Last year, we detected some new PoS malware just before the holiday season. At that time, we omitted mentioning one fact – that the file was digitally signed with a valid certificate. Our research shows that these attacks targeting PoS malware are growing in sophistication, with code signing and improved encryption becoming more commonplace. We were also able to connect this PoS malware to the group involved with the Anunak malware—which is related to the Carbanak gang as posted by our colleagues over at Fox-IT.
Figure 1. Sample with valid digital signature (taken on November 27, 2014)
Malware code signing has increased in recent years and malware authors often seek keys that allow file signing to make malicious files appear as legitimate software. In this case, the attackers went through the whole process of requesting a digital certificate to sign the binary from a known certificate authority. COMODO, the issuer of this certificate, has since revoked the signing certificate.
With this in mind, we began searching for additional components of this binary. This blog entry adds context to our our original blog post published last year.
Carefully crafted binaries
Based on other PoS malware that we have observed, we knew that this should be a multicomponent malware. As such, over the next couple of months after this incident, we have been monitoring this threat – one that caught our interest was a file with the SHA1 hash d8e79a7d21a138bc02ec99cfb9dc59e2e0cedf09. We noted some important things about this particular file:
- First, the file itself was signed similarly: used the same name, email and certificate authority.
- Secondly, the file construction was just too careful for standard malware that we see on a daily basis.
Analysis of the file showed that it has its own encryption method that cannot be identified by common tools and it only decrypts the necessary code, which is destroyed after being used. Another interesting thing is that the GetProcAddress API was used (which is almost abandoned nowadays). It uses a brute force way to search the PE header table and calls NT* functions.
During installation, the .text section is reused by the unpack code and installation, as seen below:
Figure 2. Section reuse
It then starts the host process svchost.exe with the parameters -k netsvc, with a suspended status. Once done, it proceeds to prepare a decrypted PE image file which can be written into memory. If everything is ready, it calls the NT* function to write the PE image into the host’s process memory, set the thread context and resume the thread. Finally, the PE image in memory is destroyed immediately.
Figure 3. CreateProcess with suspended creation state
Figure 4. Decrypted PE image file in memory
While the PE image loaded in memory can be dumped to file, the string and API calls are still protected and it’s not straight forward to decipher. A decoder table was necessary to understand the inner working of the file, as shown below:
Figure 5. Decoder table
Using homemade decryption tools, the following functionality was discovered:
- Two fixed C&C Servers: 18.104.22.168 (ports 80 and 443), and 22.214.171.124 (port 443)
- Searching for the NSB Retail System Logs at C:\NSB\Coalition\Logs and nsb.pos.client.log
- Searching of files with the following extensions:
- The use of VNC and Remote Desktop
- Modifying the settings of the Windows firewall to give itself network access
- Database connectivity
- Reference to mimikatz – a tool to recover clear text passwords from LSASS
- Encryption and decryption routines
- Keylogging functionality
Targeting the Top PoS Vendor: Epicor
This was not your run-of-the-mill malware. It was a point-of-sale (PoS) malware that expliclty targeted the Epicor/NSB PoS system. Epicor was recently recognized as the top vendor of PoS software and leader in number of accounts and revenue over other top PoS vendors.
A second look at the binary indicates that this particular file is related to the CARBERP banking family of Trojans, whose source code was leaked around 2013. In particular, this file had the following CARBERP plugins:
- plug and vnc.plug – VNC Plugin
- plug – iFOBS remote banking system
- plug – Ammy Remote Desktop Plugin
We went back and cross-referenced other files to look for other complex malware samples that could be linked to this particular sample. We came across another one (SHA1 hash: a0527db046665ee43205f963dd40c455219beddd) which shared almost similar complexity. Some of the significant characteristics are listed below:
- Drops a file called ms*.exe and creates a startup item under the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run key.
Figure 6. Created registry entry
Aside from this, it changes the Zone.Identifier alternate data stream to avoid the pop-up warning:
Figure 7. Alternate data stream
- It attempts to acquire elevated privileges via SeRestorePrivilege, SeBackUpPrivilege, and SeDebugPrivilege. Privileges like these allows the caller all access to the process, including the ability to call TerminateProcess(), CreateRemoteThread(), and other potentially dangerous API calls on the target process.
- It also has anti-debugging functions, and has its own dynamic unpacking code:
- Unpack code into .txt and jump back
- Allocate a block memory in 0x7FF90000 (almost reach user mode limitation)
- Unpack code into 0x7FF90000 and jump to here
- C&C server communication
Using feedback provided by our Smart Protection Network, we looked for other threats that were similar to these two samples.
A quick evolution
We saw a file that was similar to the above files located in C:\Windows\SysWOW64 (for Windows 64-bit) and C:\Windows\System32 (for Windows 32-bit). The difference, however, was that it was for a DLL file (SHA1 hash: CCAD1C5037CE2A7A39F4B571FC10BE213249E611).
Careful analysis revealed that, although compiled as a DLL file, it just uses the same cipher as the earlier samples. However, here a different C&C server was used (126.96.36.199:443). This change may have been an attempt to evade analysis, as some automated analysis tools do not process DLLs since they cannot be directly executed.
Figure 8. Decoder table
These indicators show that these file(s) were the work of a fairly sophisticated group of attackers.
Who’s responsible for this?
As it turns out, we can attribute this to the European APT group that uses Anunak malware, which was previously reported by Group-IB and Fox-IT.
Our research leads us to believe that the files listed below could be used in similar campaigns within the United States and Canada:
|SHA1||Compile Time||TM Detection||Possible Usage|
|a0527db046665ee43205f963dd40c455219beddd||2014-08-15 02:51:44||TSPY_POSLOGR.L||Persistence, C&C module|
|d7fb2303d03081df3f960b416b5263ba69c807a5||2014-08-17 04:11:04||TSPY_POSLOGR.K||Asset/Data discovery|
|5c0451af37313f595a496491fcf7b4d84417e01d||2014-09-14 14:23:42||HKTL_MIKATZ||Credential harvesting, lateral movement|
|98729874bfe8a86c3d481b857aea3fd1faa3783d||2014-09-22 08:29:54||TSPY_POSLOGR.L||Dropper, C&C module|
|205059658fa96fda3f6679b4bc92010a507f4fca||2014-11-17 13:00:26||TSPY_POSLOGR.K||Data stealing, Asset/Data discovery|
|d8e79a7d21a138bc02ec99cfb9dc59e2e0cedf09||2014-11-10 07:24:08||TSPY_POSLOGR.K||Keylogging, backdoor and data exfiltration|
|CCAD1C5037CE2A7A39F4B571FC10BE213249E611||2037-09-12 01:50:47||TSPY_POSLOGR.L||Keylogging, backdoor and data exfiltration|
|989fd64b70e13e8be87d6f6247a8fed257540c66||2014-10-24 09:10:25||TSPY_POSLOGR.K||Data stealing, C&C Module|
|36fb1ee04af319c4b5d7947b0febc377c4014c76||2014-09-14 14:23:42||HKTL_MIKATZ||Credential harvesting, lateral movement|
|828c613b85faa70d7e3c83ccfb4fe21fc18b3cfc||2014-10-24 09:03:04||TSPY_POSLOGR.K||Data stealing, C&C Module|
|62a57603df2f720110c793ea8c09539bc1151087||2014-03-11 00:58:36||N/A – this is a versionof SoftPerfect Network Scanner||Legitimate file, but can be used for lateral movement|
|5fa2a0639897a42932272d0f0be2ab456d99a402||2099-08-31 10:35:34||TSPY_POSLOGR.K||Keylogging, backdoor and data exfiltration|
|3d1f03517a93eb829753e156a64365cf9e2e8b3d||2014-11-07 10:43:00||TSPY_POSLOGR.K||Keylogging, backdoor and data exfiltration|
|e525798581e738db0ce82ab144f9fd46f91953c9||2014-08-17 04:11:04||TSPY_POSLOGR.K||Asset/Data discovery|
|370e02e4f0d90bdfafe6e909b8249d780c4a41aa||2014-10-09 18:11:36||TSPY_POSLOGR.K||Dropper, C&C module|
|1bbcc9ba8d4ce5a1c6ca0c757d826e39619f94c0||2014-11-06 19:51:45||TSPY_POSLOGR.K||Data stealing, Asset/Data discovery|
Table 1. List of hashes and detection names
|SHA1||[C&C domain | IP address] : port||Notes|
|a0527db046665ee43205f963dd40c455219beddd||klaraplara.infovlasinkak.infoanrduha.infovladivkansada.info||Creation date: 2014-07-21
Creation date: 2014-07-21
Creation date: 2014-07-21
Creation date: 2014-07-21Only name resolution (DNS) was performed by the file.
|989fd64b70e13e8be87d6f6247a8fed257540c66||188.8.131.52:443||File originally connected to hxxp://184.108.40.206/vdQ1|
Table 2. List of hashes and C&C servers
It should be noted that there are two files listed here (5fa2a0639897a42932272d0f0be2ab456d99a402 and CCAD1C5037CE2A7A39F4B571FC10BE213249E611) have fake compile time dates, which is a visible attempt to mask the file’s validity.
According to the certificate revocation list, the certificates used to sign these malicious files were revoked on August 05, 2014.
Figure 9. Certificate Revocation List
However, the files were still signed with the certificates beyond that date. Here is the list of the files with digital certificates, and their signing time:
|Digital Certificate||File (sha1)||Link date|
|Serial Number: 2C 75 BA 23 12 ED BD 2E 6A 5A 5A FF 77 48 F1 0C||989FD64B70E13E8BE87D6F6247A8FED257540C66||10/24/2014 22:10|
|Thumbprint: 4B49E7698615732941AD4789FBACB989B639E301||D8E79A7D21A138BC02EC99CFB9DC59E2E0CEDF09||11/10/2014 21:24|
|Algorithm: SHA1||98729874BFE8A86C3D481B857AEA3FD1FAA3783D||9/22/2014 21:29|
Table 3. Time and date of malware signing
Trend Micro already detects all files listed above, where applicable. We would also like to recommend these steps in order to catch these kinds of attacks earlier:
- Audit accounts for failed/irregular logins. As seen by one of the tools used in this campaign, a password/credential dumper was used. If a user account was suddenly seen accessing a resource that looked unusual, then this may be a sign.
- Audit network log for abnormal connections. A network scanner was also used in this campaign, which can be used to enumerate a host’s resources. A passive network scanner, which observes anomalies in network traffic, can be used to flag these events and is often a built-in functionality of a breach detection system.
- Study warnings from security solutions. If you see a combination of hacking tools, backdoors and Trojans on a particular host, it may be efficient to acquaint oneself if these detections should be of an immediate concern – or not. In today’s world where there are just a lot of malware being seen in a daily basis, it is important to note which malware could severely affect your business.
For a full list of things to check, you can refer to 7 Places to Check for Signs of a Targeted Attack in Your Network.
To learn more about PoS RAM scraper malware, you can refer to our previous research paper titled PoS RAM Scraper Malware: Past, Present and Future.
Additional information and analysis by Abraham Camba, Jane Hsieh, and Kenney Lu.