Secrets: a malware toolbox for PoS machines

Source: Internet
Author: User
Tags: windows, rdp, maxmind


In the last two years, PoS malware has been used widely in PoS attacks against Tajikistan, jard.com, and Kmart. With the arrival of the "Black Friday" shopping season, malware on PoS machines will certainly draw attention again.

PoS attackers do not rely solely on their own malware to attack victims and steal their data. They also use a large number of other tools to achieve their goals. Some of these are also used by system administrators, such as PuTTY, and some come from the Sysinternals Suite provided by Microsoft.

Hackers use these tools to gain a better understanding of the environment they have broken into.

Most PoS terminals are insecure.

Unfortunately, PoS terminals and PoS environments are basically insecure, which gives attackers an excellent opportunity. Hackers attack PoS terminals in a variety of ways, one of which is through VNC (Virtual Network Computing).

In general, the PoS machine either requires no user name or password at all, or uses a weak password. This gives hackers an easy way in.

Microsoft's Remote Desktop Protocol (RDP) is another service that hackers easily exploit in PoS environments. Like VNC, RDP is typically configured with no password or a weak one.

BackOff Toolkit

At the beginning of this year, Trend Micro released a report detailing various malware families targeting PoS, including the well-known BackOff. In July 2014, BackOff became popular and widely used, mainly because it uses custom packing to obfuscate its code, making it difficult for researchers to reverse-engineer.

BackOff transmits the data it collects to command-and-control (C&C) servers and receives configuration updates from them. These servers are also used to deliver tool software to compromised devices: when attackers want to compromise multiple devices, they use the servers to push malware to the PoS machines to reduce their workload.

During our study of BackOff, one sample in particular caught our attention: r0.exe. We found that this sample connected to http://143biz.cc.md-14.webhostbox.net. The C&C server contains a large amount of information, including the tools used by the attackers and how they store data. We noticed that the attackers use a series of tools after they break into a PoS machine.

The server contains multiple files, which are described below. This is not a complete list of the files on the server, but it is sufficient to explain the situation.

r0.exe (MD5 checksum: 7a5580ddf2eb2fc4f4a0ea28c40f0da9):

A BackOff sample, compiled on January 1, October 22, 2014. The program connects to the following two C&C servers:

https://cyberwise.biz/register/register.php
https://verified-deal.com/register/register.php

R0.exe also creates the mutex aMD6qt7lWb1N3TNBSe4N.

3-2.exe (MD5 checksum: 0fb00a8ad217abe9d92a1faa424842dc):

Another BackOff sample, compiled on October 22, 2014, slightly earlier than r0.exe. The program connects to the following servers:

https://kitchentools.ru/phpbb/showtopic.php
https://cyclingtools.ru/phpbb/showtopic.php
https://biketools.ru/phpbb/showtopic.php

DK Brute priv8.rar (MD5 checksum: 028c9a1619f96dbfd29ca64199f4acde):


This package contains multiple tools and files, including the SSH/Telnet client putty.exe. It also contains ultravncviewerportable.exe and WinSCP, which are used to connect to remote systems and transfer files.


The package also contains DK Brute.exe, a dictionary-based tool for brute-forcing Windows RDP and other remote-access protocols.

IPCity.rar (MD5 checksum: 9223e%2e8ff9ddfa0d0dbad573d530):

This archive contains three files, including GeoLiteCity.csv, which is used to map IP addresses to countries. The file appears to have been downloaded from MaxMind, a company that provides IP address geolocation (latitude/longitude) databases.

The package also contains ip_city.exe, a program that converts a country or city into the corresponding IP ranges.

VUBrute 1.0.zip (MD5 checksum: 01d12f4f2f0d3019756d83e94e3b564b):

This is a password-protected ZIP file containing a VNC brute-force tool named VUBrute. The tool is very popular on Russian underground forums.

Logmein_checker.rar (MD5 checksum: 5843ae35bdeb4ca577054936c5c3944e):

The package contains the LogMeIn Checker software. LogMeIn is a popular remote-access product. The checker takes a user name/password list and an IP/port list and looks for LogMeIn installations with weak passwords.

Portscan.rar (MD5 checksum: 8b5436ca6e520d6942087bb38e97da65):

This archive includes kportscan3.exe, a basic port scanner that takes an IP range and a port number. According to the information on the C&C server, the hackers used this tool to scan ports 445, 338, 5900, and so on. They may have chosen it simply because it is easy to use.

C&C Server Analysis

Looking further at the C&C (command-and-control) server, we found more files on http://143biz.cc.md-14.webhostbox.net: a total of 5 different malware samples, the oldest of which dates back to February 2014. The samples also include other PoS malware such as Alina.


We also found a directory on the server: http://143biz.cc.md-14.webhostbox.net/something/login.php?p=Rome0


We received no response when accessing this directory, so we searched for other websites whose URLs contain the path /something/login.php?p=Rome0. We did find one: https://blog.-wordpress-catalog.com/something/login.php?p=Rome0.

Looking into the connection between 143.biz.cc.md-14.webhostbox.net and wordpress-catalog.com, we found another directory on the C&C server: http://143biz.cc.md-14.webhostbox.net/accounts.wordpress-catalog.com. These addresses did not respond either.

However, in the root directory we found a compressed file named something.zip (MD5 checksum: f9cbd1c3c48c873f3bff8c957ae280c7). This file contains the code running on the C&C server, along with some text files containing user names and credit card information.
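The file hashes, mutex name and C&C hosts quoted above are the kind of indicators a defender can turn directly into a check. The following script is an added example (it is not Trend Micro's code or part of the original post): it collects the indicators exactly as the article lists them, hashes files under a directory to look for the listed samples, and flags requests to the listed C&C hosts in a proxy log. The log line format and the sample log lines are constructed for the example; the garbled IPCity.rar hash is left out because it is not a valid MD5.

```python
"""Indicator matcher built from the IoCs quoted in this article.
Added example, not the original author's or Trend Micro's code.
Hashes, mutex name and C&C hosts are copied from the text; the
proxy log format and SAMPLE_LOG lines are constructed."""
import hashlib
import os
from urllib.parse import urlparse

# MD5 values as listed in the article (IPCity.rar omitted: its value is garbled)
KNOWN_MD5 = {
    "7a5580ddf2eb2fc4f4a0ea28c40f0da9": "r0.exe (BackOff)",
    "0fb00a8ad217abe9d92a1faa424842dc": "3-2.exe (BackOff)",
    "028c9a1619f96dbfd29ca64199f4acde": "DK Brute priv8.rar",
    "01d12f4f2f0d3019756d83e94e3b564b": "VUBrute 1.0.zip",
    "5843ae35bdeb4ca577054936c5c3944e": "Logmein_checker.rar",
    "8b5436ca6e520d6942087bb38e97da65": "Portscan.rar",
    "f9cbd1c3c48c873f3bff8c957ae280c7": "something.zip",
}

# Mutex created by r0.exe, as named in the article
KNOWN_MUTEXES = {"aMD6qt7lWb1N3TNBSe4N"}

# C&C hosts named in the article (r0.exe, 3-2.exe and the file server)
KNOWN_C2_HOSTS = {
    "cyberwise.biz", "verified-deal.com",
    "kitchentools.ru", "cyclingtools.ru", "biketools.ru",
    "143biz.cc.md-14.webhostbox.net",
}


def md5_of_file(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_hash(md5hex):
    """Return the article's label for a known MD5 (case-insensitive), else None."""
    return KNOWN_MD5.get(md5hex.lower())


def scan_directory(root):
    """Walk root and return [(path, label)] for files whose MD5 is listed."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                label = match_hash(md5_of_file(path))
            except OSError:  # unreadable file: skip, do not abort the scan
                continue
            if label:
                hits.append((path, label))
    return hits


def c2_host_of(url):
    """Return the listed C&C host that url points at, else None.
    Subdomains of a listed host count as matches."""
    host = (urlparse(url).hostname or "").lower()
    for known in KNOWN_C2_HOSTS:
        if host == known or host.endswith("." + known):
            return known
    return None


def flag_proxy_log(lines):
    """lines: 'timestamp client_ip url' records (constructed format).
    Returns [(client_ip, c2_host)] for requests to listed C&C hosts."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed record
        c2 = c2_host_of(parts[2])
        if c2:
            flagged.append((parts[1], c2))
    return flagged


# Constructed sample log: one benign request and three to listed hosts
SAMPLE_LOG = [
    "2014-11-20T10:01:02 10.0.5.17 https://www.example.com/index.html",
    "2014-11-20T10:01:09 10.0.5.23 https://cyberwise.biz/register/register.php",
    "2014-11-20T10:02:41 10.0.5.23 https://biketools.ru/phpbb/showtopic.php",
    "2014-11-20T10:03:00 10.0.5.40 http://143biz.cc.md-14.webhostbox.net/something/login.php?p=Rome0",
]

if __name__ == "__main__":
    for client, host in flag_proxy_log(SAMPLE_LOG):
        print(f"{client} contacted listed C&C host {host}")
    for path, label in scan_directory("."):
        print(f"{path}: matches {label}")
```

Hash matching only catches the exact samples the article lists; since BackOff is custom-packed, a repacked build will have a different MD5, which is why the network indicators (the C&C hosts and the register.php / showtopic.php paths) and the mutex name are worth checking alongside the hashes.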

Summary

Although we have not shown any new tools in this post, it is still very interesting to study the tools hackers actually use.

The software we listed is not comprehensive, but it at least shows that the tools hackers use are not very advanced. They did not reinvent the wheel or develop new tools; the existing ones were enough.

We believe this information will help administrators prevent PoS attacks.
