HackDig : Dig high-quality web security articles for hacker

Adventures in PoSeidon genealogy: Tracking a malware family tree

2015-04-09 19:00

In late March, Cisco blogged about an interesting case of Point-of-Sale (PoS) malware. Reading through their description, I couldn’t help but notice that the core exfiltration malware module named by Cisco, FindStr, is in its sixth and possibly even seventh incarnation. Could it be that there are other versions of that PoS malware which didn’t make it to be famous?

 

Looking for command and control

 

Poseidon Square.jpgArmed with the “phone home” string and the IP resolved from one of the contacted hosts (151.236.11.167), I went hunting. The IP and the string didn’t prove to be useful. I suspect this is due to the “home base” host names being extremely volatile. As a result, the IP address as the string is not apparent enough to be a part of automated replication results, which are often quite simplistic.

 

What did help, though, was a part of a referrer URL of the POST request. The URL looked like this: hxxp://etidfortgot.ru/pes8/viewtopic.php

 

What drew my attention was the number after “pes”. Could it be that we are dealing with different versions of the malware as well as of the command and control (C2) server? Perhaps it is a rudimentary attempt at a server side load balancing. Either way, there should be some samples worth looking at. Searching for “pes[1..12]/viewtopic.php” in the replication results gave me a number of samples as shown below.

 

78e445df06d81d872d4011184188f8218d0ed3c1e641679f5a3e1d0c3a6e5559 /pes12 vers=6.03 73ffd3f2766ca107382d5a9c64a91b17e6adaf7b202fad85cf7b564f300fb86f /pes11 vers=6.02 ddf9bd20283c837cb6a6071c45563bd70890a537413603f0508b39973ffea4e0 /pes9 vers=6.00 6a7ce1b73cc65c8af11738b6d5e1acf9e9183a4f57a36547c715bb5041d14f0a /pes8 vers=6.00 38348805d728f816b13667d53b2d20dbd46212d94594dc98b191a01f9f3d090e /pes8 vers=6.00 e81a858fca04b2a9c72b40a6e56be236d8e9491da3d7c53b1fd012c14c6b90a2 /pes7 vers=5.90 9e295d3807772889585d16cb5f334156f0c866cc50fbbbde8bc8ce9266ad4d21 /pes6 vers=6.04 6d73793894b9a8f0404e5378c7edf68243da67b907e634231fc629860d24a6d9 /pes4 vers=6.04 40680dbfb20fbb536bc04cffd886eb33481b655b978d213cd4c0b421cc8e245b /pes1 vers=2.1 7b78170a7a29a689788aea9d45af0365af9ea35693735e94857bb03a13d547dd /pes vers=8.3

 

Analyzing these samples further, I noticed that they did not rely on a downloader to establish its system boot persistence. They would drop copies of itself into %system32% and/or the %user% directory with randomly build alphabetical names (e.g., gdohdohq.exe) and set

 

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun

 

and / or

 

HKEY_CURENT_USERSoftwareMicrosoftWindowsCurrentVersionRun

 

registry keys to point to a dropped copy of the malware, which ensures the Trojan will continue to re-spawn after a reboot. The system install behavior, as well as the network traffic, was consistent across the sample set. This implies we are dealing with the same malware family.

 

Unfortunately, the naming convention for this malware family hasn’t caught up with it. This may be due to the low impact of the samples found in the wild, the lack of an in-depth analysis, the number of the encryption and obfuscation techniques employed by the malware variants, or all of the above. Either way, the names for this family of malware include Win32.Crypt, Mal/Generic, Win32.PackedAP, Trojan.Foreign, Trojan.Agent, Trojan.Win32.Generic, and WS.Reputation.1. What we see is quite a name disparity among anti-virus (AV) vendors, and it highlights the fact that most of the samples were automatically or heuristically signed or detected.

 

It was also noted that all but one of the samples generated a C2 communication string similar to the “FindStr” module described in Cisco’s blog. The variation contacting /pes/viewtopic.php had a different string format. It didn’t communicate back Base64-encoded “computer name and domain / user name” information and only had an encoded MAC address in the uid field. Also the version number of the malware was set to 8.3

 

uid=[1-9]{19}&win=<major>.<minor>&vers=8.3

 

where [1-9]{19} is a regular expression identifying 19 digits for the uid field.

