Signed PoS Malware Used In Pre-Holiday Attacks, Linked to Targeted Attacks

Last year, we detected some new PoS malware just before the holiday season. At that time, we omitted mentioning one fact – that the file was digitally signed with a valid certificate. Our research shows that these PoS malware attacks are growing in sophistication, with code signing and improved encryption becoming more commonplace. We were also able to connect this PoS malware to the group behind the Anunak malware, which is related to the Carbanak gang described by our colleagues over at Fox-IT.

Figure 1. Sample with valid digital signature (taken on November 27, 2014)

Malware code signing has increased in recent years, and malware authors often seek code-signing keys so that their malicious files appear to be legitimate software. In this case, the attackers went through the whole process of requesting a code-signing certificate from a known certificate authority. COMODO, the issuer of this certificate, has since revoked it.

With this in mind, we began searching for additional components of this binary. This blog entry adds context to our original blog post published last year.

Carefully crafted binaries

Based on other PoS malware that we have observed, we knew that this was likely a multi-component malware. As such, we monitored this threat over the couple of months following the incident. One file that caught our interest has the SHA1 hash d8e79a7d21a138bc02ec99cfb9dc59e2e0cedf09. We noted some important things about it:

  1. First, the file itself was signed similarly: it used the same name, email address, and certificate authority.
  2. Secondly, the file was constructed far too carefully for the standard malware we see on a daily basis.

Analysis of the file showed that it has its own encryption method that common tools cannot identify, and it decrypts only the code it needs, which is destroyed after use. Another interesting thing is that the GetProcAddress API was used (which is almost abandoned nowadays). It searches the PE header tables by brute force and calls NT* functions.

During installation, the .text section is reused by the unpacking code and the installation routine, as seen below:

Figure 2. Section reuse

It then starts the host process svchost.exe with the parameters -k netsvc in a suspended state. Once done, it prepares a decrypted PE image that can be written into memory. When everything is ready, it calls NT* functions to write the PE image into the host process’s memory, sets the thread context, and resumes the thread. Finally, the decrypted PE image is destroyed immediately.

Figure 3. CreateProcess with suspended creation state

Figure 4. Decrypted PE image file in memory

While the PE image loaded in memory can be dumped to a file, its strings and API calls are still protected and are not straightforward to decipher. A decoder table was necessary to understand the inner workings of the file, as shown below:

Figure 5. Decoder table

Using homemade decryption tools, we discovered the following functionality:

  1. Two fixed C&C servers: one on ports 80 and 443, and one on port 443
  2. Searching for the NSB Retail System logs at C:\NSB\Coalition\Logs and nsb.pos.client.log
  3. Searching for files with the following extensions:
    • bml
    • cgi
    • gif
    • htm
    • html
    • jpg
    • php
    • png
    • pst
    • shtml
    • txt
  4. The use of VNC and Remote Desktop
  5. Modifying the settings of the Windows firewall to give itself network access
  6. Database connectivity
  7. Reference to mimikatz – a tool to recover clear-text passwords from LSASS
  8. Encryption and decryption routines
  9. Keylogging functionality

Targeting the Top PoS Vendor: Epicor

This was not your run-of-the-mill malware. It was point-of-sale (PoS) malware that explicitly targeted the Epicor/NSB PoS system. Epicor was recently recognized as the top vendor of PoS software, leading other top PoS vendors in number of accounts and revenue.

A second look at the binary indicates that this particular file is related to the CARBERP family of banking Trojans, whose source code was leaked around 2013. In particular, this file contained the following CARBERP plugins:

  • plug and vnc.plug – VNC Plugin
  • plug – iFOBS remote banking system
  • plug – Ammy Remote Desktop Plugin

We went back and cross-referenced other files to look for other complex malware samples that could be linked to this one. We came across another (SHA1 hash: a0527db046665ee43205f963dd40c455219beddd) of almost the same complexity. Some of its significant characteristics are listed below:

  1. It drops a file called ms*.exe and creates a startup item under the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run key.

    Figure 6. Created registry entry

    Aside from this, it modifies the Zone.Identifier alternate data stream to avoid the pop-up warning:

    Figure 7. Alternate data stream

  2. It attempts to acquire elevated privileges via SeRestorePrivilege, SeBackupPrivilege, and SeDebugPrivilege. Privileges like these allow the caller full access to a process, including the ability to call TerminateProcess(), CreateRemoteThread(), and other potentially dangerous APIs on the target process.
  3. It also has anti-debugging functions and its own dynamic unpacking code:
    1. Unpack code into .text and jump back
    2. Allocate a memory block at 0x7FF90000 (close to the user-mode address limit)
    3. Unpack code into 0x7FF90000 and jump there
  4. C&C server communication
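The two host-side behaviours described above, the first sample launching svchost.exe -k netsvc as a container for an injected PE image and the second sample registering itself under the Policies\Explorer\Run key, both leave traces in ordinary process-creation, process-access and registry telemetry. The following triage routine is an added example written for this post, not Trend Micro's detection logic: it runs a few narrow rules over constructed Sysmon-style events (field names follow Sysmon's schema; the pid values, drop path ms4f21.exe and the allowlist of benign accessors are invented for illustration).

```python
"""Triage of constructed Sysmon-style events for two behaviours described in
the post: svchost.exe (-k netsvc) used as a host process for an injected PE
image (first sample) and persistence through the Policies\\Explorer\\Run key
(second sample).  Added example, not Trend Micro's detection logic; every
event below is constructed, and the field names follow Sysmon's schema."""
from typing import Dict, List

# Windows process access rights that writing into another process requires.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Service hosts are legitimately started by the Service Control Manager only.
EXPECTED_SVCHOST_PARENT = r"c:\windows\system32\services.exe"
# Startup location used by the second sample (matched case-insensitively).
POLICY_RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run\\"
# Constructed allowlist of processes that routinely open others with write
# access; tune to the environment being monitored.
BENIGN_ACCESSORS = {"services.exe", "csrss.exe", "lsass.exe", "msmpeng.exe"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _service_group(command_line: str) -> str:
    """Return the value following '-k' in an svchost command line, or ''."""
    args = command_line.lower().split()
    for i, arg in enumerate(args[:-1]):
        if arg == "-k":
            return args[i + 1]
    return ""


def triage(events: List[Dict]) -> List[str]:
    """Return one finding string per suspicious event, in input order."""
    findings: List[str] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # ProcessCreate
            if (_basename(ev["Image"]) == "svchost.exe"
                    and _service_group(ev["CommandLine"]).startswith("netsvc")
                    and ev["ParentImage"].lower() != EXPECTED_SVCHOST_PARENT):
                findings.append(
                    f"E1 pid {ev['ProcessId']}: svchost.exe -k netsvc* started by "
                    f"{ev['ParentImage']} instead of services.exe; candidate host "
                    "process for an injected PE image")
        elif eid == 10:  # ProcessAccess
            granted = int(ev["GrantedAccess"], 16)
            if (_basename(ev["TargetImage"]) == "svchost.exe"
                    and granted & WRITE_MASK == WRITE_MASK
                    and _basename(ev["SourceImage"]) not in BENIGN_ACCESSORS):
                findings.append(
                    f"E10: {ev['SourceImage']} opened svchost.exe (pid "
                    f"{ev['TargetProcessId']}) with {ev['GrantedAccess']}, which "
                    "includes VM_OPERATION|VM_WRITE; possible memory write into host")
        elif eid == 13:  # RegistryEvent (value set)
            if POLICY_RUN_KEY in ev["TargetObject"].lower():
                findings.append(
                    f"E13: {ev['Image']} set {ev['TargetObject']} = {ev['Details']}; "
                    "autostart under Policies\\Explorer\\Run")
    return findings


# Constructed events: the first three are benign noise, the last three model
# the behaviour the post describes (pids and the ms4f21.exe path are invented).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 812, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "TargetProcessId": 812,
     "GrantedAccess": "0x1400"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\pos\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvc",
     "ParentImage": r"C:\Users\pos\AppData\Local\Temp\ms4f21.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\pos\AppData\Local\Temp\ms4f21.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "TargetProcessId": 4120,
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 13, "Image": r"C:\Users\pos\AppData\Local\Temp\ms4f21.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ms4f21",
     "Details": r"C:\Windows\System32\ms4f21.exe"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The parent-process rule is the useful one for the hollowing pattern: a suspended svchost.exe started by anything other than services.exe has no legitimate reason to exist, and the follow-up ProcessAccess with VM_OPERATION|VM_WRITE from the same unusual image is what the write of the decrypted PE image looks like in telemetry. The registry rule is deliberately narrow to the key the post names; a production ruleset would cover the ordinary Run and RunOnce keys as well.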

Using feedback from our Smart Protection Network, we looked for other threats similar to these two samples.

A quick evolution

We saw a file similar to the above files located in C:\Windows\SysWOW64 (on 64-bit Windows) and C:\Windows\System32 (on 32-bit Windows). The difference, however, was that this one was a DLL file (SHA1 hash: CCAD1C5037CE2A7A39F4B571FC10BE213249E611).

Careful analysis revealed that, although compiled as a DLL, it uses the same cipher as the earlier samples. However, a different C&C server was used here. This change may have been an attempt to evade analysis, as some automated analysis tools do not process DLLs, since they cannot be directly executed.

Figure 8. Decoder table

These indicators show that these files were the work of a fairly sophisticated group of attackers.

Who’s responsible for this?

As it turns out, we can attribute this to the European APT group that uses the Anunak malware, which was previously reported on by Group-IB and Fox-IT.

Our research leads us to believe that the files listed below could be used in similar campaigns within the United States and Canada:

Table 1. List of hashes and detection names

Table 2. List of hashes and C&C servers

It should be noted that two of the files listed here (5fa2a0639897a42932272d0f0be2ab456d99a402 and CCAD1C5037CE2A7A39F4B571FC10BE213249E611) have fake compile timestamps, a visible attempt to disguise the files.

According to the certificate revocation list, the certificates used to sign these malicious files were revoked on August 05, 2014.

Figure 9. Certificate Revocation List

However, files were still signed with the certificates after that date. Here is the list of files with digital certificates and their signing times:

Table 3. Time and date of malware signing
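A signature made after the signer's certificate was revoked should fail verification, while one carrying a trusted timestamp from before the revocation date may still validate and therefore needs a policy decision rather than an automatic pass. The routine below is an added example, not Trend Micro's tooling and not a full Authenticode verifier (it does no chain building or CRL parsing); it models only the date logic, with the revocation date taken from the post and the certificate window, signing times and verification date constructed for illustration. The real signing times belong in Table 3.

```python
"""Judging a code signature against the signer certificate's validity window
and revocation date, modelling the situation in the post: the signing
certificates were revoked on August 05, 2014, yet files bear later signing
times.  Added example, not Trend Micro's tooling and not a full Authenticode
verifier (no chain building, no CRL parsing); the file records below are
constructed, and only the revocation date comes from the post."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

UTC = timezone.utc
REVOKED_ON = datetime(2014, 8, 5, tzinfo=UTC)  # revocation date from the post's CRL


@dataclass(frozen=True)
class SignedFile:
    label: str
    cert_not_before: datetime
    cert_not_after: datetime
    signing_time: Optional[datetime]  # from a trusted timestamp countersignature, else None


def verdict(f: SignedFile, revoked_on: Optional[datetime], now: datetime) -> str:
    """Decide whether to trust the signature on one file.

    - Without a trusted timestamp the signature is judged as of 'now': the
      signing time claimed by the signer alone is not authenticated.
    - A revoked certificate invalidates every signature made at or after the
      revocation date.  Earlier timestamped signatures remain cryptographically
      valid but deserve review, because the event that caused revocation (a
      fraudulently obtained or stolen key) may predate the recorded date.
    """
    effective = f.signing_time if f.signing_time is not None else now
    basis = "timestamp" if f.signing_time is not None else "verification time"
    if not (f.cert_not_before <= effective <= f.cert_not_after):
        return (f"reject: certificate outside its validity period at {basis} "
                f"{effective:%Y-%m-%d}")
    if revoked_on is not None and effective >= revoked_on:
        return (f"reject: signed at {basis} {effective:%Y-%m-%d}, on/after "
                f"revocation {revoked_on:%Y-%m-%d}")
    if revoked_on is not None:
        return (f"review: timestamped {effective:%Y-%m-%d}, before revocation; "
                "check the revocation reason before trusting")
    return "accept"


# Constructed records: certificate window, signing times and verification date
# are illustrative stand-ins for the values in Table 3 of the post.
_NB = datetime(2014, 2, 1, tzinfo=UTC)
_NA = datetime(2015, 2, 1, tzinfo=UTC)
SAMPLES = [
    SignedFile("signed-before-revocation", _NB, _NA, datetime(2014, 7, 1, tzinfo=UTC)),
    SignedFile("signed-after-revocation", _NB, _NA, datetime(2014, 11, 20, tzinfo=UTC)),
    SignedFile("no-trusted-timestamp", _NB, _NA, None),
]
AS_OF = datetime(2015, 2, 16, tzinfo=UTC)  # constructed verification date


def evaluate_samples(now: datetime = AS_OF) -> Dict[str, str]:
    """Apply the post's revocation date to every constructed sample."""
    return {f.label: verdict(f, REVOKED_ON, now) for f in SAMPLES}


if __name__ == "__main__":
    for label, result in evaluate_samples().items():
        print(f"{label:26} {result}")
```

The third sample shows why the timestamp matters: a signature with no trusted countersignature is evaluated at verification time, so once the certificate expires or is revoked it fails regardless of when the attacker actually signed the file. The files in the post, signed after August 05, 2014 with certificates already on the CRL, fall into the second case and should be rejected by any verifier that checks revocation.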


Trend Micro already detects all the files listed above, where applicable. We would also like to recommend the following steps to catch these kinds of attacks earlier:

  • Audit accounts for failed or irregular logins. One of the tools used in this campaign was a password/credential dumper. If a user account is suddenly seen accessing a resource it does not normally use, this may be a sign of compromise.
  • Audit network logs for abnormal connections. A network scanner, which can be used to enumerate a host’s resources, was also used in this campaign. A passive network scanner, which observes anomalies in network traffic, can flag these events and is often built into a breach detection system.
  • Study warnings from security solutions. If you see a combination of hacking tools, backdoors, and Trojans on a particular host, it is worth determining whether these detections are an immediate concern or not. In today’s world, where a large volume of malware is seen every day, it is important to note which malware could severely affect your business.
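The first recommendation, auditing for failed and irregular logins, is most effective when "irregular" is measured against what each account normally does rather than against a fixed rule. The following baseline-and-compare routine is an added example written for this post, not Trend Micro's product logic: it learns each account's usual target hosts from constructed Windows Security log records (event 4624 for a successful logon, 4625 for a failure), then flags first-ever access to a host and bursts of failures from one source, the pattern that follows credential dumping when harvested passwords are tried against other machines. The account names, hosts and times are all constructed.

```python
"""Baselining Windows logon events to surface the two signals the post
recommends auditing: an account reaching a resource it has never used, and a
burst of failed logons such as trying harvested credentials produces.  Added
example, not Trend Micro's product logic; the records are constructed and use
Security log event IDs 4624 (successful logon) and 4625 (failed logon)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Logon:
    when: datetime
    event_id: int   # 4624 = successful logon, 4625 = failed logon
    account: str
    source: str     # workstation or address the logon came from
    target: str     # host that recorded the event


def build_baseline(history: List[Logon]) -> Dict[str, Set[str]]:
    """Map each account to the hosts it successfully logged on to."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for ev in history:
        if ev.event_id == 4624:
            seen[ev.account].add(ev.target)
    return dict(seen)


def detect(events: List[Logon], baseline: Dict[str, Set[str]],
           fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Return findings in time order: new-host logons and failure bursts."""
    findings: List[str] = []
    failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerted: Set[Tuple[str, str]] = set()
    for ev in sorted(events, key=lambda e: e.when):
        stamp = f"{ev.when:%Y-%m-%d %H:%M}"
        if ev.event_id == 4624:
            known = baseline.get(ev.account)
            if known is None:
                findings.append(f"{stamp} {ev.account}: logon to {ev.target} from "
                                f"{ev.source}; account has no baseline")
            elif ev.target not in known:
                findings.append(f"{stamp} {ev.account}: first-ever logon to "
                                f"{ev.target} from {ev.source}")
        elif ev.event_id == 4625:
            key = (ev.source, ev.account)
            recent = failures[key]
            recent.append(ev.when)
            while recent and ev.when - recent[0] > window:  # slide the window
                recent.popleft()
            if len(recent) >= fail_threshold and key not in alerted:
                alerted.add(key)
                minutes = int(window.total_seconds() // 60)
                findings.append(f"{stamp} {ev.account}: {len(recent)} failed logons "
                                f"from {ev.source} within {minutes} min")
    return findings


def _t(day: int, hour: int, minute: int = 0) -> datetime:
    return datetime(2015, 2, day, hour, minute)


# Constructed baseline: twelve normal days for two accounts.
HISTORY = (
    [Logon(_t(d, 9), 4624, "alice", "WS-ALICE", "POS-01") for d in range(1, 13)]
    + [Logon(_t(d, 9, 5), 4624, "alice", "WS-ALICE", "FILESRV") for d in range(1, 13)]
    + [Logon(_t(d, 3), 4624, "svc_pos", "POS-02", "POS-01") for d in range(1, 13)]
)

# Constructed detection window: one normal logon, one new host, a single typo,
# then six failures from an unexpected source followed by a success elsewhere.
TODAY = (
    [Logon(_t(16, 9), 4624, "alice", "WS-ALICE", "POS-01"),
     Logon(_t(16, 9, 12), 4624, "alice", "WS-ALICE", "DC-01"),
     Logon(_t(16, 10), 4625, "bob", "WS-BOB", "FILESRV")]
    + [Logon(_t(16, 22, m), 4625, "svc_pos", "POS-07", "DC-01") for m in range(1, 7)]
    + [Logon(_t(16, 22, 8), 4624, "svc_pos", "POS-07", "FILESRV")]
)


def run_sample() -> List[str]:
    return detect(TODAY, build_baseline(HISTORY))


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The failure counter is keyed on (source, account) so that a single mistyped password never alerts, while the same account failing repeatedly from one machine does. Pairing a failure burst with a success on a host outside the account's baseline, as the svc_pos records do here, is the sequence worth escalating first.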

For a full list of things to check, you can refer to 7 Places to Check for Signs of a Targeted Attack in Your Network.

To learn more about PoS RAM scraper malware, you can refer to our previous research paper titled PoS RAM Scraper Malware: Past, Present and Future.

Additional information and analysis by Abraham Camba, Jane Hsieh, and Kenney Lu.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 16 February 2015.