These devices, are an appealing and lucrative target for cyber criminals because these days, they are as bank robber Willie Sutton famously said, “where the money is.” . POS devices process financial card data at cash desks all around the world and as the slew of recent breaches reveal, they require better security. Cyphort Labs took a look at three different POS malware families to reveal whether they are connected or not, where the connections are and what their unique features are.
After the first major success of POS malware breaching Target Corporation in November 2013 occurred, the number of POS device infections in the wild skyrocketed. BlackPOS malware, which was used in the Target breach, had the biggest impact in terms of the amount of systems breached and money stolen. Next in line is FrameworkPOS, the malware used in the Home Depot breach, discovered in September 2014. Both show a targeted nature. The third malware family of interest, Backoff, appears to have been widely used in a more general attack approach.
Cyphort Labs dissected variants of all three families to create an accurate picture of state-of-the-art POS malware. We are confident that we see fingerprints from three different actors behind the mentioned families, but we can also say with certainty one was inspired by the others.
We will be sharing more of these results in person on our Most Wanted Malware webinar at 9AM PDT, Thursday, September 25.
This blog will share with you “early birds” of our findings, and our insights on how point-of-sales systems are breached and how to better apply security measures in the future.
BlackPOS was used in the data breach of the Target Corporation in December 2013. An estimated 40 million credit and debit cards were exfiltrated from Target’s POS systems.
BlackPOS malware consists of multiple components meant to infect either the POS machine itself or a server on the local network. The POS component is multithreaded and each of the components installs a service on the infected machine to ensure persistence and frequent operation.
IP addresses and server names are hardcoded in the binaries, which suggests the malware is clearly tailored for that specific operation. Also it tells the attacker had perfect understanding of the victim’s network. Both binaries include debug information that points to a cybercrime actor named Rescator.
Both involved components install services on the infected machines to carry out their malicious activity. The operation of BlackPOS can be summed up as follows:
- The POS component constantly searches for the pos.exe process in memory
- It scrapes card data from pos.exe’s memory and appends it to a dump file
- A dedicated thread waits for changes on the dump file and when triggered it pushes it to a Samba share on the local network
- The server component fetches the dump file from the share and transfers it via FTP to a remote server in a time interval of 10 minutes
Figure 1 – BlackPOS appending card data to the dump file
At the beginning of September 2014, Home Depot confirmed a massive data breach of (to date) unknown dimensions. In terms of functionality, the malware found on Home Depot’s network resembles the BlackPOS malware used to hack the Target Corporation.
Compared to BlackPOS the malware that struck Home Depot is simpler and more straight-forward. Execution is more linear, key functionalities are implemented differently. Similarities, including the general way of operation and the memory scraping method, are undeniable, but still, we can say with certainty that the authors are not the same.
Figure 2 – FrameworkPOS’ service disguising as McAfee service
An interesting feature shown by FrameworkPOS is how it disguises as a McAfee Anti-Virus service to hide unsuspiciously on the system. Also notable are hidden messages the author included in the code, in form of links to news articles and cartoons. Content of the messages is clearly anti-American, dealing with America’s role in foreign conflicts in Syria and Ukraine.
Figure 3 – Links to news articles and pictures in memory
An estimate from the US CERT says that in the United States alone more than 1000 businesses are affected by the Backoff malware family. Backoff seems to be the most aggressive strain of POS malware, being less focused on specific victims and acting more like common malware. It uses a runtime packer, hides in the file system, adds multiple ways to guarantee persistence and it does not rely in a local infrastructure on the victim’s network.
Also Backoff added a keylogging module, which neither of the other families provides. It does not install a service on the infected machine, but achieves persistence by creating a remote thread in explorer.exe which will restart Backoff if the malware stops running.
Figure 4 – Command processing by Backoff
As opposed to the other two POS malware families Backoff shows standard bot behavior. It receives commands from a CnC server, protects its executable and can update itself.
According to the US CERT there are now at least five different versions of Backoff in the wild (https://www.us-cert.gov/ncas/alerts/TA14-212A):
THE CURRENT POS MALWARE LANDSCAPE
Clearly, all three families give away very interesting insights. Backoff looks like real world malware, it is packed, it hides it’s executable in %APPDATA%, uses registry keys for persistence, takes commands from a CnC server. This behavior is typical for a common bot, just this time coming with a POS scraping feature.
FramworkPOS and BlackPOS on the other hand, are like off-the-shelf software, tailored specifically for dedicated targets. They are most likely not from the same authors but FrameworkPOS leaves the urgent impression of a copycat attack after former POS malware incidents (i.e., Target). Basic principles and ideas are identical: creating a service, scanning chunks of memory, pushing data to a local SMB server or hiding the data in a fake binary file in system root.
Still, the implementation methods look very different. FrameworkPOS is very linear, no multi-threading is performed and the data exfiltration is controlled by time intervals rather than coordinated by two threads. Also, FrameworkPOS scans multiple processes, while BlackPOS limits itself to the pos.exe process of the infected POS device. Interestingly, all three families show slightly different memory scraping methods.
Criminals will always be where the money is. We go to great lengths to protect cash in the brick and mortar world – The question now is, why we aren’t we doing the same online ? POS malware shows once again that enterprises need to operate a solid baseline security while focusing their security solutions heavily on their most valuable assets. Identification and proper risk assessment of a company’s intellectual property is the first step towards prevention of data breaches. Knowing what to look for is equally important, which is why we took the time to share our analysis. For more a deeper dive on these three malware variants, we again invite you to attend our next webinar at 9AM PDT, Thursday, September 25. I would like to thank Paul Kimayong and rest of the Cyphort Labs team for their help with this analysis.