POS malwares has been on the rise since last few quarters . We've been witnessing increasing volume of the malwares targetting Point of Sale devices . These malwares primarily get installed on the windows terminals used as point of sale in the stores , enumerates the process memory and reads the track1 / track2 information from the RAM as and when terminals reads the information embossed in the megnetic strips of the card. This information is the sent back to the C&C server. Apparently , tt could be used by the attackers to clone the card with the same information and further , embossing equipments like CC embosser / Printer / writer machines readily available in the market can be used to make the cards look like the original one . I blogged about one of the similar attack in the past called Vskimmer .
Another attack named BlackPOS very similar to this has been around for a while targetting the Neiman Marcus and Target stores compromising almost 110 Million customers. Neiman Marcus group confirmed this attack :
This has extensively been talked about in the blog post by Xylibox over here. I've had a look at one of the sample related to this attack to see how it exfilterates the stolen information. One of the way malware is found to be generating the network traffic is by executing the commands via "PsExec" sysinternals tool . PsExec is the utility to execute the processes on the remote system. It can invoke the command prompt on the remote systems as well .
BlackPOS connects to the SMB share on the hardcoded IP address 10.116.240.31 which is kind of presumed to be the internal subnet IP of the targetted stores and executes the taskkill command invoking the command shell on the remote system.
It creates the log file with the name of the current system time and date . For instance during the time of execution of this malware it created the file with the name data_2014_2_3_16_11 . It drops the txt file "cmd.txt" in the same directory with the list of commands it would execute from the command shell while opening the FTP connection to the C&C server . Below you can notice the "open" command being used . This can be fired from the command prompt after entering the FTP shell prompt .
Below screenshot shows the dropped cmd.txt file with all the ftp commands along with username and password :
and then eventually launches all the above commands from the cmd shell
All the commands as and when executed are also being logged on the console
While looking at the multiple samples for BlackPOS , we've came across several different IPs being connected to via FTP . However , data exfilteration has been not found to be done via any other protocol.
Point of Sale malwares also nicknamed as RAM Scrappers are increasing in the last few quarters . Apparently one of the reason to directly target the sale devices is its ease of implementation rather than employing the sophisticated traffic interception and hooking methods which has become the history now.
Posts
