NewPosThings Has New PoS Things

Arbor Networks initially posted about a new point-of-sale (PoS) malware family named NewPosThings last September, which we detect as either TSPY_POSNEWT.SM or TSPY_POSNEWT.A. We are now seeing new developments in this area—namely, versions for 64-bit and higher.

The 64-bit version is out

Similar to the previous 32-bit version reported last year, the 64-bit sample is a multifunction Trojan that includes added functionalities and routines. These include RAM scraper capabilities, keylogging routines, dumping virtual network computing (VNC) passwords, and information gathering.

Installation

When the malware installs itself, it follows a specific algorithm to decide which file name to use.

1. First, get a base value that is based on the volume serial number and computer name
2. Using its own function, it calculates the base value to get the final value
3. Finally, select a file name from the output of step #2 mod 5

FileName = Array of FileName[Final Value % 5]

Depending on the output, the file name selected can be:

• Java\Javaj.exe
• lsm\lsm.exe
• svchost\svchost.exe
• dwm\dwm.exe
• lsasss\lsasss.exe

To maintain persistence, it will register itself as a start item “Java Update Manager” when it starts and would restart another process with “RM” parameters.

Figure 1. The 64-bit NewPoSThings registers itself as Java Update Manager

 

This new process will then search for VNC’s password, which includes WinVNC, RealVNC, UltraVNC and TightVNC, and this information is acquired immediately.

Figure 2. Building the list of stolen VNC password list. It is also seen to disable security warnings for specific extensions (.exe/.bat/.reg/.vbs)

Figure 3. Disabling security warning for specific file types

 Disabling the Open File Security Warning of Microsoft Windows reduces the overall security posture of the Microsoft Windows host operating system. This is because the system no longer prompts the user for validation when opening up files that could have been downloaded from malicious sources.

Main malware routines

After installation, it starts several threads to execute different tasks:

•  RAM Scraper Thread

Similar to other RAM scrapers, it enumerates all processes while skipping a whitelist, and searches for a specific pattern. Once it finds a target process, a thread is created to extract credit card numbers from memory. This process, while being simple and straightforward, is not so efficient as there may be a tendency for this RAM scraper to consume all CPU resources if the computer has a lot of running processes.

Figure 4. Process enumeration routine

Figure 5. Process White List

 

The search pattern is “[0-9]*(=|^).” If a number string is found, it will be validated with “Luhn Algorithm”, and the valid credit card number will be stored in memory and then to the transfer thread.

• Keylogger Thread

A hidden window “kl” is created in the background to collect user input. The data will be preserved in memory, and will not be written to a physical file.

 Figure 6. Creation of hidden window “kl”

• Keep-Alive Thread

When victim computer is online, this thread will report to its C&C server every 300 seconds, or five minutes.

• Transfer Thread

This thread will check every 600 seconds (or 10 minutes) if the data transfer is ready. Once ready, it will send the data to its C&C server.

Data Exfiltration

For this POS RAM scraper, the method of data exfiltration is via HTTP, and the context really depends on the data being collected.

C&C Server:	80.82.65.112:80
Protocol:	HTTP
User-Agent	Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)
Method	POST, example: cs= aW5zZXJ0&p=Windows+7+64+TEST&m=53852938&v=1.0

The parameters being sent can be of the following –

Parameter: cs

Value	Type	Remark
cGFzcw	Send Stolen VNC Password	TightVNC/WinVNC/UltraWNC/RealVNC
aW5zZXJ0	Report Client Information	OS + Computer Name + Client Version
bG9n	Keep Alive	Ping!
a2xvZw	Send Log Data	Key logger + Credit Card Number

•  Parameters: p

(OS Version)+(Platform) +(Computer Name)

Parameters: m

Session ID

Parameters: v

Client Version is a fixed value => 1.0, in this case

• Parameters: ls

Stolen Data

The 64-bit file we examined has been able to send back version 1.0. In comparison, earlier 32-bit samples (detected as TSPY_POSNEWT.SM or TSPY_POSNEWT.A) did not send back the client file’s version, and the URL format of the C&C was different:

64-bit v1.0 C&C	Earlier 32-bit C&C
http://80[dot]82[dot]65[dot]112/connect/2	http://wordpress-catalogs[dot]com/dkok/ek[dot]phphttp://91[dot]121[dot]87[dot]188/cms/CMS/ek[dot]phphttp://62[dot]68[dot]96[dot]173/cdsfh/ek[dot]php

The 64-bit C&C would also be the same URL format that we would see in higher versions, as we would detail below.

