A Peek Inside a PoS Scammer’s Toolbox
PoS malware has received a tremendous amount of attention in the past two years, with high-profile incidents at Target, Home Depot, and Kmart. With the massive “Black Friday” shopping season coming up, PoS malware will surely get additional publicity. Because of this high-profile nature, we constantly look for evolving PoS malware and study its behavior patterns to better protect our customers and users.
In order to be successful, PoS scammers don’t rely only on their malware to attack and exfiltrate victim data. They also use a wide variety of tools to support their endeavors. Some of these tools are also used by system administrators, such as PuTTY, as well as other tools provided by Microsoft as part of the Sysinternals suite.
Looking at the additional tools PoS threat actors use is interesting because it gives us a preview of their daily activities, which we can use to profile them.
PoS Terminal Insecurities
Unfortunately, PoS terminals and environments are very often left insecure. This makes them an excellent target of opportunity for attackers. There are a variety of methods used when attackers go after PoS terminals. One way attackers look to gain access to PoS devices is via VNC (Virtual Network Computing). Typically, credentials are either non-existent or very weak. This presents many opportunities for attackers to use tools to attack VNC credentials.
Microsoft’s Remote Desktop Protocol (RDP) presents an additional weak point in PoS environments. Unfortunately, the same weaknesses often found in VNC sessions are also found in RDP configurations. Weak and/or nonexistent credentials are common on PoS terminals using RDP. This also presents many opportunities for attackers to leverage tools to attack RDP sessions.
BackOff Actor Toolkits
Earlier this year, Trend Micro published a paper detailing many different PoS RAM scrapers, including BackOff. BackOff became popular and widely used starting in July 2014 because it is custom-packed to obfuscate its code and make it difficult for security researchers to reverse-engineer its binaries.
BackOff will almost always, in some way, communicate with a command-and-control (C&C) server to exfiltrate data or receive configuration updates. In addition to receiving commands and exfiltrating data, these same servers are often used to transfer tools to and from victim machines. This helps the attacker get tasks done easily and quickly while drawing the least amount of attention, by reducing the amount of work needed to transfer these tools to multiple victims.
When looking at BackOff variants, one particular sample drew our attention: r0.exe. Upon examination, we found that this sample connects to http://143biz.cc.md-14.webhostbox.net. The infection vector is not known.
The particular C&C server contained a wealth of information about what tools the attackers are using, as well as how they stored their data. We noticed that there was a litany of other tools that the attackers were using. Typically, these tools are used in conjunction with, or after, the infection of a compromised machine.
The server contained multiple files, including ZIP files, which are broken down further below. This is not an all-inclusive list of the files on the server, but is meant to showcase the tools and capabilities of these actors.
r0.exe (MD5 hash: 7a5580ddf2eb2fc4f4a0ea28c40f0da9) – This file is a BackOff sample that was compiled on October 22, 2014. The file communicates to the following URLs for its C&C functions:
r0.exe also creates a known BackOff mutex, aMD6qt7lWb1N3TNBSe4N.
3-2.exe (MD5 hash: 0fb00a8ad217abe9d92a1faa397842dc) – This file is also a BackOff sample which was compiled approximately a month earlier than r0.exe (it was compiled on September 16, 2014). This file communicates to:
DK Brute priv8.rar (MD5 hash: 028c9a1619f96dbfd29ca64199f4acde) – This RAR file contains multiple tools and files. One of these files is putty.exe, an SSH/telnet client. Also included were UltraVNCViewerPortable.exe and WinSCP. Both of these tools make sense to include in a scammer’s toolkit, as they can be used to connect to remote systems and transfer files.
DK Brute.exe is also included; this is a tool used to brute force Windows RDP and other remote connection protocols, using a password list.
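The weak VNC/RDP credentials described above are what DK Brute and VUBrute exploit, and a password-list attack leaves a distinctive trace: a burst of failed logons from one source, sometimes followed by a success. The following detector is an added example (not the post’s or the actors’ code); it runs over a constructed, simplified logon log and flags sources that cross a failure threshold inside a sliding window.

```python
"""Added example (not the post's or the actors' code): detect the RDP/VNC
password-list attacks that tools like DK Brute and VUBrute produce, by
counting failed logons per source address inside a sliding time window.
SAMPLE_LOG is a constructed, simplified log (timestamp service result src account)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2014-10-22T10:00:01 rdp FAIL 203.0.113.7 administrator
2014-10-22T10:00:02 rdp FAIL 203.0.113.7 admin
2014-10-22T10:00:02 rdp FAIL 203.0.113.7 pos
2014-10-22T10:00:03 rdp FAIL 203.0.113.7 posuser
2014-10-22T10:00:04 rdp FAIL 203.0.113.7 administrator
2014-10-22T10:00:05 rdp OK   203.0.113.7 administrator
2014-10-22T10:03:00 vnc FAIL 198.51.100.9 -
2014-10-22T10:20:00 vnc FAIL 198.51.100.9 -
2014-10-22T10:40:00 vnc FAIL 198.51.100.9 -
2014-10-22T10:41:00 rdp FAIL 192.0.2.5 clerk
2014-10-22T10:41:30 rdp OK   192.0.2.5 clerk
"""
def parse(line):
    ts, service, result, src, account = line.split()
    return datetime.fromisoformat(ts), service, result, src, account

def detect_bruteforce(log_text, threshold=5, window_minutes=2):
    """Return {source_ip: [alert, ...]}. A source is alerted once it reaches
    `threshold` failures inside `window_minutes`; a later success from an
    alerted source is flagged separately, since that is what a password-list
    attack looks like when it finds a weak credential."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)        # src -> timestamps of recent failures
    alerted, alerts = set(), defaultdict(list)
    for line in log_text.splitlines():
        ts, service, result, src, account = parse(line)
        if result == "FAIL":
            q = failures[src]
            q.append(ts)
            while ts - q[0] > window:    # discard failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts[src].append(f"{service} brute force: {len(q)} failures in {window_minutes} min")
        elif result == "OK" and src in alerted:
            alerts[src].append(f"{service} logon succeeded for '{account}' after brute force")
    return dict(alerts)

if __name__ == "__main__":
    for src, msgs in detect_bruteforce(SAMPLE_LOG).items():
        print(src, msgs)
```

With the defaults only the fast RDP burst from 203.0.113.7 is flagged; the slow VNC attempts from 198.51.100.9 stay under the threshold, which is why a second, longer window (for example 3 failures per hour) should run alongside the short one.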
IPCity.rar (MD5 hash: 9223e3472e8ff9ddfa0d0dbad573d530) – This RAR file contains three files. One is a .CSV file, GeoLiteCity.csv, which maps countries to latitude/longitude coordinates. GeoLiteCity.csv appears to be an older free download from MaxMind, which provides databases that map physical locations to IP blocks.
A tool called ip_city.exe was in the RAR file as well. This tool is used to convert city and country locations to IP blocks. Taken collectively, these tools can be used by an attacker to better scan and target particular countries and IP blocks.
Figure 1. Screenshot of ip_city.exe
VUBrute 1.0.zip (MD5 hash: 01d12f4f2f0d3019756d83e94e3b564b) – This password-protected ZIP file contains a VNC brute forcer, VUBrute. This tool is popular in Russian underground forums and is used to compromise VNC credentials.
Figure 2. Screenshot of VUBrute
logmein_checker.rar (MD5 hash: 5843ae35bdeb4ca577054936c5c3944e) – This RAR file contains an application called Logmein Checker. LogMeIn is a popular commercial remote access tool. This application takes an account list (a list of username/password combinations) and runs it through a list of IP addresses/ports. This is used to find valid LogMeIn sessions protected by weak credentials.
Figure 3. Logmein Checker UI
The attackers are likely using this to attack either PoS machines with weak LogMeIn credentials, or other machines on networks that also contain PoS devices.
portscan.rar (MD5 hash: 8b5436ca6e520d6942087bb38e97da65) – This file contains a file named KPortScan3.exe, which is a basic port scanner. It allows IP ranges and port numbers to be entered. Based on data obtained from the C&C server, we believe this tool was used to scan ports 445, 3389, and 5900, as well as other ports. It’s likely this tool was chosen because of its ease of use and because a port scanner would likely be run from Windows.
Figure 4. Port scanner UI
C&C Infrastructure Analysis and Relationship Building
After looking closer at the C&C server, we pivoted and found additional files that are, or have been, hosted on it. In total, there have been over 9 unique malware samples hosted on http://143biz.cc.md-14.webhostbox.net, dating back to February 2014. This includes PoS malware such as Alina, a popular PoS RAM scraper.
We also found an additional directory on this server: http://143biz.cc.md-14.webhostbox.net/something/login.php?p=Rome0. The name Rome0 may look familiar to those of you who follow Xyiltol and the Trackingcybercrime blog.
While accessing this directory doesn’t generate a response, we continued to check for sites that had /something/login.php?p=Rome0 as part of the URL. When doing this, we found another site: https://blog.-wordpress-catalog.com/something/login.php?p=Rome0. Looking closer at the relationship between 143biz.cc.md-14.webhostbox.net and wordpress-catalog.com, we saw that there was an open directory on the C&C server: http://143biz.cc.md-14.webhostbox.net/accounts.wordpress-catalog.com. These URLs don’t return any results either.
When we looked at the root directory, however, we found a Zip file named something.zip (MD5 hash: f9cbd1c3c48c873f3bff8c957ae280c7). This file contained what appeared to be the code for the C&C server, as well as several text documents containing names and credit card track data.
Figure 5. Server root directory contents
While we don’t know if the same French criminal Rome0 owns or operates these two servers for PoS operations, we do know that both servers have used Rome0 in their URLs. We also noticed in one of the text files a directory named /home/rome0/public_html/something/bot.php, presumably showing the user’s internal directory for hosting files. In addition, we know that Rome0 is heavily involved in PoS malware and carding, based on Xyiltol’s excellent investigative work.
While we didn’t showcase many new tools in this post, it is an interesting case study of some of the tools that PoS scammers use. This list isn’t exhaustive, but it shows that the attackers using these tools are not particularly advanced. They use what works, without reinventing the wheel and developing new programs.
Information about these tools is useful for administrators who need to protect PoS systems on a regular basis.
In addition to the malicious files listed above, here is a list of all the URLs we looked into for this post: