Angler Exploit Kit Used to Find and Infect PoS Systems
An attack aiming to infect PoS systems was found using the Angler Exploit Kit to push a PoS reconnaissance Trojan. This Trojan, detected as TROJ_RECOLOAD.A, checks for multiple conditions in the infected system, such as whether it is a PoS machine or part of a PoS network. It then proceeds to download specific malware depending on the conditions met. We’ve also found that this attack uses the fileless installation capability of the Angler Exploit Kit to avoid detection.
Looking into its infection chain, we found that part of its reconnaissance involves searching for data related to specific websites and companies. One example would be Verifone, a company that offers solutions for electronic payments and PoS transactions. Based on the infection chain, we also believe that this attack is targeting web-based terminals.
This finding suggests that attackers are now looking for ways to deploy PoS malware on a wider scale. Just recently, we discovered a PoS threat that piggybacks on the established Andromeda botnet to reach PoS systems.
Arrival vector
The Angler Exploit Kit often uses malvertisements and compromised sites as the starting point for infection. For this specific incident, we found that the infection chain takes advantage of two Adobe Flash vulnerabilities (CVE-2015-0336 and CVE-2015-3104). After exploiting either vulnerability, the Trojan, detected as TROJ_RECOLOAD.A, finds its way to the system.
One detail that bears stressing is the use of fileless installation for this malware. Fileless installation involves installing the malware in locations that are difficult to scan or detect. The malware exists only in memory and is written directly to RAM instead of being installed on the target computer’s hard drive.
Anti-analysis techniques
By definition, reconnaissance requires stealth work. TROJ_RECOLOAD.A employs several anti-analysis techniques before performing its main routine.
- It checks if modules related to virtualization, sandbox and analysis tools are loaded.
Figure 1. Checks for loaded malware analysis-related modules
- It checks if the current user of the infected system has user names related to malware analysis.
Figure 2. Checks for malware analysis-related user names
- It has a list of hashes of analysis tools’ process names that it checks against the running processes. Here are some of the processes being checked:
- wireshark.exe
- dumpcap.exe
- Tcpview.exe
- OllyDbg.exe
If any of the conditions are met, it will not proceed with its main routine.
PoS reconnaissance
TROJ_RECOLOAD.A performs reconnaissance in the system to determine which payload is suitable for the infected system. It has three cases for selecting the payload.
Figure 3. Payload selection routines
Looking at the POS_Reco function above reveals how each case is satisfied.
Figure 4. PoS Reconnaissance (click the image to enlarge)
Case 1: type=555 and 922
I decided to highlight the string type={case} as the malware uses it as a tracker. That string will be concatenated to the URL that will be used as an identifier of which malware to download. The URL format will be as follows:
- http://{C&C server}/photolibrary/?user={encoded user and computer name}&id=13&ver=115&os={OS information}&os2={OS Version}&host={bool}&k={variable}&type={depends on case}
In Figure 4, we can see that there is a list of URLs related to PoS systems. The malware will search for those URLs in the URL cache in the function that will be referred to as Search_URLCache.
Figure 5. Searching for PoS-related URLs in the URL cache
TROJ_RECOLOAD.A will also download the malware if it finds the string Verifone in the data of the DisplayName values under the registry key below, which lists the installed applications:
- Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
- Value: DisplayName
As we mentioned earlier, Verifone deals with electronic payments and PoS transactions.
Case 2: type=666 and 922
The malware looks at the output of the command net view, which gives the list of computer names in the network, to check for the following strings:
- POS
- STORE
- SHOP
- SALE
Figure 6. Searching for PoS computer names in the network
Case 3: type=505
In Figure 4, the variable POS_case is set to 3 by default at the start of the POS_Reco function. This means that this is the case used if neither of the two conditions above is met.
Analyzing the payloads
Unfortunately, the C&C servers were already inaccessible during our analysis so we weren’t able to acquire the different payloads for each case. Below is the payload of the first case, when type=555.
Payload of Case 1 (type=555), signed version of itself
This version looks very similar to the first stage malware, TROJ_RECOLOAD.A, when analyzed statically. However, this version has a different routine. TROJ_RECOLOAD.B will not perform PoS reconnaissance but instead will search for the web browsers’ processes. After injecting itself into the legitimate process explorer.exe for persistence, it will check if the said processes are running.
Figure 7. TROJ_RECOLOAD.B checking for running web browsers
TROJ_RECOLOAD.B will inform its C&C server by creating a hash value that will be used in the k parameter of the URL. The URL structure is similar to the first stage malware but has several differences, which we’ve outlined below.
| Parameters | 1st stage (TROJ_RECOLOAD.A) | 2nd stage (TROJ_RECOLOAD.B) |
| --- | --- | --- |
| directory | photolibrary/ | yovovitch2/ |
| id (botID) | 13 | 11 |
| ver (build version) | 115 | 15 |
Figure 8. URL parameters of the two malware
Figure 9. Creating hash value for k parameter
Figure 10. Building the URL including the k parameter
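The beacon format given earlier and the per-stage differences in Figure 8 are enough to write a detection for proxy logs. The script below is an added example, not code from the original post: it classifies a URL as a first- or second-stage RECOLOAD beacon from the directory, id and ver values, and maps the first-stage type values to the three cases described above. The log lines, the C&C host name and the second-stage type value 900 are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Per-stage constants from Figure 8: the path directory and the fixed
# id (botID) and ver (build version) values distinguish the two stages.
STAGE_PROFILES = {
    "TROJ_RECOLOAD.A": {"directory": "photolibrary", "id": "13", "ver": "115"},
    "TROJ_RECOLOAD.B": {"directory": "yovovitch2", "id": "11", "ver": "15"},
}

# Meaning of the first-stage type values as described in the write-up.
TYPE_MEANING = {
    "555": "case 1: PoS URL in cache or Verifone in Uninstall DisplayName",
    "666": "case 2: POS/STORE/SHOP/SALE host name in net view output",
    "505": "case 3: default, no PoS indicator found",
    "922": "sent together with case 1 or case 2",
}

# Query parameters the beacon always carries (see the URL format above).
REQUIRED_PARAMS = ("user", "id", "ver", "os", "os2", "host", "k", "type")

def classify_beacon(url):
    """Return (stage, type, meaning) for a RECOLOAD beacon URL, else None."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    query = parse_qs(parts.query)
    if len(segments) != 1 or any(p not in query for p in REQUIRED_PARAMS):
        return None
    for stage, profile in STAGE_PROFILES.items():
        if (segments[0] == profile["directory"]
                and query["id"] == [profile["id"]]
                and query["ver"] == [profile["ver"]]):
            type_val = query["type"][0]
            return stage, type_val, TYPE_MEANING.get(type_val, "type not documented for this stage")
    return None

def scan_proxy_log(lines):
    """Return a list of (client_ip, stage, type, meaning) for beacons in log lines."""
    hits = []
    for line in lines:
        m = re.match(r"\S+ (\S+) \S+ (https?://\S+)", line)  # timestamp client method url
        if not m:
            continue
        verdict = classify_beacon(m.group(2))
        if verdict:
            hits.append((m.group(1),) + verdict)
    return hits

# Constructed proxy log lines (timestamp client method url status); not real traffic.
SAMPLE_LOG = [
    "2015-06-01T10:00:01Z 10.0.0.5 GET http://cnc.example.invalid/photolibrary/?user=QUxJQ0U&id=13&ver=115&os=Win7&os2=6.1&host=0&k=abc&type=555 200",
    "2015-06-01T10:00:02Z 10.0.0.6 GET http://www.example.invalid/photolibrary/index.html 200",
    "2015-06-01T10:00:03Z 10.0.0.7 GET http://cnc.example.invalid/yovovitch2/?user=Qk9C&id=11&ver=15&os=Win7&os2=6.1&host=1&k=def&type=900 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the first and third lines and ignores the benign request whose path merely contains the word photolibrary.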
One possible reason behind the search for Chrome, Firefox, and Internet Explorer is that the malware is looking for web-based terminals.
It’s worth noting that TROJ_RECOLOAD.B seems to be less stealthy since it installs itself by dropping a copy of itself to the %Windows% (C:\Windows) directory and creates an autostart registry entry.
The threat actors might have decided that since the 1st stage malware has bypassed detections, it is safer to install the 2nd stage malware. We call TROJ_RECOLOAD.B the 2nd stage since we’ve found more type values in the URL parameters it sends to its C&C server to download other malware.
Figure 11. More types to download other malware
A type of progression?
Using exploit kits can be seen as an ingenious way of distributing PoS malware. Like using a botnet, exploit kits widen the net cast by cybercriminals for potential victims. Of course, using a compromised site or malvertisements wouldn’t necessarily guarantee that a PoS system will be caught—which is where the filtering comes in.
Looking into the malware code, we find some indicators that the malware authors are very observant of the security industry. For example, in TROJ_RECOLOAD.A’s .data section, it looks for both malware related modules and common user names used in sandbox analysis – an approach that has been observed on some malware documented last year.
Countermeasures
Exploit kits—as their name implies—rely on vulnerabilities in order to successfully infect systems. Users should always install updates for their applications whenever possible. However, installing software updates isn’t the end-all and be-all against exploit kits, since exploit kits may use zero-day vulnerabilities. This is where other safety practices come in. For example, avoid visiting sites that are unfamiliar or unknown. Prior to visiting an unknown web site, you can use the Trend Micro Global Site Safety tool to check if a site is safe to visit or, better yet, use an endpoint protection suite that evaluates websites upon access.
Since RECOLOAD malware may possibly target web-based terminals, we highly encourage admins to be strict about filtering web-based content, as some of these terminals may be remotely deployed, outside the protection of the main office. As web browsers can be used to navigate to non-business related web sites, admins should make sure that the terminals only connect to the sites that they need to connect to; whitelisting these expected URLs can help filter out and block possible entry and exfiltration vectors.
Administrators can employ several key security measures to help secure their PoS systems. Three key points for protecting PoS systems include the following:
- OS hardening – making an OS more secure by reducing its surface of vulnerability exposure
- Web-filtering solutions – restricting what URLs and websites users or endpoints can visit
- Unified threat management (UTM) gateways – using network security products that unify multiple systems and services into a single engine or appliance.
More details can be found in our paper, Defending Against PoS RAM Scrapers: Current Strategies and Next-Gen Technologies.
With additional insight from Jay Yaneza.
Hat tip to Kafeine for sharing the decoded payload of type=555 in Case 1, which we detect as TROJ_RECOLOAD.B.