We recently spotted a brand new BlackPOS (point-of-sale) malware detected by Trend Micro as TSPY_MEMLOG.A. In 2012, the source code of BlackPOS was leaked, enabling other cybercriminals and attackers to enhance its code. What’s interesting about TSPY_MEMLOG.A is it disguises itself as an installed service of known AV vendor software to avoid being detected and consequently, deleted in the infected PoS systems. This routine is different from previous PoS malware such as TSPY_POCARDL.U and TSPY_POCARDL.AB (BlackPOS) that employed the targeted company’s own installed service.
The malware can be run with options: -[start|stop|install|uninstall]. The –install option installs the malware with service name =<AV_Company> Framework Management Instrumentation, and the –uninstall option deletes the said service. The RAM scraping routine begins as a thread when the installed service starts. It may only start its main routine if it has successfully been registered as a service.
Apart from masquerading itself as an AV software service, another new tactic of TSPY_MEMLOG.A is its updated process iteration function. It uses CreateToolhelp32Snapshot API call to list and iterate all running processes. BlackPOS variants typically use the EnumProcesses API call to list and iterate over the processes.
It drops and opens a component t.bat after it has read and matched the track data. This track data is where the information necessary to carry out card transactions is located; on the card this is stored either on the magnetic stripe or embedded chip.
The data will eventually get written out to a file called McTrayErrorLogging.dll. This is similar to what happened in the PoS malware attack involving the retail store, Target last December 2013.
Figure 1. CreateToolhelp32Snapshot to enumerate processes
Based on our analysis, this PoS malware uses a new custom search routine to check the RAM for Track data. These custom search routines have replaced the regex search in newer PoS malware. It samples 0x20000h bytes [the 0x and h implies hex bytes] in each pass, and continues scanning till it has scanned the entire memory region of the process being inspected.
Figure 2. Screenshot of reading process memory
Figure 3. Logging of data
It has an exclusion list that functions to ignore certain processes where track data is not found. It gathers track data by scanning the memory of the all running processes except for the following:
- smss.exe
- csrss.exe
- wininit.exe
- services.exe
- lsass.exe
- svchost.exe
- winlogon.exe
- sched.exe
- spoolsv.exe
- System
- conhost.exe
- ctfmon.exe
- wmiprvse.exe
- mdm.exe
- taskmgr.exe
- explorer.exe
- RegSrvc.exe
- firefox.exe
- chrome.exe
This skipping of scanning specific processes is similar to VSkimmer (detected as BKDR_HESETOX.CC).
In TSPY_MEMLOG.A, the grabbed credit card Track data from memory is saved into a file McTrayErrorLogging.dll and sent to a shared location within the same network. We’ve seen this routine with another BlackPOS/Kaptoxa detected as TSPY_POCARDL.AB. However, the only difference is that TSPY_MEMLOG.A uses a batch file for moving the gathered data within the shared network while TSPY_POCARDL.AB executes the net command via cmd.exe. It is highly possible that the server is compromised since the malware uses a specific username for logging into the domain.
Data Exfiltration Mechanism
The malware drops the component t.bat which is responsible for transferring the data from McTrayErrorLogging.dll to a specific location in the network, t:\temp\dotnet\NDP45-KB2737084-x86.exe. It uses the following command to transfer the gathered data:
Figure 4. Screenshot of command used to transfer data
The “net use” command was used to connect from one machine to another machine’s drive. It uses a specific username to login to the domain above (IP address). It will open device t: on 10.44.2.153 drive D.
In one the biggest data breach we’ve seen in 2013, the cybercriminals behind it, offloaded the gathered data to a compromised server first while a different malware running on the compromised server uploaded it to the FTP. We surmise that this new BlackPOS malware uses the same exfiltration tactic.
Countermeasures
PoS malware can possibly arrive on the affected network via the following means:
- Targeting specific servers by point of entry and lateral movement
- Hacking network communication
- Infect machine before deployment
As such, we recommend enterprises and large organizations implement a multi-layered security solution to ensure that their network is protected against vulnerabilities existing in systems and applications as this may be used to infiltrate the network. In addition, check also when a system component has been modified or changed as criminals are using known in-house software applications to hide their tracks. IT administrators can use the information on malware routines and indicators of compromise (IoCs) here to determine if their network has been compromised already by this new BlackPOS malware. For more information on PoS malware, read our white paper, Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries.
Trend Micro protects enterprises from threats like PoS malware by detecting the malicious file.
The related hash to this threat is b57c5b49dab6bbd9f4c464d396414685.
With additional analysis from Numaan Huq
Update as of 9:44 AM, September 8, 2014
During the course of our investigation, we spotted the following anti-American messages embedded in the binary:
Figure 5. Screenshot of the messages embedded in the binary
(Click image above to enlarge)
Note that these are not used anywhere in the code and we surmise that these may be like a signature used by the group developing this malware.
Update as of 2:27 PM, September 11, 2014
Even though BlackPOS ver2 has an entirely different code compared to the BlackPOS which compromised Target, it duplicates the data exfiltration technique used by the Target BlackPOS. It is an improved clone of the original, which is why we decided to call this BlackPOS ver2.
It is also being reported in the press that some security vendors called this malware as “FrameworkPOS.” This is a play of the service name <AV_Company> Framework Management Instrumentation with which the malware installs itself.
