Threat Detection
Telefónica
Trend Report
Point Of Sale (POS) Malware
19/05/2015
Threat Detection | Trend Report | 19/05/2015
Telefónica 2 of 19
Main Findings
Point-of-sale (POS) systems are one of the most critical components in any retail business,
remaining the main entry point of consumer data into a merchant's information environment.
POS malware targets the weak link in PCI-DSS, using 'RAM scraping' techniques to parse the
memory of processes on POS terminals before the card data is encrypted. It is a mature cybercrime
model responsible for the single largest share of confirmed data breaches; its intrusion methods,
such as phishing and social engineering, are often targeted but nothing new. Exfiltration of data,
however, can be complex and is often based on detailed knowledge of the victim's network.
Compiled breach statistics are by definition a trailing indicator of criminal activity, and
focusing too much on headline-grabbing mega-breaches obscures the fact that, from a frequency
perspective, small and medium-sized enterprises are most affected. Lack of awareness that a
breach has occurred, and the limits on subsequent disclosure, present a significant problem
for all organisations. The average time between breach and detection appears to be narrowing, but
the number of detections in Q1 2015 outstripping the previous two years is also a story of
soaring propagation rates.
Industries with very high card transaction volumes, such as retail, accommodation and
entertainment are most at risk from the targeted approach often used during a POS malware
campaign. The size of the U.S. economy, combined with the late adoption of EMV 'Chip and PIN'
technology, makes it a target-rich environment for POS malware, and it will almost certainly
remain the most targeted country during 2015. Technical analysis reveals heavy development
occurring across a few key codebase variants, with some strains adopting nation-state level
complexity and others stripping back and removing unnecessary overhead. Operating in a POS
data environment set to remain largely Windows XP based for several years, it offers a readily
available, proven codebase currently unthreatened by obsolescence.
Drivers behind innovation in POS systems are improving the consumer experience, harnessing
cost and maintenance benefits of cloud hosted services, and improving efficiency through
integration with other business applications. In many cases security and segregation of POS
systems are simply overlooked. The October deadline for U.S. EMV implementation, possibly
preceded by a volumetric surge in attacks, will likely only lessen the risk for large
organisations, and even then data remains that enables fraudulent e-commerce transactions.
While the manner of fraud perpetrated will adapt to the technical environment, in the criminal
marketplace, any personally identifiable information is a valuable commodity; both in itself
and also as part of subsequent data theft campaign to build a more comprehensive identity
portfolio. While it is possible large companies may be able to limit the risk of protracted ‘mega
breaches’, the upwards trajectory of POS malware in 2015 shows no signs of slowing.
Contents
MAIN FINDINGS 2
CONTENTS 3
INTRODUCTION 4
THREAT LANDSCAPE 5
KEY FEATURES & ANATOMY OF AN ATTACK 8
EVOLUTION OF POS MALWARE 11
FUTURE 12
MITIGATION MEASURES 15
ANNEX A – POS MALWARE VARIANTS 17
Introduction
Inception of POS malware
Many early data breaches employed network-sniffing malware capable of capturing
unencrypted card data while in transit. Key components of the subsequent reaction to these
early breaches were the establishment of the Payment Card Industry Data Security Standard
(PCI-DSS), and limited adoption of EMV (‘Chip and Pin’) technology; both intended to protect
cardholder data by helping businesses process payments securely and reduce card fraud.
These measures led attackers to target the point where the card data entered the system, the
point of sale (POS) terminal. A POS device refers to an in store system where customers
conduct transactions with merchants, often swiping a payment card through a reader,
commonly part of a larger sales system. A far from exhaustive timeline that illustrates some
of the headline making data breaches that were caused by POS malware is shown in Figure 1.
Figure 1. Illustration of POS Malware breach headlines 2002 - 2015.
Security controls now commonly result in end-to-end encryption of card data when it is
transmitted, received or stored, although when the data is first read from the card, it can be
found within the RAM of the POS device in an unencrypted form. Unlike a keylogger, this
provides all the card information and, despite a warning made by Visa in 2008, became an
attractive vector for cyber criminals who began quietly honing techniques and paving the way
for continued mega-breaches particularly in the US.
Monetising credit card information
Basic payment card data comes in two forms, known as Track 1 and Track 2. Track 1 holds the
primary account number (PAN) together with the cardholder's name, expiry date and service code;
Track 2 is a shorter, numeric-only encoding carrying the PAN, expiry date and service code, and on
its own is enough to encode a working counterfeit magnetic stripe. There are a number of different
methods that criminals can employ to commit fraud with this level of stolen data, such as encoding
the data onto counterfeit cards or conducting transactions that do not require the physical card,
such as online purchases. Factors such as the type of card, or whether supplementary personal
information is supplied, ratchet up the value of stolen card data to fraudsters. The increasingly
easy monetisation of stolen card data in recent years via online marketplaces such as Rescator.cm,
offering a user-friendly interface and even refunds on card numbers that do not work, has cemented
this as a lucrative criminal enterprise.
Figure 2. Rescator.cm Website.
Threat landscape
POS malware currently accounts for a very low percentage of overall security incidents
reported; Verizon's 2015 breach report placed this figure at a lowly 0.7%. However, when
focusing on confirmed data breaches, POS intrusion was the most common cause, responsible
for 28.5% of all breaches reported by the report's respondents. Previous analysis has
found that the vast majority of data breaches are successful within seconds to
minutes, yet 85% of intrusions targeting POS systems take weeks to discover, and 99% of
POS breaches are discovered by an external source, usually law enforcement. In the interest
of non-disclosure, the samples discovered are rarely widely circulated, hindering security
researchers and, subsequently, the ability of organisations to defend themselves.
Figure 3. Frequency of incident classification patterns with confirmed data breaches.
Although payment card data might be the most obvious target for cyber criminals, and
accounted for the greatest year-on-year increase of stolen information types during 2013-
2014, the more comprehensive a stolen identity profile is, the more value it has on
underground markets. ‘Fullz’ profiles, bolstered by email addresses, government ID card data
and date of birth for example can facilitate more complex fraud.
Figure 4. Types of information exposed.
While it has often been the large retailers who have garnered the most media attention, POS
intrusions account for a rapidly growing proportion of the overall incidents across the
accommodation, entertainment and healthcare industries. Nor is it just a concern for large
enterprise, POS malware targeting small retailers has been a criminal cash cow going back as
far as 2002. The low risk, opportunistic attacks offering a steady stream of card details, albeit
at a low volume are often eclipsed by the large breaches which often require a more advanced
multi-phased approach.
As many businesses outsource their POS solutions, by compromising a POS vendor, attackers
are often able to take advantage of poorly secured remote administration tools and breach a
multitude of different businesses. The pattern of such attacks, often affecting small
businesses, which lack the layers of security controls emplaced at larger enterprises can be
difficult to identify, even for complex fraud analytics due to the indirect relationships with the
issuing banks. So while a single large data breach may net a huge volume of card details, only
a fraction of these can actually be sold, and a smaller but more distributed breach may be more
efficient for the attacker. Notably it is rarely the POS vendor's name that makes the news,
and responsibility follows the data, with the blame remaining firmly with the organisation that
collected the data. Adapting to changes in the marketplace, criminal attack methods are
becoming more varied, and although not as newsworthy, this poses as much of a risk to small
enterprises.
Figure 5. POS intrusions as an increasing percentage of overall data breaches per industry 2013-2014.
In terms of geographic spread of POS malware the U.S is the most targeted country, which
given the size and consumer habits of the economy may be unsurprising. The fact that EMV
technology has not been implemented in a marketplace where the use of credit cards is
commonplace also makes it an attractive target for international cyber criminals. Respondents to
information security industry surveys are usually drawn heavily from U.S.-based companies,
and the fact that certain countries are more likely to disclose, or even be aware of, data
breaches should be taken into account when comparing international spread. Despite this, and
also that some malware variants are focused against a specific region, the overall geographic
spread illustrated in Figure 6, which represents a snapshot of Q4 2014 can be viewed as a good
approximation of the trend.
Figure 6. Geographic spread of discovered 'RAM scraping' POS Malware.
Key features & anatomy of an attack
The way POS malware operates can be viewed in three areas; general characteristics, data-
collection method, and data-exfiltration method.
General Characteristics
This describes functionality seen in malware regardless of purpose, such as code injection,
self-updating, socially engineered file names as camouflage, or in variants that have evolved
from other types of malware. The FighterPOS variant discovered in April 2015 retains botnet-
like capability for conducting both layer 4 and layer 7 DDoS attacks for example, flexibility that
is a valuable selling point in underground marketplaces.
Data-collection method
This covers the whole process from locating the data, through custom searching and whitelisting
or blacklisting of processes, to direct collection by RAM scraping or keylogging, and also the
way the data is validated and encrypted prior to exfiltration.
Data-exfiltration method
During the evolution of RAM scraping POS malware, HTTP POST requests have historically
been the preferred method of exfiltration as they are not saved or cached and do not have size
restrictions. However, recently discovered variants have been found to use a much wider
range of techniques.
These techniques can only be effective when POS malware has penetrated the cardholder
data environment (CDE) and, while PCI-DSS recommends this be segregated from other
internal and external networks, due to the impracticality of implementing this it is not
mandated. Small enterprises may even have a POS system that directly connects to the
internet. However, most retailers processing large volumes of card data will segment the POS
network from the external network appropriately, meaning an attack on a POS system will be
a multi-phase process traversing the corporate network or even the supply chain.
Infiltration
Methods of infection with POS malware are therefore the same as those available to any other threat
agent: social engineering, physical access, SQL injection, or phishing such as the email to a
POS vendor shown in Figure 7, assessed to be connected to the PoSeidon malware variant.
Highly targeted emails with malicious attachments or embedded links are particularly
effective against smaller businesses without corporate security policies, and this also limits
potential of malware exposure to security researchers.
Figure 7. PoSeidon Logo & a phishing email campaign used to target POS vendors.
Lateral movement
Because the POS system needs to be accessible for updates, maintenance and have
connectivity to external servers and payment processors to function, data pathways must
exist within the internal network. Access can be gained to the CDE through escalating
privileges through a variety of methods, such as utilising Trojan keylogger functionality or
brute forcing passwords.
Persistence and obfuscation
Researchers examining POS malware compilation times have found indications that the
malware on many occasions has infiltrated the network for months before discovery. The
manner in which this is achieved varies from utilising small binaries, limited functionality and
hiding in plain sight, to harnessing modular design, encryption, and kill-switch functionality.
Information stealing
As network-sniffing is often now rendered obsolete by P2PE, all the variants analysed in this
report used ‘RAM scraping’ functionality, parsing memory processes for card data strings.
Nearly all of the variants also perform immediate validation on the data, usually with the Luhn
algorithm before preparing the data for exfiltration.
Figure 8. ‘Backoff’ Malware memory scraping code.
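The matching and validation step described above, as an added example that is not code from the report or from any of the malware families it names: a Python parser for ISO/IEC 7813 Track 1 and Track 2 layouts, run over a constructed byte buffer standing in for a POS process's memory, with Luhn validation to discard strings that merely look like track data. It illustrates both the Track 1 / Track 2 description earlier in the report and the information-stealing step here. The buffer contents, cardholder name and 4111... test PAN are constructed sample data; the same regular expressions and check are what a memory-scanning detection tool or a DLP filter would use to find card data sitting unencrypted in a process.

```python
import re
from typing import Dict, List

# Constructed sample of what a POS process's memory might hold once a card has been
# swiped (sample data for this example, not a real memory capture; 4111... is a
# well-known test PAN). A Track 1 record, the matching Track 2 record, and a
# Track 2-shaped string whose PAN fails the Luhn check sit among other bytes.
SAMPLE_MEMORY = (
    b"\x00\x00MSR_READ_OK\x00"
    b"%B4111111111111111^DOE/JOHN^25121010000000000000000?"
    b"\x00\x00;4111111111111111=25121010000000000000?\x00"
    b";1234567812345678=2512101?"
    b"\x00POS session 1234 closed\x00"
)

# ISO/IEC 7813 layouts.
# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2:            ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]{0,40}\?"
)
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]{0,30}\?"
)


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 check digit: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_tracks(buf: bytes) -> List[Dict[str, object]]:
    """Find every Track 1 / Track 2 shaped string in buf and note whether its PAN passes Luhn."""
    found: List[Dict[str, object]] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group("pan").decode()
        found.append({"track": 1, "pan": pan, "name": m.group("name").decode(),
                      "exp": m.group("exp").decode(), "luhn": luhn_valid(pan)})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode()
        found.append({"track": 2, "pan": pan, "name": None,
                      "exp": m.group("exp").decode(), "luhn": luhn_valid(pan)})
    return found


def validated_pans(buf: bytes) -> List[str]:
    """Unique PANs that match a track layout AND pass Luhn: the set a scraper keeps, or a scanner alerts on."""
    seen: List[str] = []
    for rec in scrape_tracks(buf):
        if rec["luhn"] and rec["pan"] not in seen:
            seen.append(rec["pan"])
    return seen


if __name__ == "__main__":
    for rec in scrape_tracks(SAMPLE_MEMORY):
        print(rec)
    # A defensive tool should log a masked PAN, never the full value
    print("validated:", [p[:6] + "*" * (len(p) - 10) + p[-4:] for p in validated_pans(SAMPLE_MEMORY)])
```

The Luhn check is why the 1234567812345678 string is dropped even though it has the right shape; it is also why a monitoring tool that applies the same filter on the defensive side produces few false positives when scanning process memory or outbound traffic.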
Exfiltration
Methods to extract the stolen data also vary greatly between variants. Some simply use
a hardcoded path to a location on the internal network to store the data for later retrieval,
while others use outbound protocols such as SMTP or DNS requests. The LogPOS and Chewbacca
variants have adapted techniques used by APT groups, using IPC mailslots and anonymising
networks respectively to move cardholder data before exfiltrating it over HTTP.
An individual breakdown of the key malware variants can be found in Annex A.
Malware infection via the network has become the most frequent attack vector, although it is
also possible at the device level. This can be perpetrated by anyone with physical access to
the device such as an employee, or also even before deployment during the supply chain, as
previously observed with smartphones for example.
Evolution of POS Malware
The wide availability and relatively cheap price of POS malware source code ensures that
newly discovered strains often bear close resemblance to a previous malware variant.
Particularly since the source code of BlackPOS was leaked, the last several years have seen a
notable increase in POS malware propagation. The constant stream of new malware families
discovered in the first quarter of 2015 has amplified this upward trajectory. As indicated in
Figure 9, when a new variant is released it can result in significant propagation peaks.
Figure 9. Evolution of POS malware variants and ‘Backoff’ POS Malware propagation patterns Q1 2015.
POS malware can be bought as an off-the-shelf kit, easily modifiable and re-deployable
with little programming skill. Equally, skilled malware authors have tailored the functionality
to operate in specific network environments, utilising complex botnet-like capabilities.
Conversely, some authors have stripped out all unnecessary overhead, keeping the focus tight and
the codebase small enough to fly under the radar.
POS malware analysis is largely hindered by legislative barriers surrounding law
enforcement investigations, and new samples are often not freely distributed. The
withholding of some technical details can also complicate analysis and has the potential to
distort attribution. Despite press reporting claiming that the Russian state was behind large
data breaches in the U.S. in order to destabilise the economy, POS malware can usually be
attributed directly to criminal groups acting for financial gain, albeit, as the examined code
would suggest, often authored by Russian-speaking individuals.
Future
POS malware adapts to the nature of the payment systems that it must operate within, so
future technology trends and innovation must be considered in order to predict the changing
threat landscape.
Payment Innovation
While most developed countries have moved to implement EMV technology in the past
decade, notably the US has been a late adopter due to the complexity of rolling out new
technology on the scale of the payment infrastructure. The implementation roadmap has a
deadline of October 2015 for merchants, however this is only the date when the card issuer
ceases to be liable for non-compliant POS systems. The initial implementation will also allow
‘Chip and Signature’ instead of a PIN.
EMV technology only protects against physically stolen cards and card counterfeiting
however, and while its implementation in the UK reduced in-store card fraud by 75% in 8
years, fraudsters merely changed attack vector, conducting transactions that do not require
the physical card. As a result of increasing e-commerce transaction volumes, card not present
fraud is in fact predicted to rise with or without the implementation of EMV. Advanced fraud
analytics can also assist, and had an impact after implementation in the UK during 2008, but
this can only help in mitigating losses once a breach has already occurred. In cases where POS
vendors have been breached, the lack of a common point of purchase hinders such analytics
even further.
Figure 10. Figures in millions (£) of UK credit card fraud and countermeasure implementation date.
While retailers adopting EMV will reap the benefits of reduced fraud risks, its implementation
is not a silver bullet to eliminate POS malware or lessen the impact of the large US data
breaches. Criminals have already developed a variant of a ‘replay’ attack targeting banks that
are in the process of upgrading their payment networks to handle EMV transactions,
leveraging the change process as a temporary vulnerability. Additionally, the October deadline
will be well known in criminal circles and a surge in POS malware is possible as malware authors
rush to release new variants, however further development after this date will continue to
provide returns for criminal organisations.
Mobile payments & POS System Development
Innovation in retail technology is now allowing enterprises to re-imagine the physical layout
of a store, changing the manner in which employees and customers interact and pay for goods
and services. The rise of digital marketing and e-commerce has also driven the building of
digital identity at point of sale, and additional data such as email and phone numbers are now
frequently collected in this manner. Web-based mobile POS (mPOS) technology deployed on
internet-enabled devices can remove the requirement for large sales counters and is
affordable for even small retailers. A card reader attached via Bluetooth or an audio jack
facilitates the transaction, and as most mPOS devices use Android or iOS operating systems,
this could initially limit risk exposure as most current POS malware is not written for these
platforms. However POS malware authors have demonstrated intent and capability to target
individual businesses, and in driving POS transactions to be as swift and enjoyable as possible,
there is a risk that the security of new features may be overlooked.
Figure 11. mPOS and mobile payment devices.
Likewise, the uptake of Near Field Communication (NFC) and digital wallet technology using
tokenisation and virtual credit cards opens up new vulnerabilities of its own, but
importantly does protect the credit card data. This will not hinder POS malware from operating, but
it potentially makes the data available through RAM scraping far less valuable, as the
authentication takes place on the device not the POS terminal, and no card details are
transferred. It is also possible for merchants to employ secure POS devices, capable of
enabling Point-to-Point Encryption (P2PE) immediately from the initial card swipe, and
therefore denies POS malware from scraping any unencrypted data. However as banks
generally charge a per transaction fee for this service, it is often not viable for small retailers,
and widespread uptake of any changes at POS will not occur in the short term.
Operating System Upgrades
Despite the launch of the Windows 8 variant 'Windows Embedded POSReady 8' in 2013, many
POS systems still run POS variants of Windows XP. Unlike desktop support for Windows XP,
support for Embedded Windows XP for POS continues until 2016, and will likely be in
widespread use for long after this date, particularly in small businesses. Existing malware will
therefore be able to be repurposed for POS targets for some time to come, lowering the barrier
to enter the field for malware authors. The more advanced variants of POS malware have
already been observed on current versions of Windows, and it is likely this source code will be
widely available to criminals before most POS systems upgrade to more advanced OS.
PCI-DSS
As the research has demonstrated, even a PCI-DSS compliant organisation can be vulnerable
to POS malware. Therefore, while the standard is useful for implementing layered security, it
must be viewed from a risk standpoint rather than merely as a compliance level to achieve,
and organisations should also consider additional out-of-band security controls. Additionally,
much of the guidance on controls protecting cardholder data has so far only been considered best
practice, and measures such as protecting POS systems from physical tampering only become
mandatory on 30th June 2015.
Mitigation Measures
Control measures exist that prevent POS malware from stealing payment card data, although
they will not be suitable for organisations of every size and business vertical. While the
malware has evolved, the methods used to penetrate the network are largely unchanged.
Exfiltration methods, however, are often based on detailed knowledge of the network, so
organisations need to be especially vigilant and should assume the network has already been penetrated.
Basic security hygiene and awareness of threat landscape
Basic training regarding phishing, password policy and remote access, for example, would keep
employees alert to threats. Simple network hardening through patching, privilege
management, monitoring for changes to Registry keys, and application control will likewise
prevent many threats. Keeping up to date with the latest threat vectors, signatures and
exfiltration methods will enable optimal configuration of POS and network controls.
Supply chain and POS vendor selection
If POS services are to be outsourced, the chosen vendor should be contractually bound to
implement appropriate security measures; many data breaches have been conducted by
attackers using default passwords on vendors' remote access tools. Anticipating a breach
scenario will assist in drafting contractual areas such as responsibility, escalation and
liability limitations.
Segmented networks and monitoring
While external communication is a functional necessity for POS systems to transmit data and
update software, the cardholder data environment should be segregated as much as possible.
It is also good practice to assume a breach has already occurred and scrutinise outgoing traffic
as much as inbound. Variants that only become active during business hours, exfiltrate data via
DNS or mailslots, or hide in plain sight within normal network traffic mean that organisations
must remain vigilant to stay protected.
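One way to scrutinise outgoing traffic for the DNS channel mentioned above, as an added example that is not code from the report: a Python detector run over constructed DNS query log lines. The log layout ("timestamp client qtype qname"), the client addresses, the cdn-update.invalid domain and the length and entropy thresholds are all assumptions for the example. It flags queries whose leading label is long and high-entropy, the shape of encoded card data being smuggled out in hostnames, and counts hits per client and parent domain so a single odd lookup does not page anyone. Mailslot exfiltration is local to the host and does not show up here; that is a job for endpoint monitoring.

```python
import math
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Constructed DNS query log (sample data for the example, not a real capture).
# Assumed layout: "<timestamp> <client_ip> <qtype> <qname>".
# 10.20.5.27 is the "infected" POS host; cdn-update.invalid is the assumed attacker domain.
SAMPLE_DNS_LOG = """\
2015-05-19T10:01:02 10.20.5.14 A time.windows.com
2015-05-19T10:01:05 10.20.5.14 A crl.microsoft.com
2015-05-19T10:01:09 10.20.5.14 A ctldl.windowsupdate.com
2015-05-19T10:02:11 10.20.5.27 TXT 4a7f1c9e2b8d3f6a5e0c7b9d1f4a8c2e.cdn-update.invalid
2015-05-19T10:02:12 10.20.5.27 TXT e7c2a9f04b6d18e3c5a7f9b2d04e6c81.cdn-update.invalid
2015-05-19T10:02:13 10.20.5.27 TXT 3b9d1f4a8c2e4a7f1c9e2b8d3f6a5e0c.cdn-update.invalid
2015-05-19T10:02:14 10.20.5.27 A www.cdn-update.invalid
2015-05-19T10:03:00 10.20.5.31 A pos-gateway.corp.invalid
"""

# Tuning assumptions: encoded payload labels are long and look random; ordinary
# hostnames are short dictionary-like words.
MIN_LABEL_LEN = 24
MIN_ENTROPY_BITS = 3.0


class Query(NamedTuple):
    ts: str
    client: str
    qtype: str
    qname: str


def parse_log(text: str) -> List[Query]:
    """Parse the assumed four-column log layout, skipping malformed lines."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            out.append(Query(*parts))
    return out


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hex or base64 payloads score near 4, words well below 3."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    # Assumption for the example: registered domain = last two labels.
    # A production detector should use the Public Suffix List (co.uk, com.br, ...).
    return ".".join(qname.rstrip(".").split(".")[-2:])


def suspicious_label(qname: str) -> bool:
    """True if the leading label looks like an encoded data chunk rather than a hostname."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:  # need a subdomain label in front of the registered domain
        return False
    first = labels[0]
    return len(first) >= MIN_LABEL_LEN and shannon_entropy(first) >= MIN_ENTROPY_BITS


def find_dns_exfil(text: str, min_hits: int = 2) -> Dict[Tuple[str, str], int]:
    """Count suspicious queries per (client, parent domain); report pairs at or above min_hits."""
    hits: Counter = Counter()
    for q in parse_log(text):
        if suspicious_label(q.qname):
            hits[(q.client, parent_domain(q.qname))] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}


if __name__ == "__main__":
    for (client, domain), n in find_dns_exfil(SAMPLE_DNS_LOG).items():
        print(f"ALERT {client} -> {domain}: {n} encoded-looking queries")
```

The aggregation key matters more than the per-query heuristic: a scraper that has collected a day's worth of track data must send many chunks to the same parent domain, which is the pattern a resolver log shows even when each individual label is short enough to slip under a length rule.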
Point-to-point encryption
Removes the opportunity for RAM scraping malware to obtain track data by encrypting from
the initial swipe; if implementation is viable.
Two-factor authentication
Restrict number of users able to access the CDE, and implement two-factor authentication at
all entry points.
Mobile payment methods
Although not yet in wide use, payment systems such as Apple Pay and Google Wallet never
actually reveal the consumer's card details to the merchant over the POS system, instead
using tokenisation or a virtual card system.
Fraud Analytics
Banks have developed algorithms to model normal card usage per customer and therefore
subsequently be capable of identifying anomalous, possibly fraudulent behaviour after it has
occurred.
ANNEX A – POS MALWARE VARIANTS
BlackPOS
Media coverage of the Target data breach highlighted the use of the malware BlackPOS.
Developed by 17-year-old Russian hacker Sergey Taraspov in 2010, variants were sold on
underground forums for as little as $2000 after the source code was leaked online. The
malware had been part of a wide-ranging criminal operation that from the Target data alone
was expected to generate $53.7 million.
BlackPOS variants search the process memory using several methods, either custom
searching for identifier bytes followed by the correct number of digits, or applying the search
to a given number of bytes at a time. Excess data can be collected using this method as the
results are written to a file on disk and the validation is designed to take place offline after
exfiltration. The data can be exfiltrated in various methods, and email or FTP have both been
observed. The design can be adapted to steal a wide range of data, such as supplementary
personal identifiable information for example, and the utility it affords combined with its
notoriety will likely see further uptake and evolution in the hands of cyber criminals.
LogPOS
While using the common RAM scraping module, the LogPOS variant of malware discovered in
January 2015 was found to have adapted a communication technique previously used by APT
groups. By utilising the IPC mailslot mechanism, the main executable acts as a server, while
code injected into multiple running processes acts as a client and writes the card numbers found
to the mailslot. The executable compares running processes to a whitelist and, if a process is not
on it, injects shellcode that parses for Track data and validates it using the Luhn algorithm
before the result is written to the mailslot and sent out over HTTP. By using a mailslot in this
manner it avoids leaving credit card data strings in a file before they have been sent to a remote site.
FrameworkPOS
A variant of FrameworkPOS was responsible for the data breach at US retailer Home Depot,
compromising the details of 56 million credit and debit cards. Believed to have been created
to mimic some of the features of BlackPOS, it first achieves persistence through installation
of a windows service, then after checking the scanned process is not present on an exclusion
list will search the process memory. After writing discovered card data to a dump file it is
pushed to a samba share on the local network. Like BlackPOS, FrameworkPOS seems to be
off-the-shelf malware that attackers can tailor for specific target sets that they have a good
understanding of.
PwnPOS
Although only discovered by researchers in March 2015, the PwnPOS malware family is
thought to have been active in the wild for several years, and has since been noted in small
and medium sized businesses worldwide. By employing a simple construction of a RAM
scraper binary, and a second binary for data exfiltration the malware has gone un-noticed.
Data is exfiltrated using SMTP and differences in the binary are thought to suggest multiple
authors. Persistence is achieved by including parameters which can remove the malware from the
Services applet, a common place for anti-malware tools to enumerate malicious entries. The
file remains dormant in the %SYSTEM$ directory until activated, and although effective, using
this location does not future proof the malware beyond versions of Windows XP. The RAM
scraping function searches for strings of Track data and then conducts validation using the
Luhn algorithm before the exfiltration binary creates a Zip file and sends it to a pre-defined
email address with SSL and authentication before finally cleaning the files used.
Mozart
Reported as the malware family used in the Home Depot data breach, as with many other
variants it is thought to have been around for some time before it was discovered. It sets itself
up as a service for persistence and creates a temporary file to store data after being located
by the RAM scraper. Before they are stored, a function parses Track 1 and 2 data and then
uses Luhn for validation before encoding the card numbers in base64. The data stored in the
temporary file is then appended to a file with a hardcoded path in order for the criminal to
retrieve the data from multiple POS machines from one location. Lurking in plain sight,
being active only during 0900-1800 office hours and using file names that appear legitimate
were the only means of evasion needed during the theft of 56 million credit card accounts.
PoSeidon
Discovered in the wild by Cisco in March 2015, PoSeidon combines some Trojan capabilities
with the commonly used RAM scraping and exfiltration techniques. It operates by first
establishing persistence, which also works on post-XP versions of Windows, then contacts a
C&C server to retrieve a URL from which to download a keylogger and RAM scraper binary. It
then uses the common method of cycling through all running processes not on a whitelist,
following up with Luhn validation and base 64 encoding, before sending out the data over
HTTP, commonly servers located in Russia.
Chewbacca
Found to have infected POS terminals in US retailers in early 2014, Chewbacca also
incorporates keylogger functionality in a relatively simple package with little in the way of
defence mechanisms. After parsing memory it stores the card data in a file called system.log.
The communication with the C&C server is handled through the Tor network, sending out the
data over HTTP, with a server-side control panel enabling the controller to manage the
botnet and review the stolen card data.
FighterPOS
This POS malware, discovered in April 2015, is the result of a one-man criminal operation,
supposedly by a Chilean named 'AlenjandoV', and is responsible for stealing more than 22,000
card records from Brazil, Canada and the U.S. in just one month. Its author has adapted
features from the VnLoader botnet malware to enable control of infected POS terminals and
DDoS attacks, while the RAM scraping component is thought to have been developed from the
NewPOSThings malware; the finished product retails for around £3,500 (€5,000). Although
written in the outdated Microsoft Visual Basic 6, it is still observed to function on fully
patched systems. It communicates with a C&C server over HTTP, checks running processes
against a list, writes the scraped data to a .txt file and encrypts it with the Rijndael
algorithm before sending it back to the C&C server.