FighterPOS PoS Malware Gets Worm Routine - Trend Micro


A TrendLabs Report
FighterPOS PoS Malware Gets Worm Routine
Technical Analysis

TrendLabs Security Intelligence Blog
Jay Yaneza and Erika Mendoza
Trend Micro Cyber Safety Solutions Team
February 2016

Contents
Introduction
Floki Intruder
TSPY_POSFIGHT.F
Distribution
Conclusion

TREND MICRO LEGAL DISCLAIMER

The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.

Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.

Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.

Introduction

After identifying FighterPOS in April last year, we found that the threat actor began creating new variants of his tool, and he wasted no time doing so. In the months following our initial write-up, we uncovered some more versions of the EMV Card Data Recorder, another variant of FighterPOS (BrFighter) with the name 'Floki Intruder', and a very unusual version that borrows code from both NewPOSThings and a very old 2011 PoS threat called RDASRV. Let us discuss these new discoveries.

Floki Intruder (WORM_POSFIGHT.SMFLK)

Right from the start, Floki Intruder bears an obvious resemblance to the main FighterPOS, as it is based on the same vnLoader botnet client. However, its code has been shared and was compiled on a different machine (possibly by a different threat actor).

Figure 1: FighterPOS code compiled on two different machines

Floki Intruder appears to be an update to the main FighterPOS due to its added capabilities. These include commands that disable the Windows Firewall and default Windows protection, in addition to disabling the UAC. It also checks for other security products installed in the system by using WMI.

    netsh firewall set opmode disable
    net stop security center
    net stop WinDefend

Figure 2. Query execution that detects security products.

Figure 3. Hexadecimal value passed via URL

Floki Intruder is distributed through a compromised web site, with updated variants being downloaded from its C&C server. However, when reaching out to the C&C server, there is a slight change in the message used by WORM_POSFIGHT.SMFLK:

Figure 4: Format of a recent FighterPOS sample: [timestamp ID] and a message about a new infection.
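As an added example (not from the report), a small Python detector that turns the three commands shown above into rules and runs them over constructed process-creation events; the key=value log format, the wmic query used to stand in for the WMI check, and the two-rule correlation threshold are assumptions.

```python
import re

# Constructed process-creation events in a simplified key=value format (not real
# telemetry); the first three commands are the ones shown in the report.
SAMPLE_LOG = r"""
2016-02-10T10:00:01Z host=POS-01 parent=InstallExplorer.exe cmd='netsh firewall set opmode disable'
2016-02-10T10:00:02Z host=POS-01 parent=InstallExplorer.exe cmd='net stop security center'
2016-02-10T10:00:03Z host=POS-01 parent=InstallExplorer.exe cmd='net stop WinDefend'
2016-02-10T10:00:04Z host=POS-01 parent=InstallExplorer.exe cmd='wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName'
2016-02-10T10:05:00Z host=POS-02 parent=explorer.exe cmd='net stop spooler'
2016-02-10T10:07:00Z host=POS-03 parent=cmd.exe cmd='net stop WinDefend'
"""

# Rules derived from the report's commands. The WMI rule is an assumption: the page
# only says security products are enumerated via WMI, not which class is queried.
RULES = {
    "firewall_disabled": re.compile(r"netsh\s+firewall\s+set\s+opmode\s+disable", re.I),
    "security_center_stopped": re.compile(r'net\s+stop\s+"?security\s*center"?', re.I),
    "defender_stopped": re.compile(r"net\s+stop\s+windefend\b", re.I),
    "wmi_security_product_query": re.compile(r"securitycenter2|antivirusproduct|firewallproduct", re.I),
}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+parent=(?P<parent>\S+)\s+cmd='(?P<cmd>.*)'$")

def parse_event(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def matched_rules(cmd: str) -> list:
    return [name for name, rx in RULES.items() if rx.search(cmd)]

def scan(log_text: str, min_distinct_rules: int = 2) -> dict:
    """Return {host: sorted rule names} for hosts hitting at least min_distinct_rules
    different rules. A single hit (an admin stopping Defender) is noisy; several
    distinct hits on one host is the pattern the report describes."""
    hits = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        for name in matched_rules(ev["cmd"]):
            hits.setdefault(ev["host"], set()).add(name)
    return {h: sorted(r) for h, r in hits.items() if len(r) >= min_distinct_rules}

if __name__ == "__main__":
    for host, rules in scan(SAMPLE_LOG).items():
        print(host, rules)
```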

Compared to the initial FighterPOS, which used the Portuguese phrase 'Novo Bot Infectado' (New Bot Infected), WORM_POSFIGHT.SMFLK now uses the English phrase 'New Infection myGod'. The reference to 'god' is seen again when it attempts to retrieve commands from the C&C panel, as the HTTP User-Agent field used is 'FromtheGods'. However, the C&C panel page retained the word 'comando', which is Portuguese for 'command'.

Figure 5: Comparison between the original FighterPOS and WORM_POSFIGHT.SMFLK.

The biggest change in this update is its ability to distribute copies of itself. By using WMI, this malware is able to enumerate logical drives and drop copies of itself together with an autorun.inf.

Figure 6. Autorun.inf automatically executes InstallExplorer.exe when the logical drive is accessed.

TSPY_POSFIGHT.F

As previously established, FighterPOS is derived from the vnLoader botnet client. It utilizes code from the RAM scraping functionality found in NewPOSThings, and it creates a new file called ActiveComponent.exe upon execution. This method of reusing components was done again in the TSPY_POSFIGHT.F file set, but with a twist:

- One set uses Searcher.dll (sha1: 41bce7075969591c1667e7ba7ec8717e0def87d1), seen in RDASRV.
- A more recent set uses the previously seen RAM scraping functionality of NewPOSThings, dropped with the file name (sha1 fragment: 87500c30b).

We speculate that the development of TSPY_POSFIGHT.F was progressive and seemingly trial-and-error. The table below should give us a better understanding of the similarities and differences within this file set.

Figure 7. Comparison of the TSPY_POSFIGHT.F file set

The pop-up message boxes, as well as the explicit file name references, are an effective way to work around possible sandbox execution, as the message boxes need end-user interactivity and most sandboxes would not preserve the original file name. Furthermore, the sample sets of TSPY_POSFIGHT.F were designed to be upgrades of themselves.

Figure 8. Progression of TSPY_POSFIGHT.F:
  1. TSPY_POSFIGHT.F: svcparser.exe (with searcher.dll)
  2. TSPY_POSFIGHT.F: Searcher.exe / Iexplorer.exe (with rsevices.exe)
  3. TSPY_POSFIGHT.F: Searcher.exe / Iexplorer.exe (with rsevices.exe); terminates and deletes the following if found in specific services.exe

While TSPY_POSFIGHT.F is not derived from the vnLoader botnet client, the approach (or style) used here was similar, namely:

a) The main binary could be changed, but the scraper component was reused. The main FighterPOS reused the scraper from NewPOSThings, while TSPY_POSFIGHT.F reused components from RDASRV (sha1: 41bce7075969591c1667e7ba7ec8717e0def87d1) and the scraper component from FighterPOS (sha1: a106bba216f71f468ae728c3f9e1db587500c30b).
b) To utilize the output of the scraper component, the main binary had to redirect the output. FighterPOS redirected the scraper output to a file called "traces.txt", and TSPY_POSFIGHT.F redirected the output to itself by piping the output of the child process (PoS module).
c) Both FighterPOS and TSPY_POSFIGHT.F were seen mostly within Brazil, and some within the United States.

Since TSPY_POSFIGHT.F was not derived from vnLoader, its command-and-control (C&C) server communication is different. Unlike the previously discussed variant, TSPY_POSFIGHT.F does not accept backdoor commands, nor does it obtain any other information about the infected computer. It only connects to the server to send the possible credit card logs that the scraper has gathered. The main executable monitors the file {computername}-{username}-DPS.log in the 'bak' folder, then sends its contents every hour via HTTP POST with the following arguments:

  User – combination of computername and username, separated by a dash (-)
  Info – all the contents of the log file

Figure 9. HTTP POST communication with the User and Info sections

Unlike BrFighter and Floki Intruder, TSPY_POSFIGHT.F protects its data by encrypting the log files. It does a byte-per-byte XOR against a Microsoft Office serial key, 'VBWYT-BBWKVP86YX-G642C-3C3D3'. The data to be sent via HTTP POST needs to encode the encrypted string to eliminate special and reserved characters.
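As an added example (not the report's or the malware's code), a Python decoder an analyst can run over a captured POST body to recover the log: the XOR key is the one quoted above, exactly as transcribed; the use of percent-encoding for the Info field and the sample log content are assumptions.

```python
from urllib.parse import parse_qs, urlencode

# XOR key exactly as transcribed in the report (a Microsoft Office serial key).
XOR_KEY = b"VBWYT-BBWKVP86YX-G642C-3C3D3"

def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Byte-per-byte XOR against the repeating key. XOR is its own inverse,
    so the same call both scrambles a log and recovers it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def build_post_body(computername: str, username: str, log_bytes: bytes) -> str:
    """Model of the POST body: User = computername-username (dash separated),
    Info = the XOR'd log. Percent-encoding is an assumption; the report only
    says special and reserved characters are eliminated before sending."""
    return urlencode({"User": f"{computername}-{username}",
                      "Info": xor_with_key(log_bytes)})

def decode_post_body(body: str):
    """Recover (user, plaintext log) from a captured body. latin-1 maps each
    decoded byte 1:1 to a character, which matters because XOR output is
    generally not valid UTF-8 and would otherwise be mangled."""
    fields = parse_qs(body, keep_blank_values=True, encoding="latin-1")
    user = fields["User"][0]
    info = fields["Info"][0].encode("latin-1")
    return user, xor_with_key(info)

# Constructed sample of what a scraper log might hold (a well-known test PAN,
# not real card data); the real log format is not shown in the report.
SAMPLE_LOG = b"PAN=4111111111111111 EXP=2512 NAME=TEST CARDHOLDER\r\n"

if __name__ == "__main__":
    body = build_post_body("POS01", "cashier", SAMPLE_LOG)
    print(body)
    print(decode_post_body(body))
```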

Figure 10. Encryption of log files and eliminating special and reserved characters.

Distribution

Floki Intruder (WORM_POSFIGHT.SMFLK) has been spotted as early as July 2015, and its distribution slowed down considerably towards the end of 2015. This version of FighterPOS has been spotted in Brazil and, surprisingly, Singapore. TSPY_POSFIGHT.F, on the other hand, has been observed as early as April 2015, mostly within Brazil and the United States. Not surprisingly, the targets of both are spread across small and medium-sized businesses, but we have seen infections in the satellite locations of a larger organization (meaning, not the main branch).

Conclusion

One of the best practices for protecting such terminals is to segregate their traffic and employ strict access controls but, strangely, the distribution and design of the threats discussed above seem to imply that their targets have bare internet access. Furthermore, WORM_POSFIGHT.SMFLK can easily propagate within a networked environment as it abuses the autorun functionality that is enabled by default in some Microsoft Windows operating systems; disabling it may help curb not only this threat but other worm-enabled threats as well. Disabling the autorun functionality can be done directly within Microsoft Windows (https://support.microsoft.com/en-us/kb/967715) or with the use of a Trend Micro product that has Device Access Control, such as OfficeScan (inst-Autorun-malware.aspx). Also, since PoS terminals have an expected set of applications to run, another point to consider is to implement application whitelisting on the terminals.

The modifications done on FighterPOS to include other functionalities also echo what we have seen in other modifications of old botnet code, like what we observed in WORM_KASIDET.

Trend Micro detects all of the indicators of both threats, and is constantly on the lookout for such evolution.
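As an added example covering both the autorun.inf dropped by the worm (Figure 6) and the autorun hardening recommended in the conclusion (not the report's own code): a Python helper that flags an autorun.inf launching an executable from a drive root, and evaluates a NoDriveTypeAutoRun registry value against the per-drive-type bits documented for that policy. The sample autorun.inf is constructed around the InstallExplorer.exe name from the report; its other lines are assumptions.

```python
import configparser

# Constructed autorun.inf modelled on Figure 6 (only the InstallExplorer.exe name
# comes from the report; the remaining lines are made up).
SAMPLE_AUTORUN_INF = """\
[AutoRun]
open=InstallExplorer.exe
icon=InstallExplorer.exe,0
action=Open folder to view files
"""
EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

def autorun_launch_targets(inf_text: str) -> list:
    """Collect every program an autorun.inf would launch: open=, shellexecute=,
    and shell\\<verb>\\command= entries in any [autorun*] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    targets = []
    for section in cp.sections():
        if not section.lower().startswith("autorun"):
            continue
        for key, value in cp.items(section):  # configparser lower-cases keys
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(value.strip())
    return targets

def suspicious_autorun_targets(inf_text: str) -> list:
    """Launch targets whose program is an executable, the worm's InstallExplorer.exe case."""
    out = []
    for t in autorun_launch_targets(inf_text):
        program = t.lower().split()[0] if t.strip() else ""
        if program.endswith(EXEC_SUFFIXES):
            out.append(t)
    return out

# NoDriveTypeAutoRun: bit (1 << DRIVE_type) disables AutoRun for that drive type;
# the Windows DRIVE_* constants give the mapping below. KB967715 recommends 0xFF.
DRIVE_BITS = {"removable": 0x04, "fixed": 0x08, "network": 0x10, "cdrom": 0x20, "ramdisk": 0x40}

def autorun_still_enabled(no_drive_type_autorun: int) -> list:
    """Drive types for which the given registry value does NOT disable AutoRun."""
    return [name for name, bit in DRIVE_BITS.items() if not no_drive_type_autorun & bit]

if __name__ == "__main__":
    print(suspicious_autorun_targets(SAMPLE_AUTORUN_INF))
    print(autorun_still_enabled(0x91), autorun_still_enabled(0xFF))
```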

Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro Smart Protection Network, and are supported by over 1,200 threat experts around the globe. For more information, visit www.trendmicro.com.

© 2016 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

10101 N. De Anza Blvd.
Cupertino, CA 95014
U.S. toll free: 1 800.228.5651
Phone: 1 408.257.1500
Fax: 1 408.257.2003

