In-depth analysis of new poser Trojan LogPOS

Source: Internet
Author: User


In recent years, POS malware activity has been frequent. This article analyzes a sample from a new family, LogPOS, found in 2015. An important feature of the malware is that it uses a Windows mailslot to pass stolen card data between processes, which lets it avoid detection mechanisms that watch for track data being written to log files on disk.

In this sample, the main program creates a mailslot and acts as the mailslot server, while the code injected into each process acts as a client: the injected code writes any credit card numbers it finds into the mailslot, and the main program reads them back and sends them to the C2 server.

Preface

POS malware was already active before this sample appeared.

In 2014, Jeremy Humble and I discovered two previously unreported POS malware families, and in 2015 we discovered another new family. We named it "LogPOS"; it is significantly different from the POS malware families found earlier.

In the following sections we analyze LogPOS in detail. The MD5 hash of the sample is:

af13e7583ed1b27c4ae219e344a37e2b

Background: Mailslots

In Windows there are several methods of inter-process communication, and mailslots are one of them.

A mailslot provides one-way communication between processes. Any process can create a mailslot and become its server. Other processes, the mailslot clients, send messages to the server by opening the mailslot by name. Incoming messages are held in the mailslot until the server process reads them. A process can be both a mailslot server and a mailslot client, so two mailslots can be combined to build bidirectional communication.

A mailslot can be used to send messages to a mailslot on the local computer, to a mailslot on another computer, or to mailslots of the same name on all computers in a specified domain. A broadcast message cannot be larger than 424 bytes. The length of a non-broadcast message is limited by the maximum message size that the mailslot server specified when it created the mailslot.

Mailslots are similar to named pipes, but across the network they carry data as unreliable datagrams (comparable to UDP in TCP/IP), so a network error can cause a message to be lost. In exchange, mailslots offer a simpler programming interface and the ability to broadcast to every computer in a domain, which makes them a reasonable choice for simple one-way messaging. LogPOS only ever uses its mailslot on the local machine (the \\.\ prefix in the name), so none of the network behavior matters for this sample.

In-depth analysis

Almost the moment I saw this sample, one string stood out:

\\.\mailslot\LogCC

Most POS variants use one process to read the memory of other processes and write the track data they find to a log file. LogPOS instead injects code into many processes, each of which searches its own memory. A shared log file is awkward in that design, because every injected client would need write access to the same file at the same time, so LogPOS uses a mailslot instead.

Using a mailslot for communication or storage is not new for malware; FireEye's report on APT28 noted that group's use of the mailslot "check_mes_v5555". A mailslot is an IPC mechanism that lets multiple clients send messages to one server. In this sample the main program creates the mailslot and acts as the server, while the code injected into each process acts as a client: it writes the card numbers it finds into the mailslot, and the main program reads them and forwards them to the C2 server.

 

At the start of execution, the program calls CreateMailslotA with the mailslot name \\.\mailslot\LogCC.

If the mailslot cannot be created, the program exits. Otherwise it enters an infinite loop that performs the following steps in order:

1. Sleep for 500 milliseconds.
2. Traverse the running processes. For each process:
   (1) compare its name with the whitelist;
   (2) if the name is not whitelisted, inject the shellcode into the process;
   (3) the injected code scans the process memory for credit card track data;
   (4) the injected code verifies each candidate number with the Luhn algorithm.
3. Read the mailslot.
4. Send the data.

The most interesting part is the injected code, so we will analyze it in more detail.

During process traversal (as described above), the malware compares each process name with a whitelist of process names (the list itself is shown as an image in the original article and is not reproduced on this page).

(The string comparison routine is also shown as an image in the original article and is not reproduced here.)

Once a process whose name is not in the whitelist is found, the shellcode is written into that process with WriteProcessMemory. The first thing the shellcode does is locate the base address of kernel32 and use it to build its own import table. The technique for finding kernel32 from the PEB has been described in detail in many blogs.

Once the base address is found, the shellcode resolves the APIs it needs by comparing hashes of the exported function names against its own hash constants, rather than carrying API names as strings. (The original article lists the hashes and the corresponding API names in an image that is not reproduced here.)

After the import table is built, the injected code calls CreateFileA with the name \\.\mailslot\LogCC to obtain a handle to the mailslot for writing.

When scanning memory, the malware uses a custom search routine to locate common track data.

 

Each candidate number is then passed to the shellcode's own Luhn implementation. If the number is valid, it is written to the mailslot for the main program to read later. When the main program reads a number from the mailslot, it builds a formatted string and sends the information to the remote site.

The data is sent to the remote site with an HTTP GET request.

The site stored the received data in plain text (it could be read without any decryption at the time of writing). Most of the numbers in it came from the rdpclip and notepad process spaces, so we suspect the malware author was still testing the code. (The original article includes a screenshot of the stored content and the related IP information.)
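The following is an added example, not LogPOS code or Morphick's tooling. It shows what the injected client has to do in the steps above: find track 1 and track 2 records in a memory buffer, keep only the numbers that pass the Luhn check, and fold each survivor into a request line of the shape given by the GET format string in the YARA rule below. The memory contents are constructed test data using test card numbers; the request path and the values of the encoding= and t= parameters are placeholders, since the page does not document what the real sample puts there.

```python
import re

# Constructed sample of what an injected client might see in a process's
# memory: two valid track records plus one with a bad check digit.
# Test PANs only; no real card data.
SAMPLE_MEMORY = (
    b"\x00\x00random heap data\x00"
    b"%B4111111111111111^DOE/JOHN^25121010000000000000?\x00"
    b";5555555555554444=2512101000000000?\x00"
    b";4111111111111112=2512101000000000?\x00"   # fails Luhn
    b"more filler\x00"
)

# Track 1: %B<PAN>^<NAME>^<YYMM>...?   Track 2: ;<PAN>=<YYMM>...?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, the filter the injected code applies
    before it writes a candidate number to the mailslot."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_tracks(buf: bytes):
    """Yield (track_number, pan) for every track-shaped record in buf."""
    for m in TRACK1_RE.finditer(buf):
        yield 1, m.group(1).decode("ascii")
    for m in TRACK2_RE.finditer(buf):
        yield 2, m.group(1).decode("ascii")


def find_valid_cards(buf: bytes):
    """Track hits that also pass Luhn, in discovery order, deduplicated."""
    seen, out = set(), []
    for track, pan in scan_tracks(buf):
        if luhn_ok(pan) and (track, pan) not in seen:
            seen.add((track, pan))
            out.append((track, pan))
    return out


def build_beacon(pan: str, track: int, process: str, path: str = "p") -> str:
    """Hypothetical request line in the shape of the $get format string
    (cc=%I64d means the PAN is sent as a 64-bit integer). The path and the
    encoding=/t= values are placeholders, not values from the sample."""
    return (f"GET /{path}?encoding=a&t={track}&cc={int(pan)}"
            f"&process={process}&track={track} HTTP/1.1")


if __name__ == "__main__":
    for track, pan in find_valid_cards(SAMPLE_MEMORY):
        print(build_beacon(pan, track, "notepad.exe"))
```

Running the script prints one beacon line per valid card; the record with the bad check digit is dropped by luhn_ok and never reaches build_beacon, which is exactly why a Luhn filter inside the scraper reduces the noise the operator has to sift through.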

Detection Method

Because LogPOS never writes the unencrypted credit card data to a file, but passes it through a mailslot instead, it avoids detection mechanisms that look for track data in log files on disk. With a tool like YARA, however, the variants are easy to detect. The following rule will help you find this malware.

rule LogPOS
{
    meta:
        author = "Morphick Security"
        description = "Detects Versions of LogPOS"
        md5 = "af13e7583ed1b27c4ae219e344a37e2b"
    strings:
        $mailslot = "\\\\.\\mailslot\\LogCC"
        $get = "GET /%s?encoding=%c&t=%c&cc=%I64d&process="
        // 64 A1 30 00 00 00    mov eax, dword ptr fs:[0x30]
        // 8B 40 0C             mov eax, dword ptr [eax + 0xc]
        // 8B 40 1C             mov eax, dword ptr [eax + 0x1c]
        // 8B 40 08             mov eax, dword ptr [eax + 8]
        $sc = { 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 }
    condition:
        $sc and 1 of ($mailslot, $get)
}

The $sc bytes are a common PEB-walk idiom shared by a great deal of unrelated shellcode, which is why the condition also requires one of the two LogPOS-specific strings.

 

Besides YARA, this POS malware can also be detected by its URI pattern. The following signature (in Bro/Zeek signature syntax) detects the malware on the network. Note that the http-request condition can only fire on port 443 if the TLS traffic has been decrypted upstream of the sensor.

signature LogPOS {
    # source: Morphick Security
    # version: 1
    # ref: af13e7583ed1b27c4ae219e344a37e2b
    ip-proto == tcp
    dst-port == 80,443
    http-request /.*encoding\=.*\&t\=.*\&cc\=.*\&process\=.*\&track\=/
    event "LogPOS Credit Card GET Request Pattern"
}
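The following is an added example, not Morphick's rule or tooling. It re-implements the conditions of both signatures above in plain Python so they can be checked against constructed samples without YARA or Zeek installed: the YARA condition ($sc and one of the two strings) over byte buffers, and the Zeek request-line regex plus port test over (port, request line) pairs. All sample bytes and request lines are constructed test data.

```python
import re

# Bytes of the PEB walk from the YARA rule, with the disassembly the rule
# comments give for them:
#   64 A1 30 00 00 00   mov eax, fs:[0x30]    ; PEB
#   8B 40 0C            mov eax, [eax+0x0C]   ; PEB->Ldr
#   8B 40 1C            mov eax, [eax+0x1C]   ; Ldr->InInitializationOrderModuleList.Flink
#   8B 40 08            mov eax, [eax+0x08]   ; entry->DllBase
PEB_WALK = bytes.fromhex("64A1300000008B400C8B401C8B4008")
MAILSLOT = b"\\\\.\\mailslot\\LogCC"            # the bytes \\.\mailslot\LogCC
GET_FMT = b"GET /%s?encoding=%c&t=%c&cc=%I64d&process="


def yara_logpos_matches(sample: bytes) -> bool:
    """Same condition as the YARA rule: $sc and 1 of ($mailslot, $get)."""
    return PEB_WALK in sample and (MAILSLOT in sample or GET_FMT in sample)


# Request-line regex and port test from the Zeek signature.
URI_RE = re.compile(r".*encoding\=.*\&t\=.*\&cc\=.*\&process\=.*\&track\=")


def http_request_matches(dst_port: int, request_line: str) -> bool:
    """dst-port == 80,443 and http-request /.../ from the signature."""
    return dst_port in (80, 443) and URI_RE.search(request_line) is not None


def flag_requests(requests):
    """Indices of (dst_port, request_line) pairs the signature fires on."""
    return [i for i, (port, line) in enumerate(requests)
            if http_request_matches(port, line)]


# Constructed samples. SAMPLE_DROPPER carries the PEB walk and the mailslot
# name; SAMPLE_GENERIC carries only the PEB walk, as much unrelated
# shellcode does, and must not match.
SAMPLE_DROPPER = (b"MZ\x90\x00" + b"\x00" * 16 + PEB_WALK
                  + b"\x00" * 8 + MAILSLOT + b"\x00")
SAMPLE_GENERIC = b"\xfc\xe8" + PEB_WALK + b"\x8b\x00"

# Constructed request log: (destination port, HTTP request line).
SAMPLE_REQUESTS = [
    (80,   "GET /p?encoding=a&t=1&cc=4111111111111111&process=notepad.exe&track=1 HTTP/1.1"),
    (443,  "GET /index.html HTTP/1.1"),
    (8080, "GET /p?encoding=a&t=1&cc=4111111111111111&process=notepad.exe&track=1 HTTP/1.1"),
    (80,   "GET /search?q=encoding%3D HTTP/1.1"),
]


if __name__ == "__main__":
    print("dropper matches:", yara_logpos_matches(SAMPLE_DROPPER))
    print("generic shellcode matches:", yara_logpos_matches(SAMPLE_GENERIC))
    print("flagged request indices:", flag_requests(SAMPLE_REQUESTS))
```

The third request carries the full LogPOS parameter set but goes to port 8080, so the Zeek signature as written misses it; if a variant changes its C2 port, drop the dst-port condition or widen it, since the URI pattern itself is the specific part.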

Conclusion

In recent years, POS malware has attracted attention from many directions. Trend Micro recently reported that more POS malware variants were found in the past six months than in the previous several years.

For example, early this year Josh Grunzweig discovered a new Alina variant named "eagle", and Trustwave documented another new version called Spark. Meanwhile, the discovery of new families such as Getmypass, LusyPOS, darededevil, NewPOSThings, and Backoff has only just begun.
