
One-Man PoS Malware Operation Captures 22,000 Credit Card Details in Brazil

  • Posted on: April 13, 2015 at 5:00 am
  • Posted in: Bad Sites
  • Author: Trend Micro Forward-Looking Threat Research Team

We have identified a new point-of-sale (PoS) malware family that has affected more than 100 victim organizations in Brazil. We have dubbed this family “FighterPOS”, after BRFighter, the tool its author used to build it. This one-man operation has stolen more than 22,000 unique credit card numbers.

Its creator appears to have a long history in carding, payment scams, and malware creation, and we believe he acted independently, without accomplices or associates. FighterPOS is not cheap: it is currently priced at 18 bitcoins (worth around US$5,250 at the time of writing). In return, its control panel is well designed and it supports a wide variety of features that attackers would find useful.

This blog post outlines the behavior of FighterPOS, with more technical details available in our paper entitled FighterPOS: The Anatomy and Operation of a New POS Malware Campaign.

Purchasing

At first glance, the advertisement is not particularly unusual. What piqued our interest was the professional nature of the ad and the malware’s supported features.

Figure 1. Advertisement selling FighterPOS

The control panel and malware are currently being sold together for 18.3823 BTC, or roughly US$5,250. While this may seem expensive, the buyer can recoup the outlay quickly: each stolen card can be resold as soon as it arrives, or held and used later. If the buyer wants an additional executable and panel instance, the author charges a further US$800.

Figure 2. FighterPOS Control Panel

The author, who went by the username cardexpertdev, stated clearly in the ad that the executable is not fully undetectable (FUD): the buyer will need to run it through a crypting service before deployment so that antivirus scanners do not detect it. This is common for PoS malware sold in underground markets; crypting services are the usual way such binaries are wrapped to get past signature-based defensive controls.

FighterPOS was not the only product related to credit card fraud that cardexpertdev was selling. He was also selling credit card numbers, EMV chip recorders, and other similar fraud-related products and tools to other cybercriminals.

Victimology

Data obtained from the C&C servers indicate that FighterPOS has infected approximately 113 PoS terminals, more than 90% of which were found in Brazil. Evidence of system infection in other countries, including the United States, Mexico, Italy, and the United Kingdom was also found.

Figure 3. Distribution of FighterPOS-affected machines

Together, the infected systems have sent 22,112 unique credit card dumps for a single month (late February to early April) to the FighterPOS operator. Many of the victims of FighterPOS are users of Linx MicroVix or Linx POS systems – both popular software suites in Brazil.

FighterPOS Functionality

The functionality of FighterPOS is similar to that of other PoS malware families we have seen. It collects credit card track 1 and track 2 data and CVV codes. Like most PoS families, it does so by RAM scraping: it reads the memory of processes on the terminal and searches for the characteristic track data patterns, which are present in cleartext while the card is being processed. Its keylogger component additionally records every keystroke on the infected terminal. The RAM-scraping code is similar to that found in NewPosThings.
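The pattern-matching step that a RAM scraper like FighterPOS performs is the same one a responder uses to confirm exposure in a memory dump from a suspect terminal. The following is an added example, not code from the post or from the malware (which is written in Visual Basic 6): it scans a byte buffer for track 1 and track 2 layouts, validates each candidate PAN with the Luhn check to reject random digit runs, and reports only masked PANs. The regexes, the field names and the sample memory buffer are this example's own assumptions, and the test card numbers are standard Luhn-valid test values, not real cards.

```python
import re

# Track 1 (IATA format): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2 (ABA format):  ;<PAN>=<YYMM><service code><discretionary>?
# Both patterns are deliberately loose: a scraper wants high recall, and the
# Luhn check below removes most of the resulting false positives.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.\-]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]{0,40}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})\d{0,40}\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn (mod 10) check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 digits; never log a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> list:
    """Find track 1/2 candidates in a memory buffer, sorted by offset.

    Each hit carries a masked PAN, expiry (MM/YY), service code and whether
    the PAN passed the Luhn check; only Luhn-valid hits are worth reporting.
    """
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({
            "track": 1, "offset": m.start(), "pan": mask_pan(pan),
            "name": m.group(2).decode(),
            "expiry": m.group(4).decode() + "/" + m.group(3).decode(),
            "service_code": m.group(5).decode(), "luhn_ok": luhn_ok(pan),
        })
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({
            "track": 2, "offset": m.start(), "pan": mask_pan(pan), "name": None,
            "expiry": m.group(3).decode() + "/" + m.group(2).decode(),
            "service_code": m.group(4).decode(), "luhn_ok": luhn_ok(pan),
        })
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed sample "process memory" (not a real dump): two Luhn-valid test
# PANs and one candidate that fails the check and must be rejected.
SAMPLE_MEMORY = (
    b"\x00\x00POS-TERMINAL-01\x00"
    b"%B4111111111111111^DOE/JOHN^25121010000000000?"
    b"\x00\x10\xff\xfe noise \x00"
    b";5500000000000004=2512101123456?"
    b"\x00junk;4111111111111112=2511101?\x00"
)

if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_MEMORY):
        flag = "VALID" if hit["luhn_ok"] else "reject (Luhn)"
        print(f"track {hit['track']} @ {hit['offset']:#06x} pan={hit['pan']} "
              f"exp={hit['expiry']} svc={hit['service_code']} {flag}")
```

Run it against a process memory dump (for example the output of a memory-acquisition tool read as bytes) rather than the constructed buffer. The Luhn check is what separates a real scraper hit from a run of digits that happens to sit between the delimiter characters; the third candidate above is dropped for exactly that reason.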

Two samples that caught our attention were IE.exe (MD5: 55fb03ce9b698d30d946018455ca2809, detected as TSPY_POSFIGHT.SM) and IEx.exe (MD5: 55fb03ce9b698d30d946018455ca2809), both of which connect to the C&C server at hxxp://ctclubedeluta[dot]org/.

Both samples are written in Visual Basic 6. Although Visual Basic 6 is long obsolete, the runtime still ships with Windows, so applications written in it still run on current, fully patched systems.

One may ask why a “new” PoS malware family is built on such an old platform as Visual Basic. We believe that this is because FighterPOS code is not entirely new. Instead, the vnLoader malware (designed for botnets) was modified to add PoS-specific features. It retains its botnet-oriented capabilities, which include:

  • Malware auto-update
  • File download and execution
  • Sending out credit card data
  • Sending out keylogged data
  • Layer 7 or layer 4 DDoS attacks

The DDoS capability effectively turns this POS family into a very flexible and attractive tool for prospective buyers.

Conclusion

FighterPOS is a full-featured piece of malware, carefully developed and using strong encryption. It supports multiple ways of talking to its C&C infrastructure. Beyond card theft and keylogging, the botnet capabilities it inherited from vnLoader allow DDoS attacks and give the operator full control of victim machines. We currently estimate that each infected machine sends back ten new credit card numbers to the attackers.

We are continuing to evaluate this threat, and our research covers not only the malware family but also its C&C infrastructure. To monitor endpoints and confirm possible active infections, Trend Micro Deep Discovery Inspector can use the indicators of compromise and the C&C servers and sites listed below.

Indicators of Compromise

SHA1                                      MD5                               Compile Time (UTC)  Size (bytes)  DDI Detection
0aea8f97ecbd4b9dbdae336f7310d35af8883bae  b0416d389b0b59776fe4c4ddeb407239  2015-02-04 21:29    618,496       TSPY_POSFIGHT.SM
30628221ab520b3e6d869bdeb619ef157103c227  e3db204be71efe8a41d949f2d3fdfa18  2015-03-27 23:01    618,496       TSPY_POSFIGHT.SM
4482823a86dca8613ea5b7daeca23c950e6d9291  e29d9560b6fcc14290f411eed9f4ff4f  2014-09-08 17:37    143,360       HTTP Download Executable File
76e8b0f54cea080e932118cd203b459a479170a8  55fb03ce9b698d30d946018455ca2809  2015-02-10 17:55    618,496       TSPY_POSFIGHT.SM
a106bba216f71f468ae728c3f9e1db587500c30b  6cb50f7f2fe6f69ee8613d531e816089  2014-11-24 17:21    178,688       TSPY_POSFIGHT.B
c04b07467a962f34f893932422ca29f2cfdc938b  e647b892e3af16db24110d0e61a394c8  2015-03-04 20:54    618,496       TSPY_POSFIGHT.SM
fe13b63feb1fee2d8ff26368e8e690dd9c19c70c  7b011dea4cc53c1099365e0b5dc23558  2015-02-21 13:37    618,496       TSPY_POSFIGHT.SM
00aec55105f241f493188993d1558d7e2aacaafc  af15827d802c01d1e972325277f87f0d  2015-01-28 12:06    614,400       TSPY_POSFIGHT.SM
28157df6c45cf2f6f40c884ed7e06ab4f2b4d874  361b6fe6f602a771956e6a075d3c3b78  2014-12-19 00:53    581,632       TSPY_POSFIGHT.SM
4411c502f3348233022b77bb4624ae81c72416af  b99cab211df20e6045564b857c594b71  2015-02-04 16:37    618,496       TSPY_POSFIGHT.SM

Compile times are read from the PE header timestamp, which the builder can set to any value; treat them as a hint, not as evidence of when a sample was actually built.

We have seen the following C&C servers and sites in use:

  • 69[dot]195[dot]77[dot]74
  • ctclubedeluta[dot]org
  • msr2006[dot]biz
  • sitefmonitor[dot]com
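A practical way to use the indicators above is to hunt for them in two places at once: file hashes from endpoints, and hostnames or IPs in proxy and DNS logs. The following is an added example, not tooling from the post or from Trend Micro's products. It carries the hashes and network indicators exactly as listed above (the two-line SHA1 entries joined back together), refangs the "[dot]" notation, and matches hosts only on a label boundary so that a look-alike such as 169.195.77.74 does not produce a false hit. The log lines are constructed for the example and are not real traffic.

```python
import hashlib
import re

# Indicators exactly as listed in the post. SHA1 values are the two-line
# table entries joined back together.
IOC_MD5 = {
    "b0416d389b0b59776fe4c4ddeb407239": "TSPY_POSFIGHT.SM",
    "e3db204be71efe8a41d949f2d3fdfa18": "TSPY_POSFIGHT.SM",
    "e29d9560b6fcc14290f411eed9f4ff4f": "HTTP Download Executable File",
    "55fb03ce9b698d30d946018455ca2809": "TSPY_POSFIGHT.SM",
    "6cb50f7f2fe6f69ee8613d531e816089": "TSPY_POSFIGHT.B",
    "e647b892e3af16db24110d0e61a394c8": "TSPY_POSFIGHT.SM",
    "7b011dea4cc53c1099365e0b5dc23558": "TSPY_POSFIGHT.SM",
    "af15827d802c01d1e972325277f87f0d": "TSPY_POSFIGHT.SM",
    "361b6fe6f602a771956e6a075d3c3b78": "TSPY_POSFIGHT.SM",
    "b99cab211df20e6045564b857c594b71": "TSPY_POSFIGHT.SM",
}
IOC_SHA1 = {
    "0aea8f97ecbd4b9dbdae336f7310d35af8883bae": "TSPY_POSFIGHT.SM",
    "30628221ab520b3e6d869bdeb619ef157103c227": "TSPY_POSFIGHT.SM",
    "4482823a86dca8613ea5b7daeca23c950e6d9291": "HTTP Download Executable File",
    "76e8b0f54cea080e932118cd203b459a479170a8": "TSPY_POSFIGHT.SM",
    "a106bba216f71f468ae728c3f9e1db587500c30b": "TSPY_POSFIGHT.B",
    "c04b07467a962f34f893932422ca29f2cfdc938b": "TSPY_POSFIGHT.SM",
    "fe13b63feb1fee2d8ff26368e8e690dd9c19c70c": "TSPY_POSFIGHT.SM",
    "00aec55105f241f493188993d1558d7e2aacaafc": "TSPY_POSFIGHT.SM",
    "28157df6c45cf2f6f40c884ed7e06ab4f2b4d874": "TSPY_POSFIGHT.SM",
    "4411c502f3348233022b77bb4624ae81c72416af": "TSPY_POSFIGHT.SM",
}
CNC_DEFANGED = [
    "69[dot]195[dot]77[dot]74",
    "ctclubedeluta[dot]org",
    "msr2006[dot]biz",
    "sitefmonitor[dot]com",
]


def refang(indicator: str) -> str:
    """Turn the post's defanged form back into a matchable host/IP."""
    return indicator.replace("[dot]", ".").replace("hxxp", "http")


def classify_hashes(md5: str, sha1: str):
    """Return the detection name if either hash is a known FighterPOS IOC, else None."""
    return IOC_MD5.get(md5.lower()) or IOC_SHA1.get(sha1.lower())


def classify_file_bytes(data: bytes):
    """Hash file contents with both algorithms and look them up."""
    return classify_hashes(hashlib.md5(data).hexdigest(),
                           hashlib.sha1(data).hexdigest())


# Match a host only on a label boundary: "www.ctclubedeluta.org" hits,
# "notctclubedeluta.org" and "169.195.77.74" do not.
CNC_RE = re.compile(
    "|".join(r"(?<![\w-])" + re.escape(refang(i)) + r"(?![\w-])" for i in CNC_DEFANGED),
    re.IGNORECASE,
)


def find_cnc_contacts(log_lines) -> list:
    """Return (line_number, matched indicator) for every log line naming a C&C."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = CNC_RE.search(line)
        if m:
            hits.append((n, m.group(0).lower()))
    return hits


# Constructed proxy/DNS log excerpt (assumed format, not real traffic).
SAMPLE_LOG = [
    "2015-03-02T10:14:03Z 10.20.1.15 GET http://example.com/update.xml 200",
    "2015-03-02T10:14:09Z 10.20.1.15 POST http://ctclubedeluta.org/gate.php 200",
    "2015-03-02T10:15:44Z 10.20.1.22 DNS A msr2006.biz",
    "2015-03-02T10:16:01Z 10.20.1.30 CONNECT 169.195.77.74:443",
    "2015-03-02T10:17:12Z 10.20.1.30 CONNECT 69.195.77.74:8080",
]

if __name__ == "__main__":
    for n, ind in find_cnc_contacts(SAMPLE_LOG):
        print(f"line {n}: contact with FighterPOS C&C {ind}")
    print(classify_file_bytes(b"benign test content"))
```

Point classify_file_bytes at the contents of suspect executables collected from terminals and find_cnc_contacts at exported proxy or DNS logs. A hash hit is strong evidence of the listed sample, but a miss is not evidence of a clean host: the ad itself says buyers re-wrap the binary with a crypting service, which changes both hashes, so the network indicators are the more durable of the two sets.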