\Release\\Final.pdb” nocase
$pdb3 = “C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\Release\\jsd_12.2.pdb” nocase
$pdb4 = “C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\x64\\Release\\jsd_12.2.pdb” nocase
$string0 = “Software\\Microsoft\\Windows\\CurrentVersion\\Run” wide
$string1 = “Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)” wide
$string2 = “Content-Type: application/x-www-form-urlencoded” wide
$string3 = “Use 64bit version.” wide
$string4 = “SeDebugPrivilege” wide
$string5 = “Java Update Manager” wide
$string6 = “Java\\Javaj.exe” wide
$string7 = “lsass.exe” wide
$string8 = “aW5zZXJ0″
(any of ($pdb*)) or (all of ($str*))
With additional insights and analysis from Kenney Lu and Numaan Huq