Two New PoS Malware Affecting US SMBs
After several seemingly quiet months for point-of-sale (PoS) malware, we are now faced with two new PoS malware families, Katrina and CenterPoS, that are available to cybercriminals.
In our 2Q Security Roundup released in August, we reported new PoS malware discoveries, namely FighterPoS in April, MalumPoS in June, and GamaPoS a month after. Despite these findings, we noticed a slight decline in PoS malware detections, possibly because the threat was reaching its saturation point. But with the emergence of new PoS malware this September, the threat to PoS systems is far from over.
Katrina
Katrina is believed to be advertised as the latest version of the popular PoS malware Alina (detected as ALINA). Katrina was first spotted in underground forums in June 2015.
Figure 1. Katrina v1.2 is being offered in forums
Upon closer observation, we found that Katrina is just an incremental update to Alina. Our findings below show no new functionality, only minor modifications to the User-Agent string and differences in the list of skipped processes.
| Detail | Alina | Katrina |
|---|---|---|
| User-Agent | Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) |
| Names | dwm.exe, win-firewall.exe, adobeflash.exe, desktop.exe, jucheck.exe, jusched.exe, java.exe | dwm.exe.exe, win-firewall.exe, adobeflash.exe, desktop.exe, jucheck.exe, jusched.exe, java.exe, testing.exe, userinit.exe, windefender.exe, svchost.exe |
| Skipped Process | AKW.exe, QML.exe, spoolsv.exe, taskmgr.exe, wscntfy.exe, alg.exe, winlogon.exe, lsass.exe, dllhost.exe, pidgin.exe, skype.exe, thunderbird.exe, devenv.exe, steam.exe, wininit.exe, smss.exe, iexplore.exe, firefox.exe, chrome.exe | AKW.exe, QML.exe, spoolsv.exe, taskmgr.exe, wscntfy.exe, alg.exe, winlogon.exe, lsass.exe, dllhost.exe, services.exe, pidgin.exe, skype.exe, thunderbird.exe, devenv.exe, steam.exe, wininit.exe, smss.exe, iexplore.exe, firefox.exe, chrome.exe, explorer.exe, crss.exe |
| Commands | cardinterval=, chk=, diag, dlex=, log=0, log=1, update, update=, updateinterval= | cardinterval=, chk=, diag, dlex=, log=0, log=1, update, update=, updateinterval= |
| Decode Key | 0xAA | 0xAA |
During the course of the investigation, we’ve seen two panels used by Katrina operators to control their bots.
Figure 2. Panels used by Katrina operators
So far, we’ve only seen two Katrina panels/C&Cs, and two unique Katrina samples in the wild, detected as BKDR_ALINA.POSKAT. The SHA1 hashes of these two samples are:
- f6f1fb61761b24a882af40547aabcb2cd1923f91
- 1a07b2dbb5252a1463e794a59f1763e91c4ab87b
An interesting point in this investigation is that the Katrina C&C issued an update command to install the NewPoSThings malware, downloaded from the IP address {BLOCKED}.{BLOCKED}.178.109. We wrote about NewPoSThings in April this year.
This IP is interesting because we’ve seen it host several files which are listed below.
| File | Description |
|---|---|
| 32.exe | POSNEWT (NewPoSThings 32-bit version) |
| 64.exe | POSNEWT (NewPoSThings 64-bit version) |
| 315.exe | Alina (Spark variant) |
| 315c.exe | Alina (Spark variant) |
| dux.exe | BlackPoS (Kaptoxa) |
| joker1.exe | Alina (Joker variant) |
| Kill.bat | Terminates processes and services, disables registry entries, and deletes files related to antivirus products |
| Setup.bat | Executes 32.exe or 64.exe silently and automatically reboots if required |
| ClearEventN.bat | Clears event logs from Application, Security, Setup and System |
| recon.exe | Cardholder Data Discovery Tool (legitimate file; scans files on servers, workstations and storage devices for credit card data) |
| kron.exe | Backdoor |
| CenterPoint.exe | A new PoS malware we’ll be calling CenterPoS, detected as BKDR_CENTERPOS.A |
| X.bat | Batch file that downloads CenterPoint.exe; detected as BAT_XPTDL.A |
CenterPoS
CenterPoS is a new PoS malware we found on the IP address {BLOCKED}.{BLOCKED}.178.109, where Katrina is also hosted. A batch file found on the same site, X.bat (BAT_XPTDL.A), downloads CenterPoint.exe (detected as BKDR_CENTERPOS.A) from hxxps://www.dropbox.com/s/{BLOCKED}4isxow5h9ei/CenterPoint.exe. The batch file looks for InstallUtil.exe in the following directories, in order, and uses the first one found to install CenterPoint.exe.
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\
- C:\Windows\Microsoft.NET\Framework\v3.0\
- C:\Windows\Microsoft.NET\Framework\v3.5\
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\
CenterPoS uses a constant and unusual User-Agent string, which makes it easy to detect in network traffic: Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0.
At first glance, CenterPoS bears a striking resemblance to GamaPoS, since it is written in Microsoft .NET and lacks a Luhn check. After careful inspection, however, we found that CenterPoS has more in common with Alina, borrowing Alina’s file names and process exception list.
CenterPoS accepts the following commands:
- [/200/], [/401/]: uninstall itself
- [i], [/i], [k], [/k]: stop C&C communication
Stolen information is immediately sent to its C&C server, hxxp://jackkk.com/2kj1h43.php. The information includes:
- OS Version
- Computer name
- Malware version: 1.7
- Local host name
- Victim GUID (MD5 hash of a string combining the Processor ID, MAC address and serial number)
- Card track data
- List of scanned processes
Victim Breakdown and Attack Information
The files hosted on {BLOCKED}.{BLOCKED}.178.109 include two versions of Alina (Spark and Joker), 32-bit and 64-bit versions of NewPoSThings, BlackPoS (which was used in the Target breach), the two new PoS malware (Katrina and CenterPoS), and a legitimate credit card scanning tool called Cardholder Data Discovery. This suggests the IP {BLOCKED}.{BLOCKED}.178.109 is the cybercriminal’s toolbox, from which the attacker downloads and installs the appropriate PoS malware tool on the victim’s machine.
The presence of the Cardholder Data Discovery tool also allows the attacker to scan for credit card data across the victim’s network, effectively making the machine that was initially infected a pivot point for further data exfiltration within the victim’s network.
The presence of batch files reveals the attacker’s modus operandi. These batch files can be used to carry out the following routines, which suggests an attack workflow aimed at corporate networks:
- Lower the security profile of the target machine (bat)
- Install NewPoSThings (bat)
- Remove traces of infection (bat)
A quick look at the victims of this particular attack reveals the attacker is targeting small and medium-sized businesses (SMBs) in the United States. So far, we’ve seen around 87 SMBs fall victim to this attack, with 77% of the victims originating from the US. Taiwan is the second most affected country with 5%, followed by Brazil and Australia, both with 3%.
This is a fairly new campaign, with the oldest victim compromised around August 25, 2015. Most of the victims were compromised first with the Katrina PoS malware, but sometime between September 10 and 15 the attacker shifted the installed malware from Katrina to NewPoSThings, or from CenterPoS to Katrina.
Recommendations and Solutions
Trend Micro already detects this threat and blocks all the listed C&Cs. Systems can also greatly benefit from these security measures:
- Assess whether it is possible to segregate PoS terminals from the rest of the network, and employ correct access controls. This would help prevent the PoS terminals from being infected over the network, and would make it harder for the malware to exfiltrate the stolen data. In this case, the data scraped from the PoS terminals could not be uploaded to the C&C servers if the terminals had no direct access to the internet to begin with.
- If possible, employ application whitelisting technology to control which applications run in your network. This is best done before deploying the PoS terminals, while they are known to be clean.
- Check whether there are ways to detect an infection, such as firewall or proxy logs. The use of YARA can also be an option if the PoS terminals are installed with a different antivirus solution. The indicators are provided below to help incident responders and security specialists.
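As an added example, not code from the original article, here is a small Python scanner that applies the two CenterPoS network indicators described above (the malformed User-Agent string and the C&C reporting URL) to proxy log lines. The log line layout and the sample lines are constructed assumptions; the indicator values are taken from this article as printed, with the User-Agent matched as a prefix because the article shows it without a closing parenthesis.

```python
import re

# Network indicators taken from the article. The C&C IP is redacted on the page,
# so only the hostname, URI path and User-Agent prefix are used here.
CENTERPOS_UA_PREFIX = "Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0"  # as printed, matched as prefix
CENTERPOS_C2_HOST = "jackkk.com"
CENTERPOS_C2_PATH = "/2kj1h43.php"

# Assumed log layout for this example (not a specific product's format):
#   <timestamp> <client_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def classify(line):
    """Return the names of the CenterPoS indicators matched by one proxy log line."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: skip rather than guess
    _ts, _client, _method, url, ua = m.groups()
    hits = []
    # The malformed User-Agent (no space after "Mozilla/4.0", version "7.0b") is
    # the strongest indicator; no mainstream browser sends it.
    if ua.startswith(CENTERPOS_UA_PREFIX):
        hits.append("centerpos-user-agent")
    # Any request to the reporting script on the C&C host, regardless of scheme.
    host_and_path = re.sub(r"^https?://", "", url)
    if host_and_path.startswith(CENTERPOS_C2_HOST + CENTERPOS_C2_PATH):
        hits.append("centerpos-c2-url")
    return hits

def scan(lines):
    """Return (client_ip, indicators) for each line that matched at least one indicator."""
    findings = []
    for line in lines:
        hits = classify(line)
        if hits:
            findings.append((line.split(" ")[1], hits))
    return findings

# Constructed sample lines (not from the original article). The last line carries
# Katrina's User-Agent, which is a stock IE10 string and therefore deliberately not flagged.
SAMPLE_LOG = [
    '2015-09-12T10:01:02Z 10.20.30.41 GET http://www.example.com/ "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/45.0.2454.85 Safari/537.36"',
    '2015-09-12T10:01:09Z 10.20.30.57 POST http://jackkk.com/2kj1h43.php "Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)"',
    '2015-09-12T10:02:13Z 10.20.30.57 GET http://update.example.net/check "Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)"',
    '2015-09-12T10:03:44Z 10.20.30.60 GET http://www.example.org/ "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"',
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG):
        print(client, ", ".join(hits))
```

A hit on the User-Agent alone (third sample line) still identifies the infected host even when the C&C host changes, which is why both indicators are checked independently.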
Using a multi-layered security solution within the enterprise will enable your organization to control user data while providing enterprise-wide visibility. This complete approach can help prevent PoS-related data breaches and business disruption, from the gateway to mobile devices. In addition, you can centrally manage threat and data policies across multiple layers of your IT infrastructure, streamline management, and provide more consistent policy enforcement.
Our blog entry titled NewPosThings Has New PoS Things contains the IP address and port, as well as the YARA rule that the Trend Micro Deep Discovery Endpoint Sensor can employ for endpoint monitoring and validation for possibly active infections.
Investigation by Joey Costoya, Philippe Lin and Ryan Flores; Malware analysis by Homer Pacag, Rhena Inocencio and Anthony Melgarejo.