 

Beginning with variants associated with pes1, pes4, pes6, pes7, pes8, pes9, pes11 and pes12, the string was almost identical in its format, with one major difference – the versions, which they claimed were vers=2.1, vers=6.04, vers=5.90, vers=6.00, vers=6.02, vers=6.03 and vers=6.04.

 

The distribution of the versions in pes6 and pes4 cases means that there’s probably an ongoing “recycling” effort, utilizing an already established infrastructure of C2 servers tailored towards the needs of newer variants of the malware.

 

Social engineering attempts as a vector of malware propagation

 

Most of the samples from the list pretended to have legitimate developer metadata, which when coupled with a file name and a legitimate icon could aid the malware distribution. The developer metadata observed was as follows:

 

SHA256: 7b78170a7a29a689788aea9d45af0365af9ea35693735e94857bb03a13d547dd

Copyright: Copyright (c) Informer Technologies, Inc., 2007-2014

Publisher: Informer Technologies, Inc.

Product: Software Informer

Internal name: Software Informer

File version: 1.4.1233.3

Description: Software Informer

 

 

SHA256: 40680dbfb20fbb536bc04cffd886eb33481b655b978d213cd4c0b421cc8e245

Copyright: Copyright 2005-2014 YL Software

Publisher: YL Software

Product: WinUtilities System Control

Original name: ToolSysControl

Internal name: ToolSysControl

File version: 2.6.0.2

Description: WinUtilities System Control

 

 

SHA256: 6d73793894b9a8f0404e5378c7edf68243da67b907e634231fc629860d24a6d9

Copyright: Copyright (C) 2014 SWGSoft P

roduct: jeta-aaalogo Application

Internal name: jeta-aaalogo

File version: 1.0.0.4

Description: jeta-aaalogo

 

SHA256: 9e295d3807772889585d16cb5f334156f0c866cc50fbbbde8bc8ce9266ad4d21

Copyright: Copyright (c) 2005-2014

Publisher: IObit

Product: IObit Malware Fighter

Original name: IObit Malware Fighter

Internal name: IObit Malware Fighter

File version: 2.5.0.8

Description: IObit Malware Fighter

 

SHA256: 73ffd3f2766ca107382d5a9c64a91b17e6adaf7b202fad85cf7b564f300fb86f

Copyright: Copyright (c) Informer Technologies, Inc., 2007-2014

Publisher: Informer Technologies, Inc.

Product: Software Informer

Internal name: Software Informer

File version: 1.4.1233.3

Description: Software Informer

 

SHA256: 78e445df06d81d872d4011184188f8218d0ed3c1e641679f5a3e1d0c3a6e5559

Copyright WiseCleaner.com

Publisher WiseCleaner.com

Product Wise Care 365

Original name WiseCare365.exe

Internal name Wise Care 365

File version 3.4.3.300

Description Wise Care 365

 

It seems the developer information started to appear as part of the malware distribution tactics fairly recently, beginning with versions 6 and above. Ironically, some of the variants claimed to be helpful software utilities for optimizing PCs and fighting malware. Do not confuse this developer information with that provided in digital certificates, as the binaries are not digitally signed.

 

Memory access and scraping in search of credit card numbers

 

Further analysis of the memory scraping techniques presented nothing new, and are already well represented among similar malware targeting PoS applications. The malware makes an effort to avoid memory violation exceptions by staying under radar and not alerting a user of its existence. Upon building a list of memory processes by calling EnumProcesses, it iterates through the list making sure the process is not running under the “NT AUTHORITY” Security ID (SID). The malware only scrapes the process memory pages that have PAGE_READWRITE memory protection. The rudimentary algorithm of the memory scraping technique adopted by the malware is presented in Figure 1.

 

figure-1.PNG

Figure 1 Memory-scraping technique

 

The actual algorithm is elaborate enough to optimize the number of ProcessRead calls, limiting them to a combined range for consecutive pages that have the PAGE_READWRITE access. This is not shown for the sake of simplicity.