Growing versions

The change in the format of the CNCs was not the only observable change as NewPoSThings showed new versions over a couple of few months. Each version had a minor tweak, with the most current version (version 3.0) being the most complex:

Version	Changes
1.0	Disables Security Warning: Add “.exe/.bat/.vbs/.reg” to LowRiskOnly in 32-bit version:PDB: C:\Users\Tom\documents\visual studio 2012\Projects\jsd_12.2\Release\jsd_12.2.pdbOnly in 64-bit version: Sent back the client version:PDB:C:\Users\Tom\documents\visual studio 2012\Projects\jsd_12.2\x64\Release\jsd_12.2.pdbCompiled within the last 2 weeks of November 2014
2.1 – 2.3	Disables Security Warning: Modifying “:Zone.Identifier”PDB:C:\Users\Tom\documents\visual studio 2012\Projects\jsd_12.2\Release\jsd_12.2.pdbSamples seen may have been compiled during December 2014Later versions, possibly generated on January 2015 already had application manifest / compatibility stated for Windows 7, and also used a custom packer.
3.0	Disables Security Warning: Modifying “:Zone.Identifier”PDB path now totally hidden.Application manifest / compatibility stated for Windows 7 Uses a custom packer, added some anti-debugging methods Samples seen may have been compiled during the last week of January 2015

Currently, we’ve seen repackaging of version NewPoSThings 2.x with additional malware – SHA1: ffd268bf769e0ac0ba0003ae98fb09ab12883da4, currently detected as BKDR_BEZIGATE.AI. This malware is a backdoor type which presents some interesting features:

• First of all, it has a keylogging functionality as well as starting/stopping VNC and web camera:

Figure 7. Features of BKDR_BEZIGATE.AI

• Secondly, it sends feedback to its C&C server on the running processes

The more common approach for PoS malware is to bundle it with potentially unwanted applications (PUA), also known as adware. Packaging this PoS RAM scraper provides additional control over the affected endpoint.

Affected Parties

While going through C&C activity we saw, there were two that stood out. We observed attempts to connect to the C&C of the newer NewPoSThings PoS malware from IP addresses of two US-based airports. Together with the recent news on the Los Angeles International Airport (LAX) credit card breach, we believe that our previous write-up about seeing PoS attacks targeting travelers may not be far from the truth. No matter which country, airports represent one of the busiest establishments where there are transactions being made all year round.

This further reinforces the fact that PoS malware, and the threat actors behind it, may have definitely matured to branch out to targets other than large retailers or small merchants. Late 2014 we came out with a blog post that talks about these targets: Planes, Trains & Automobiles – Are You Safe From PoS Malware Anywhere?

Recommendations and Solutions

While Trend Micro already detects this threat, and blocks all C&Cs listed below, the following recommendations may help in this situation:

• Assess if it is possible to segregate PoS terminals from the rest of the network, and employ correct access controls. This would help getting the PoS terminals installed with malware by going through the network, or even making it harder for the malware to exfiltrate the stolen data. In this case, the data scraped from the PoS terminals would not be uploaded to the C&C servers if there was no direct access to the internet to begin with.
• If possible, employ application whitelisting technology to control which applications run in your network. This would best be done before deploying the PoS terminals, when we know that they are risk free.
• Check if there is any ways or means to detect an infection, like firewall or proxy logs. The use of YARA can also be an option, if PoS terminals are installed with a different antivirus solution. The indicators are provided below to help incident responders and security specialists.

Using a multi-layered security solution within the enterprise will enable your organization control user data while giving enterprise-wide visibility. This complete approach can help prevent PoS-related data breaches and business disruption from gateway and mobile devices. In addition, you can centrally manage threat and data policies across multiple layers of your IT infrastructure, streamline management, and provide more consistent policy enforcement. For endpoint monitoring and validation for possibly active infections, Trend Micro Deep Discovery Endpoint Sensorcan use the IP address and port, as well as the YARA rule, listed below.

