Point of Sale (POS) Malware: Easy to Spot, Hard to Stop


Posted on 17-Jul-2015






Darian Lewis, Sr. Threat Researcher
Managed Security Services, Symantec

Contents

Introduction
Evolving POS Malware
Common POS Malware
    Alina
    BlackPOS
    VSkimmer
Breaching the Perimeter
Mitigation and Best Practices
Detection
References



Introduction

Most organizations worry that they will be the next company showing up on the evening news as the worst data breach ever. The real concern isn't whether you will be breached, but when you will be breached, and whether you will know it happened before you read about it in the press along with your customers.

    The cost of the breach is far more than lost revenue that has to be recovered; the real loss is in customer trust and loyalty.

Mistakes made by people and systems are the main causes of data breaches. Together, human errors and system problems account for 64 percent of data breaches.[1]

This whitepaper takes an in-depth look at:

  • The evolution of Point-of-Sale (POS) malware
  • How attackers breach the organization
  • What should be done to mitigate breach losses
  • How to proactively detect POS malware

Evolving POS Malware

Although the first POS malware is still in use and still effective, new POS malware continues to be written, and the oldest POS malware families are receiving updates to their evasion techniques.

A POS compromise normally begins when a Trojan or downloader gets onto a system inside the organization. That is not a tall order, considering the number of new infections of Gameover Zeus, a peer-to-peer variant of the Zeus malware, a family that has been around since 2007.

All it takes is an email with a poisoned attachment, a link to a drive-by download, a watering hole attack on a popular news site, or even poisoned ads in a widely used, trusted ad network. Any network that can come into contact with the POS terminal network makes a perfect entry point for delivering POS malware. Gameover Zeus, Bugat or Citadel is used to take over accounts and to deliver key loggers and other malware that capture even the best passwords and let attackers move laterally across the network. Lateral movement within the network, compromising hosts along the way, lets the attackers reach their end goal: access to the POS terminals. The POS malware then does what it was designed to do: capture the track information from the magnetic stripe on credit and debit cards.

With the payment system encrypted nearly end-to-end, one may ask how criminals obtain the credit and debit card track information. They take it at the weakest point in the system: the moment it sits unencrypted in the memory of the POS process, between the card swipe and the encryption step. Scraping the magnetic stripe track data out of memory is the first step in the identity theft chain. The POS application then encrypts the same data and sends it on to the local transaction server or payment processor as it normally would, so the transaction completes. The chain continues with money drained from accounts, stolen card information sold online, and new cards, produced with inexpensive hardware obtained online, encoded with the stolen data.
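As an added illustration of what the scraping step has to find in memory, and not code from Symantec or from any of the malware families discussed in this whitepaper, the following Python scans a memory buffer for Track 1 and Track 2 formatted data. The patterns follow the ISO/IEC 7813 track layouts (`%B<PAN>^<NAME>^<YYMM>...?` and `;<PAN>=<YYMM>...?`) rather than any particular family's regex, and a Luhn check separates real card numbers from digit runs that merely look like them, which is the same check a hunting tool needs to keep its false positives down. The buffer, the field names and the `scan_memory` function are all constructed for this example; a real tool would feed it pages read from a live POS process (ReadProcessMemory on Windows) instead. The PANs are well-known test card numbers, not real accounts.

```python
import re

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
# Track 2:                ;<PAN>=<YYMM><service code + discretionary data>?
# PAN is 13-19 digits. These are generic layout patterns written for this
# example, not the regex of any particular POS malware family.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})[^?]{0,40}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d{0,40}\?")

# Constructed stand-in for a page of a POS process's memory: card data sitting
# unencrypted among other buffers. The PANs are well-known test card numbers,
# not real accounts; the third record is a digit run that fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00RecvBuf\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000000?"
    b"\x00\x00\x00"
    b";5500000000000004=25121011000012345678?"
    b"\x00junk;1234567890123456=2512?\x00"
    b"\x00log: txn ok\x00"
)


def luhn_ok(pan: bytes) -> bool:
    """Luhn checksum over an ASCII-digit PAN; separates card numbers from lookalike digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep only the BIN and last four so findings can be logged without storing full PANs."""
    return pan[:6].decode() + "*" * (len(pan) - 10) + pan[-4:].decode()


def scan_memory(buf: bytes) -> list:
    """Return every track-formatted record in buf with offset, masked PAN, expiry and Luhn result."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        hits.append({"track": 1, "offset": m.start(), "pan": mask(m.group(1)),
                     "name": m.group(2).decode(errors="replace"),
                     "expiry": m.group(3).decode(), "luhn": luhn_ok(m.group(1))})
    for m in TRACK2_RE.finditer(buf):
        hits.append({"track": 2, "offset": m.start(), "pan": mask(m.group(1)),
                     "name": None, "expiry": m.group(2).decode(),
                     "luhn": luhn_ok(m.group(1))})
    hits.sort(key=lambda h: h["offset"])
    return hits


if __name__ == "__main__":
    for h in scan_memory(SAMPLE_MEMORY):
        flag = "card" if h["luhn"] else "luhn-fail"
        print(f"offset {h['offset']:5d}  track {h['track']}  {h['pan']}  exp {h['expiry']}  {flag}")
```

Run against a process dump, the Luhn-failing hits are the ones to discard before raising an alert; the Luhn-passing ones in a process that should never hold cleartext track data are the finding.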



Common POS Malware

The common goal of most POS malware is to locate, extract and exfiltrate stolen credit card information as quickly and covertly as possible. While some design details separate one variant from another, most of this malware can be identified easily. To illustrate the scope of the problem, below is a representative list of known POS malware and the AV signatures by which the malware is detected by Symantec Antivirus:

    Alina (Infostealer.Alina) Process memory dumper that looks for credit card information. Uses simple HTTP for data exfiltration and command and control (C2) purposes.

Backoff (Trojan.Backoff) Memory scraper and key logger, designed to extract credit card information. C2 accomplished via HTTP POST, while exfiltration is via encrypted HTTP POST.

    BlackPOS (Infostealer.Reedum) Credit card seeking memory scraper. Exfiltration of stolen data via FTP.

    BrutPOS (Trojan.Bruterdep) Brute force of RDP to gain access to credit card information. C2 via HTTP POST and stolen data exfiltration via FTP.

    ChewBacca (Infostealer.Frysna) Key logger and memory scraper seeking credit card numbers. Uses The Onion Router (TOR) for C2. Also known as FYSNA.

    Decebal (Infostealer.Decebal) Memory scraping functionality looking for credit card information. C2 via HTTP POST. Basic stolen data encoding and upload via HTTP.

Dexter (Infostealer.Dexter) Memory dumper for specific POS software that seeks credit card information. Exfiltration and C2 accomplished via HTTP.

    GetMyPass (Infostealer.Getmypos) Process dumper seeking credit card info. No exfiltration or C2 functionality; requires previously established control of infected system.

    JackPOS (Infostealer.Jackpos) Memory scraper seeking credit card numbers. Exfiltration via base64 encoded HTTP POST and simple C2.

    LusyPOS (often detected as Infostealer.Dexter) Credit card information memory scraper. Uses The Onion Router (TOR) for C2 and exfiltration.

    NewPoSThings (vendor write-up) Memory scraper for credit card information and VNC password location. Encrypted data exfiltration and C2 accomplished via HTTP POST.

RawPOS (Infostealer.Rawpos) Memory scraper for credit card numbers in system processes.

Rdasrv (Infostealer.Posscrape) Harvests credit card information from memory. Relies on existing remote access for exfiltration.

    Soraya (vendor write-up) Memory scraper and HTTP form grabber seeks credit card data. Checks in with hardcoded C2 server and exfiltrates every 5 minutes.

    vSkimmer (Infostealer.Vskim) Memory scraper looking for credit card numbers. Exfiltration and C2 accomplished via HTTP or USB.



Figure: Malware discovery timeline, 2009-2015. Symantec tracks known threats as they evolve and appear, while also identifying and nullifying the increasing proliferation of new threats. Dates are month.day.year as given in the chart; a dash means the chart gives no date.

Malware              Observed    AV Detection
RawPOS               2.10.13     2.18.14
Rdasrv               -           6.6.14
BrutPOS              3.1.14      3.12.14
BlackPOS v2          8.29.14     12.19.13
JackPOS              2.1.14      2.8.14
Backoff              3.20.14     7.31.14
LusyPOS              12.1.14     12.12.12
GetMyPass            11.26.14    11.27.14
Soraya               6.1.14      6.4.14
Alina (Kaptoxa)      -           2.10.13
Dexter               12.11.13    12.12.12
vSkimmer             3.21.13     1.26.13
Decebal              1.3.14      9.11.14
NewPoSThings         9.4.14      -
BlackPOS (Kaptoxa)   -           3.29.13
ChewBacca            10.1.13     12.18.13



Alina

Dozens of variants of Alina have been seen in the wild. Alina is an older malware, developed in early 2012 but still showing signs of active development. It contacts its C2 right after it is installed, and can be detected by looking for a missing parenthesis in the User-Agent string, a minor but noticeable pattern. The C2 server also answers with an HTTP response code of 666 where a normal server would return 200. This return code is user-editable in the malware configuration, though, and may produce a false positive if used alone. The good news: not many criminals who buy this malware bother to change it.
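To turn the two Alina indicators just described into a check a SOC could run, here is an added example that is not Symantec's tooling and not part of the original whitepaper: it scores constructed outbound proxy log lines in Python. The tab-separated log format, the IP addresses and host names, and the User-Agent strings are all made up for the example; the User-Agent is written to show the property the text describes (an opening parenthesis with no closing one) and is not copied from a sample. Following the caveat above, an HTTP 666 status on its own earns only a medium severity; it takes both indicators, on one line or across lines from the same client to the same server, to reach high.

```python
from collections import defaultdict

# Constructed outbound proxy log (not real traffic). Tab-separated fields:
# timestamp, src_ip, method, host, path, http_status, user_agent.
# The User-Agent on the 203.0.113.9 lines is written to show the Alina tell
# described in the text, an opening parenthesis with no closing one; it is
# not copied from a sample.
SAMPLE_PROXY_LOG = """\
2015-07-17T10:01:02Z\t10.20.1.15\tPOST\t203.0.113.9\t/gate.php\t666\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1
2015-07-17T10:01:05Z\t10.20.1.16\tGET\twww.example.com\t/index.html\t200\tMozilla/5.0 (Windows NT 6.1; WOW64) Firefox/38.0
2015-07-17T10:02:11Z\t10.20.1.17\tPOST\tupdates.example.net\t/ping\t666\tUpdaterAgent/1.2
2015-07-17T10:03:40Z\t10.20.1.15\tPOST\t203.0.113.9\t/gate.php\t200\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1
"""


def unbalanced_parens(user_agent: str) -> bool:
    """True when the UA string has a different number of '(' and ')'."""
    return user_agent.count("(") != user_agent.count(")")


def score_line(line: str):
    """Score one log line; returns None for clean or malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return None
    ts, src, method, host, path, status, ua = fields
    indicators = []
    if unbalanced_parens(ua):
        indicators.append("ua_unbalanced_paren")
    if status == "666":
        # Operator-configurable, and a legitimate server could in principle
        # return it, so this is a weak indicator on its own.
        indicators.append("http_666")
    if not indicators:
        return None
    return {"ts": ts, "src": src, "host": host, "path": path,
            "indicators": indicators,
            "severity": "high" if len(indicators) == 2 else "medium"}


def hunt(log_text: str) -> list:
    """Per-line alerts for the whole log, in log order."""
    return [a for a in (score_line(l) for l in log_text.splitlines()) if a]


def correlate(alerts: list) -> dict:
    """Collapse alerts per (src, host); a pair that shows both tells across lines is high."""
    seen = defaultdict(set)
    for a in alerts:
        seen[(a["src"], a["host"])].update(a["indicators"])
    return {pair: ("high" if len(inds) == 2 else "medium") for pair, inds in seen.items()}


if __name__ == "__main__":
    alerts = hunt(SAMPLE_PROXY_LOG)
    for a in alerts:
        print(a["severity"].upper(), a["ts"], a["src"], "->", a["host"] + a["path"],
              ",".join(a["indicators"]))
    for (src, host), sev in correlate(alerts).items():
        print(f"pair {src} -> {host}: {sev}")
```

The correlation step is what makes the 666 code usable: on its own it flags the benign updater on 10.20.1.17 at medium, but the lane at 10.20.1.15 that shows the broken User-Agent on one request and the 666 reply on another to the same host is promoted to high.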

Like many of the malware families discussed in additional detail in this whitepaper, Alina searches running processes for credit card Track 1 and Track 2 data, then uses HTTP to exfiltrate the stolen data and to fetch updates to itself. Several of the C2 servers it communicates with are shared with the JackPOS malware, linking the two in a way that is not yet fully understood.

Researchers have reported a number of references to an active bitcoin wallet address.[2] The wallet address has been active since August 2013, although it doesn't appear to have been actively used during the lifetime of this malware.

BlackPOS

BlackPOS malware attempts to steal the Track 1 or Track 2 formatted data stored on a credit card's magnetic stripe, as most POS malware does. This information is first sent to another compromised server within the organization. This is done for evasion, and because POS systems almost never have, nor should they have, direct Internet access. Once the data has accumulated there, it is exfiltrated to a C2 server, usually a PHP application that receives the upload the way a forum receives a post, using RC4 encryption over HTTP. The RC4 key B0tswanaRul3z has been observed in many samples. The malware updates itself from this server as well.
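Because the RC4 key in the samples is fixed and known, an incident responder who has captured the HTTP POST bodies from the staging server or the perimeter can recover what was sent. The following Python is an added example, not code from the whitepaper or from BlackPOS itself: it implements RC4, tries a list of candidate keys against a blob, and accepts the first key whose output reads as text. The "captured" body is constructed here by encrypting a made-up upload record with the observed key, since no real traffic is available offline; the record's layout (`cmd=upload&...`) is invented for the example and is not the format BlackPOS actually uses, and the PAN in it is a well-known test card number.

```python
# Key the whitepaper reports as commonly observed in BlackPOS samples.
OBSERVED_KEY = b"B0tswanaRul3z"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XOR with keystream
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace: ~1.0 for text, ~0.4 for keystream garbage."""
    if not data:
        return 0.0
    good = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return good / len(data)


def try_keys(blob: bytes, candidates, threshold: float = 0.95):
    """Decrypt blob with each candidate key; return (key, plaintext) for the first that yields text."""
    for key in candidates:
        plaintext = rc4(key, blob)
        if printable_ratio(plaintext) >= threshold:
            return key, plaintext
    return None, None


# Constructed stand-in for a captured POST body. The record layout is invented
# for this example (it is not BlackPOS's real format) and the PAN is a well-known
# test card number; the body is produced by encrypting it with the observed key.
CONSTRUCTED_PLAINTEXT = b"cmd=upload&host=POS-LANE-07&data=;5500000000000004=25121011000012345678?\n"
CAPTURED_BODY = rc4(OBSERVED_KEY, CONSTRUCTED_PLAINTEXT)


if __name__ == "__main__":
    key, text = try_keys(CAPTURED_BODY, [b"password", b"B0tswana", OBSERVED_KEY])
    if key is None:
        print("no candidate key produced readable output")
    else:
        print("key:", key.decode(), "->", text.decode().strip())
```

The printable-ratio test is the practical check: a wrong key turns RC4 output into something indistinguishable from random bytes, so only the right key crosses the threshold. Any decrypted records that contain track data should be handled under the organization's PCI procedures rather than stored in the case file in cleartext.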

Criminals make the malware as easy to use as possible, even building full-featured admin panels, as shown in Figure 1 for BlackPOS.

Figure 1: BlackPOS admin panel (Source: Group-IB)[3]



VSkimmer

VSkimmer has been around for some time; it appears to have been written in 2012 and was discovered in March 2013, when criminals advertised it for sale on web forums. As with many POS malware families, VSkimmer looks for Track 2 formatted data matching a specific pattern in the memory of running processes: \;?[3-9]{1}[0-9]{12,19}[D=\