 

Credit card information parsing

 

First, the parsing algorithm is concerned about anything between 30h and 39h ASCII code inclusive, which means numbers. It races through the consecutive numbers, breaking out if the symbol is above 39h or below 30h ASCII code or if the sequence exceeds 25 bytes, as shown in Figure 2.

 

figure-2.png

Figure 2 Initial parsing algorithm

 

If any of those conditions are met, it checks the sequence it found to confirm it is indeed no more than 19 bytes. This is as much as the length of the Primary Account Number (PAN) is allowed to be according to industry specifications. Anything above that range is discarded, as seen in Figure 3.

 

figure-3.png

Figure 3 Checking for PAN

 

One might ask why not the program doesn’t check for 19 consecutive numbers right away; I could only speculate. Judging by the generated code, especially in the way the comparison for 19 is done, it looks like either an attempt at obfuscation, or something just as simple as some experiments with a source code left unchecked. 

 

Next it checks if the found sequence of digits is terminated either with “^” or “=”. This further validates the number and distinguishes between the card’s Track 1 or Track 2 sequences, as seen in Figure 3 above. (For a refresher course on Track 1 and Track 2, please see this January 2014 HPSR post.)

 

The entire algorithm is sufficiently aware of the Track 1 and 2 formats to parse and validate information found in memory, such as the cardholder’s first and last name, card expiration date, PAN, and any other discretionary data. The Trojan seems to be only interested in PANs beginning from 3 with a length of 15 digits; or 4, 5, or 6 with a length of 16 digits. These are likely to represent American Express, Discover, Master Card, or Visa, as shown in Figure 4.

 

figure-4.png

Figure 4 Check for credit card numbers

 

A case of déjà vu?

 

Malware with this level of sophistication and an established C2 infrastructure and versioning mechanism doesn’t happen “overnight.” It evolved through continued efforts to stay abreast of detections while adding new attack vectors and update mechanisms. As it happens, I would carefully suggest that the malware family described above, judging by its characteristics and network traffic, is not new -- and can claim originality barely, if at all. Looking at US-CERT Alert TA14-212A, we can see that the described malware has its roots in variations of the Backoff malware dating back to July 2014. Its evolution can be also seen through analysis done by Unit 42 of Palo Alto Networks.

 

I think I’m infected – now what? [Not for the faint of heart: proceed with caution]

 

One of the key things to watch for is weird, out-of-place process names such as the one pictured in Figure 5. To further analyze this process, I used Process Explorer by Sysinternals. Make sure you start it with the administrative privileges. To do so, right-click on the Process Explorer executable and choose to run as Administrator.

 

Figure 5 Process Explorer view (click to open in new window)

 

Once we identify the process, take a look at the printable strings by right-clicking the process name, selecting properties, selecting “Strings in Memory,” and clicking Find. When searching for “AUTHORITY,” you should find a set of similar string to those found in Figure 6.

 

Figure 6 Searching for string "AUTHORITY" (click to open in new window)

 

To terminate the process, right-click on the process name within the Process Explorer and choose “Kill Process Tree.”

Next, let’s have a look in the registry. Specifically, look at the registry keys

 

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun

 

and

 

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun”.

 

One or both of these keys may have a value pointing to a similarly named executable and its location. Delete the value from the key and delete the executable from the disk.

 

If no other malware was the culprit in this infection, you probably got rid of this malware. Reboot the system and again watch for the processes with mangled alphabetical names.

 

You could try to do all that, or you can run your favorite AV software. Chances are it will take care of it.

 

Conclusion

 

Analysis of this malware family showed that we are dealing with a well-established C2 framework and potentially a number of threat actors behind it. These individuals are quick to react to changes in detection rates and blocking network traffic rules while maintaining the malware family persistence by advancing its version and vectors of propagation.

 

Since IP addresses are more difficult to allocate and change, one way to make it more costly for the perpetrators to operate would be to quickly identify the IP address list in use by this malware family’s infrastructure and block the traffic at the organization’s network edge servers. This prevents the malware from “phoning home” and provides time for network defenders to have a chance to clean the infected system.

Read:2406 | Comments:0 | Tags:No Tag

“Adventures in PoSeidon genealogy: Tracking a malware family tree”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud