New GamaPoS Malware Piggybacks on Andromeda Botnet; Spreads in 13 US States
We discovered GamaPoS, a new breed of point-of-sale (PoS) threat currently spreading across the United States and Canada through the Andromeda botnet. GamaPoS is the latest in a long list of threats that scrape off credit card data from PoS systems. Compared to its predecessors, GamaPoS uses malware coded using the .NET framework—a first in PoS threats.
The GamaPoS threat uses a “shotgun” or “dynamite fishing” approach to get to targets, even unintended ones. This means that it launches a spam campaign to distribute Andromeda backdoors, infects systems with PoS malware, and hopes to catch target PoS systems out of sheer volume. Rough estimates show us that GamaPOS may have only hit 3.8% of those affected by Andromeda.
Based on our initial scans, we noted that GamaPoS has affected a number of organizations spread across the 14 locations in North America, 13 of which are US states.
- New York
- South Carolina
- Vancouver, Canada
Businesses that use Visa, Discovery, and Maestro (among other credit and debit cards) risk losing their customers’ data to GamaPoS.
GamaPoS in Focus
The GamaPoS infection starts when victims access malicious emails that contain attachments such as macro-based malware or links to compromised websites hosting exploit kit content. This kind of modus operandi is similar to past Andromeda revivals.
Once converted into Andromeda bots, the affected machines can now be manipulated via a control panel, letting cybercriminals perform different commands. Attackers use copies of the tools Mimikatz and PsExec to gain control. However, it is only on certain instances that GamaPoS would be installed.
Figure 1. Andromeda to GamaPoS infection chain
Both PsExec and Mimikatz are popular tools in targeted attacks. PsExec has been used in the Target breach to kill processes and move files. It is a legitimate whitelisted tool that attackers can use to remotely control and perform diagnostics on systems. On the other hand, Mimikatz is a publicly known tool, inserted in other tools, which attackers typically modify. It can be considered one of the best tools to gather credentials from a Windows system. Having both PsExec and Mimikatz in the GamaPoS infection chain enables attackers to laterally move inside target networks at a great degree.
Some other notable findings on GamaPoS are as follows:
- GamaPoS has specific targets in several industries worldwide.
It is important to note that though the US experiences the brunt of the infections, other organizations in other countries are also affected. Below are some of the specific establishments victimized by GamaPoS:
- Pet care
- Furniture wholesale
- Home health care
- Online Market stores
- Consumer Electronics Company
- Records Storage Facility
- Employment Agency and professional services
- Credit union
- Software developer for insurance
- Software developer for telecoms
- Industrial supply distributor
- Attackers use compliance documents and MICROS updates as lures. They entice their victims to download malicious files either by making them believe that they would be assisting them in Payment Card Industry Data Security Standard (PCI DSS) compliance or help update their Oracle® MICROS® platform. The recently discovered MalumPoS threat is also known to target systems running on MICROS.
- GamaPoS holds the distinction of being a .NET scraper—something unseen in prior PoS threats.
We can attribute this development to the fact that it is easier to create malware in the .NET platform and, now that Microsoft made it available as an open-source platform, more developers are expected to use it for their applications. This makes .NET a viable platform to use for attacks.
When loading, GamaPoS evaluates a list of URLs to see which command-and-control (or control panel) is up and running. The communication is done in HTTPS and, once a good panel has been selected, it would continue execution. There are no process exemptions and GamaPoS goes through all processes and dumps Track 2 data.
- GamaPoS targets a range of cards, including Visa and Discover.
While the evaluated example does not do Luhn validation, GamaPoS does manually filter the data by evaluating the first few numbers of the scraped data.
- 4 (length=12) – Visa
- 56 to 59 (length=14) – Maestro and other ATM/debit cards
- 6011 (length=12) – Discover Card
- 65 (length=14) – Discover
- Finally, it would attempt to upload the collected data via the command-and-control server that has been selected during initial execution.
- GamaPoS is closely linked to NitlovePOS, a new malware reported externally.
Similarities between the two campaigns are no coincidences. Both are spread using a spam campaign that uses macro malware, and the initial stages of both campaigns are hosted in the same IP block.
The Return of Andromeda
Andromeda is a well-known botnet that surfaced around 2011. It’s notorious for delivering threats like Gamarue. Cybercriminals use Andromeda for its wide reach, letting them gain control of endpoints, effectively turning them into bots or zombies. The highly configurable and modular design of the Andromeda botnet has been noted to fit any malicious intent, like distributing ZeuS or, more recently, distributing a Lethic bot.
Earlier this year, the Andromeda botnet was seen spreading macro-based malware—an old cybercriminal trick that has lately been regaining traction. Based on our research, the past few months seem to be quite busy for the Andromeda botnet. Its recent activity reveals its heavy presence in the United States.
Andromeda is delivered to desktops either through spammed emails or exploit kit content. Both methods inevitably lead to the download of Andromeda binaries onto the computer. We found that there are a total of 9 domains used in this campaign. All of which are hosted in one IP address. Globally, with 85% of the share, the United States is the top source of traffic going to this IP address. It is distantly followed by Canada with 2%.
Figure 2. Global distribution of Andromeda-related traffic, [insert duration]
Using an old botnet as a shotgun method to cast a wide net for targets has its merits. Using spam and exploit kits to establish a large mass of bots enables operators to steal information from specific targets, some of which can be resold to other threat actors.
Another interesting move here was the deployment of PSEXEC and MIMIKATZ – two tools widely used in targeted attacks. More information about the stages of this threat and specific indicators can be found in the GamaPoS technical brief.
Note that this threat combines a classic botnet with a PoS RAM scraper, thus requiring more sophisticated methods of protection. To deal with exploit kits and botnets like Andromeda, IT managers need to stay updated on patches for vulnerabilities exploited by these kits.
Trend Micro is monitoring this ongoing activity. To read up on how to enhance your security posture on your point-of-sale systems, please read Defending Against PoS RAM Scrapers: Current Strategies and Next-Gen Technologies.
To prevent threats from coming in via malicious emails, enforce strong security policies that work according to how your company uses email so as to prevent threats like macro-malware pass through. Effective spam filters that evaluate if attachments have malicious intent work best against these threats. Email attachment analysis in the Trend Micro™ Custom Defense™ technology has been proven to detect and help protect companies from targeted PoS threats that uses email as its arrival vector.
Additional malware analysis by Erika Mendoza and Marvin Cruz; additional information from Joseph C Chen, Maydalene Salvador and Numaan Huq.