New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts

We recently spotted a brand new BlackPOS (point-of-sale) malware, detected by Trend Micro as TSPY_MEMLOG.A. In 2012, the source code of BlackPOS was leaked, enabling other cybercriminals and attackers to enhance its code. What’s interesting about TSPY_MEMLOG.A is that it disguises itself as an installed service of a known AV vendor’s software to avoid being detected and consequently deleted on infected PoS systems. This routine differs from previous PoS malware such as TSPY_POCARDL.U and TSPY_POCARDL.AB (BlackPOS), which employed the targeted company’s own installed service.

The malware can be run with the options -[start|stop|install|uninstall]. The -install option installs the malware as a service named "<AV_Company> Framework Management Instrumentation", and the -uninstall option deletes that service. The RAM scraping routine begins as a thread when the installed service starts. It only starts its main routine if it has successfully been registered as a service.

Apart from masquerading as an AV software service, another new tactic of TSPY_MEMLOG.A is its updated process iteration function. It uses the CreateToolhelp32Snapshot API call to list and iterate over all running processes, whereas BlackPOS variants typically use the EnumProcesses API call for this.

It drops and opens a component, t.bat, after it has read and matched the track data. Track data holds the information necessary to carry out card transactions; on the card it is stored either on the magnetic stripe or in the embedded chip.

The data eventually gets written out to a file called McTrayErrorLogging.dll. This is similar to what happened in the PoS malware attack involving the retailer Target in December 2013.

 

Figure 1. CreateToolhelp32Snapshot used to enumerate processes

Based on our analysis, this PoS malware uses a new custom search routine to check the RAM for track data. Such custom search routines have replaced the regex search used in earlier PoS malware. It reads 0x20000 bytes (the 0x prefix and h suffix both denote hexadecimal) in each pass, and continues scanning until it has covered the entire memory region of the process being inspected.

Figure 2. Screenshot of reading process memory

Figure 3. Logging of data

It has an exclusion list of processes to ignore, because track data is not expected to be found in them. It gathers track data by scanning the memory of all running processes except for the following:

  • smss.exe
  • csrss.exe
  • wininit.exe
  • services.exe
  • lsass.exe
  • svchost.exe
  • winlogon.exe
  • sched.exe
  • spoolsv.exe
  • System
  • conhost.exe
  • ctfmon.exe
  • wmiprvse.exe
  • mdm.exe
  • taskmgr.exe
  • explorer.exe
  • RegSrvc.exe
  • firefox.exe
  • chrome.exe

This skipping of scanning specific processes is similar to VSkimmer (detected as BKDR_HESETOX.CC).

In TSPY_MEMLOG.A, the credit card track data grabbed from memory is saved into the file McTrayErrorLogging.dll and sent to a shared location within the same network. We’ve seen this routine in another BlackPOS/Kaptoxa variant detected as TSPY_POCARDL.AB. The only difference is that TSPY_MEMLOG.A uses a batch file to move the gathered data to the network share, while TSPY_POCARDL.AB executes the net command via cmd.exe. It is highly possible that the server is compromised, since the malware uses a specific username for logging into the domain.

Data Exfiltration Mechanism

The malware drops the component t.bat which is responsible for transferring the data from McTrayErrorLogging.dll to a specific location in the network, t:\temp\dotnet\NDP45-KB2737084-x86.exe. It uses the following command to transfer the gathered data:

Figure 4. Screenshot of command used to transfer data

The “net use” command connects one machine to another machine’s drive. The malware uses a specific username to log in to the host at the IP address above, mapping device t: to drive D on 10.44.2.153.

In one of the biggest data breaches we saw in 2013, the cybercriminals behind it first offloaded the gathered data to a compromised server, while a different malware running on that server uploaded it to an FTP site. We surmise that this new BlackPOS malware uses the same exfiltration tactic.

Countermeasures

PoS malware can possibly arrive on the affected network via the following means:

  • Targeting specific servers as the point of entry, followed by lateral movement
  • Hacking network communication
  • Infecting machines before deployment

As such, we recommend that enterprises and large organizations implement a multi-layered security solution to protect their network against vulnerabilities in systems and applications, since these may be used to infiltrate the network. In addition, check whether any system component has been modified or replaced, as criminals are using known in-house software applications to hide their tracks. IT administrators can use the information on malware routines and indicators of compromise (IoCs) given here to determine whether their network has already been compromised by this new BlackPOS malware. For more information on PoS malware, read our white paper, Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries.
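As an added example that is not part of the original post, the following Python script applies the indicators described in the exfiltration and countermeasures sections above (the service name pattern, the dropped components t.bat and McTrayErrorLogging.dll, the net use mapping of t: to 10.44.2.153, the destination path and the sample hash) to constructed Sysmon-style log lines. The D$ share name, the log line format and the placeholder account are assumptions.

```python
import re

# Indicators of compromise taken from the write-up above. The log line
# formats further down are constructed for this example, not real events.
INDICATORS = {
    # service installed as "<AV_Company> Framework Management Instrumentation"
    "service-name": re.compile(r"Framework Management Instrumentation", re.I),
    # dropped components: t.bat and the track-data log McTrayErrorLogging.dll
    "dropped-file": re.compile(r"(?<![\w.])t\.bat\b|McTrayErrorLogging\.dll", re.I),
    # drive t: mapped to host 10.44.2.153 (the D$ share name is an assumption)
    "net-use-map": re.compile(r"net\s+use\s+t:\s+\\\\10\.44\.2\.153\\", re.I),
    # destination path of the copied log file
    "exfil-path": re.compile(r"temp\\dotnet\\NDP45-KB2737084-x86\.exe", re.I),
    # hash of the analysed sample, as given in the write-up
    "known-hash": re.compile(r"\bb57c5b49dab6bbd9f4c464d396414685\b", re.I),
}

def check_line(line):
    """Return the names of all indicators that match one log line."""
    return [name for name, rx in INDICATORS.items() if rx.search(line)]

def scan_log(lines):
    """Map 1-based line numbers to the indicators found on that line."""
    hits = {}
    for num, line in enumerate(lines, 1):
        found = check_line(line)
        if found:
            hits[num] = found
    return hits

# Constructed Sysmon/System-log style lines for demonstration only.
SAMPLE_LOG = [
    r"7045 Service installed: Name=ExampleAV Framework Management Instrumentation Path=C:\Windows\svc.exe",
    r"Sysmon 11 FileCreate: C:\Windows\System32\McTrayErrorLogging.dll",
    r"Sysmon 1 ProcessCreate: cmd.exe /c t.bat",
    r"Sysmon 1 ProcessCreate: net use t: \\10.44.2.153\D$ /user:DOMAIN\<USERNAME> <PASSWORD>",
    r"Sysmon 11 FileCreate: t:\temp\dotnet\NDP45-KB2737084-x86.exe",
    r"Sysmon 1 ProcessCreate: C:\Windows\System32\svchost.exe -k netsvcs",
    r"Sysmon 15 FileCreateStreamHash: C:\Users\x\default.bat MD5=0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    for num, found in scan_log(SAMPLE_LOG).items():
        print(f"line {num}: {', '.join(found)}")
```

The benign svchost.exe and default.bat lines produce no hits, showing that the t.bat pattern is anchored so it does not match every file ending in "t.bat".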

Trend Micro protects enterprises from threats like PoS malware by detecting the malicious file.

The hash related to this threat is b57c5b49dab6bbd9f4c464d396414685.

With additional analysis from Numaan Huq

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 29 August 2014.