• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Botnets   »   Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools

Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools

  • Posted on:December 1, 2015 at 12:31 am
  • Posted in:Botnets, Malware
  • Author:
    Trend Micro Cyber Safety Solutions Team
0

With the coming holidays also come news of various credit card breaches that endanger the data of many industries and their customers. High-profile breaches, such as that of the Hilton Hotel and other similar establishments, were accomplished using point-of-sale (PoS) malware, leading many to fear digital threats on brick-and-mortar retailers this Thanksgiving, Black Friday, Cyber Monday, and the rest of the holiday season. Researchers also found a broad campaign that uses the modular ModPOS malware to steal payment card data from retailers in the US.

However, from what we have seen, it is not only retailers in the US that are at risk of breaches. Our researchers recently found an early version of a potentially powerful, adaptable, and invisible botnet that seeks out PoS systems within networks. It has already extended its reach to small and medium sized business networks all over the world, including a healthcare organization in the US. We are calling this operation Black Atlas, in reference to BlackPOS, the malware primarily used in this operation.

Operation Black Atlas has been around since September 2015, just in time to plant its seeds before the holiday season. Its targets include businesses in the healthcare, retail, and more industries which rely on card payment systems.

The operation is run by technically sophisticated cybercriminals who are knowledgeable in a variety of penetration testing tools and possess a wide network of connections to PoS malware in the underground market. Its operators built a set of tools much like a Swiss army knife, with each tool offering a different functionality. Malware utilized in Black Atlas included (but were not limited to) variants of Alina, NewPOSThings, a Kronos backdoor, and BlackPOS. BlackPOS, also known as  Kaptoxa, was the malware used during the Target breach in 2013 and attacks on retail accounts in 2014.

Similar to GamaPoS, the Black Atlas operators employed a “shotgun” approach to infiltrate networks as opposed to zeroing in on specific targets. They basically checked available ports on the Internet to see if they can get in, ending up with multiple targets around the world. The following graph shows where these targets are located:

Figure 1. Distribution of Gorynych targets in Operation Black Atlas

So far, the Black Atlas operators have been able to steal user credentials to websites that contain sensitive information, email accounts, and Facebook. The most interesting data we found was that of a live video feed of closed-circuit television (CCTV) cameras in a gasoline station. Either this is taking reconnaissance to another real-time level or the cybercriminals simply captured whatever information is available.

How Operation Black Atlas Works

Our analysis of the attacks against these targets gave us further insights on how the Black Atlas operators seek out PoS systems from networks. In one particular case, which involved a healthcare organization in the US, we found out how the Black Atlas operators operate.

Similar to a targeted attack, Black Atlas involves an intelligence gathering or reconnaissance period where cybercriminals use a set of tools similar to a Swiss army knife to check how best to infiltrate systems. It also involves the use of tools such as brute force or dictionary attack tools, SMTP scanners, and remote desktop viewers. Networks with weak password practices are likely to fall victim to this initial penetration testing stage. Many of these tools are easily downloaded from various sites on the Internet.

Figure 2. Operation Black Atlas infection chain

The cybercriminals will then create a test plan based on the initial probe, and then use a second set of tools to execute the said plan. In the case of the healthcare organization, the Black Atlas operators utilized remote access tools to steal more information and move laterally within the network. The use of remote access tools at this stage depends on how the target environment is configured, with the method of gaining remote access also varying based on the target.

Once inside, cybercriminals then familiarize themselves with the environment. What follows is the introduction of PoS threats, which the cybercriminals source from the operation’s broad Swiss army knife toolbox.The favored way to introduce other tools and threats is via the built-in command-line FTP since antimalware solutions had already blocked the initial site we had reported last September that hosted Katrina and CenterPoS.

Black Atlas operators used the modular botnet Gorynych or Diamond Fox in some installations. Gorynich was used to download a repurposed BlackPOS malware with RAM scraping functionality and upload all the dumped credit card numbers in memory. As the original BlackPOS used a text file to store pilfered credit card data, Gorynych now grabs that text file and does an HTTP POST to complete the data exfiltration:

Figure 3. Gorynych data exfiltration stage

In our next blog entry, we will discuss the steps of our investigation, how cybercriminals retrofitted the new Gorynych backdoor to use BlackPOS, and how the whole operation puts a variety of old and new PoS malware at the cybercriminals’ fingertips to easily gather financial information. We will also provide technical details, best practices, and recommendations to help IT managers and business owners evade or resolve this PoS threat.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: Botnetshealthcarepoint-of-salePOSSMB

Featured Stories

  • systemd Vulnerability Leads to Denial of Service on Linux
  • qkG Filecoder: Self-Replicating, Document-Encrypting Ransomware
  • Mitigating CVE-2017-5689, an Intel Management Engine Vulnerability
  • A Closer Look at North Korea’s Internet
  • From Cybercrime to Cyberpropaganda

Security Predictions for 2019

  • Our security predictions for 2019 are based on our experts’ analysis of the progress of current and emerging technologies, user behavior, and market trends, and their impact on the threat landscape. We have categorized them according to the main areas that are likely to be affected, given the sprawling nature of the technological and sociopolitical changes under consideration.
    Read our security predictions for 2019.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • ‘Heatstroke’ Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information
  • TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
  • Asruex Backdoor Variant Infects Word Documents and PDFs Through Old MS Office and Adobe Vulnerabilities
  • Uncovering a MyKings Variant With Bootloader Persistence via Managed Detection and Response
  • Adware Posing as 85 Photography and Gaming Apps on Google Play Installed Over 8 Million Times

Popular Posts

  • August Patch Tuesday: Update Fixes ‘Wormable’ Flaws in Remote Desktop Services, VBScript Gets Disabled by Default
  • New Mirai Variant Uses Multiple Exploits to Target Routers and Other Devices
  • Jenkins Admins: Relying on Default Settings Could Put Master at Risk of Remote Code Execution Attacks
  • TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
  • Trickbot Watch: Arrival via Redirection URL in Spam

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.