Indicators

The indicators below are compiled examples based on the observed threat.

SHA1	Compile Time	Size (in bytes)	Trend Micro Detection	Notes
c812ef85fcc5da10590b2282a424797ef396b709	2014-11-20 18:08:29	168,960	TSPY64_POSNEWT.A	64-bit, v1.0
cb9bd8b694959d9c0b5885b1b032f6b08a7a4954	2014-12-06 16:24:51	174,080	TSPY64_POSNEWT.A	64-bit, v2.2
244c732db566bbc3da980d0ecdb3366c76afe79e	2014-12-01 07:28:30	184,320	TSPY_POSNEWT.SMA	32-bit, v2.1
a3a80891a498080f38c271e0d8196b0545610257	2014-12-02 06:50:03	153,600	TSPY_POSNEWT.SMA	32-bit, v2.1
73f867c199caa883dc696cd9c30209f96f8950cd	2014-12-02 13:27:16	153,600	TSPY_POSNEWT.SMA	32-bit, v2.1
326554562f9c3f6e7a2c5db023b1e9bc4df7b284	2014-12-06 17:20:37	184,320	TSPY_POSNEWT.SMA	32-bit, v2.1
d95900e134bad3d8f86127fd9dcc5adb76a3247e	2014-12-06 16:23:15	153,600	TSPY_POSNEWT.SMA	32-bit, v2.2
43d611650baff0a4280c53347cf37c2c4c911158	2014-12-30 16:01:46	154,112	TSPY_POSNEWT.SMA	32-bit, v2.3
660f10d50e2c3fc965d1ce5f8db3c1169f330a29	2015-01-25 21:36:02	432,128	TSPY_POSNEWT.SMB	32-bit, v2.3
b47b74dd253f0a158008986c82d425d674304c3a	2015-01-26 19:29:49	432,128	TSPY_POSNEWT.SMB	32-bit, v2.3
89c32b05e1deb60363c65ffdff4ca31b391f8d25	2015-01-28 11:57:27	415,232	TSPY_POSNEWT.SMB	32-bit, v3.0
ac57c375cad5803f16aa7afb8e9446b9310cde7d	2015-01-29 13:13:45	414,720	TSPY_POSNEWT.SMB	32-bit, v3.0

Here is a list of C&C locations observed:

• http://80[dot]82[dot]65[dot]112/connect/2
• http://80[dot]82[dot]65[dot]112/connect/5
• http://80[dot]82[dot]65[dot]112/connect/9
• http://192[dot]10[dot]10[dot]1/connect/2
• http://5[dot]39[dot]88[dot]204/connect/2
• http://80[dot]82[dot]65[dot]23/connect/3
• http://80[dot]82[dot]65[dot]23/connect/9

Here is the Yara rule:

rule PoS_Malware_NewPOSThings2015 : newposthings2015
{
meta:
author = “Trend Micro, Inc.”
date = “2015-03-10″
description = “Used to detect NewPoSThings RAM scraper, including 2015 sample set”
strings:
$pdb1 = “C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\NewPosThings\\Release\\NewPosThings.pdb” nocase
$pdb2 = “C:\\Final32\\Release\\Final.pdb” nocase
$pdb3 = “C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\Release\\jsd_12.2.pdb” nocase
$pdb4 = “C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\x64\\Release\\jsd_12.2.pdb” nocase
$string0 = “Software\\Microsoft\\Windows\\CurrentVersion\\Run” wide
$string1 = “Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)” wide
$string2 = “Content-Type: application/x-www-form-urlencoded” wide
$string3 = “Use 64bit version.” wide
$string4 = “SeDebugPrivilege” wide
$string5 = “Java Update Manager” wide
$string6 = “Java\\Javaj.exe” wide
$string7 = “lsass.exe” wide
$string8 = “aW5zZXJ0″
condition:
(any of ($pdb*)) or (all of ($str*))
}

With additional insights and analysis from Kenney Lu and Numaan Huq