Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

5/25/2016
12:00 PM
Melia Kelley
Melia Kelley
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

A Newer Variant Of RawPOS: An In-Depth Look

There's no silver bullet for RawPOS prevention, but you can impede RawPOS's ability to execute successfully by understanding how it works.

If you discovered malware that steals payment card information had been hiding— undetected—on a client’s machine for a year or more, would you be concerned? What if you knew that variants of this malware had been around nearly a decade, yet the standard AV engines still failed to recognize it? What would you do?

I’ve seen a lot of this type of malware lately—RawPOS. This malware not only had a unique ability to evolve and adapt to changing environments over time, but could also be used to pilfer just about any kind of data that can be searched for using a regular expression, including Social Security numbers, telephone numbers, email addresses, and more. I decided to do some reverse-engineering to see exactly how it works, and devise a strategy for combatting it. Here’s what I learned:

RawPOS is a Windows-based malware family that targets payment card data. It’s been around at least since 2008, hitting the retail and hospitality industries especially hard. Although well-known and relatively easy to understand, RawPOS has proven effective in perpetuating long-term, devastating card breaches. The malware will typically “hide” on a machine for a year or more before the data is withdrawn and sold, and some of the largest breaches go undetected for months or even years. That’s a very effective strategy and genuinely scary.

For the many organizations that still rely on signature-based defense and lack a built-in exfiltration detection mechanism for traffic flow analysis, all it takes for attackers to continue evading detection is a simple file name change and a tweak or two in the code.

How Does It Work?

RawPOS combines three pieces of code to evade detection by ordinary means. Infection is basically a three-part process involving 1) a persistence mechanism, 2) a memory scraper, and 3) an encryption routine. Basically, the malware “scrapes” RAM for a regular expression (regex) that will capture Track 1 and Track 2 payment card data, and then places the data into a dump file to await exfiltration. Early iterations simply combined the memory scraper with the persistence mechanism. Over time an encryption function was added to the dump file.

Persistence mechanism: This ensures the data-scraping malware stays active on the system, even after a reboot. Whenever RawPOS runs, it installs the next component as a Windows service that runs continuously in the background. The particular strain we will examine here—discovered on a client’s casino kiosk—is named MSFSVC.exe. (Other iterations include rdasrv.exe and sppt32.exe.)

Once a service is created on a system, it can be named and described however the author chooses. In our example, the service was given the name Microsoft File Manager Services. Here’s the description: “Creates, updates, manages, and removes files for applications such as S/MIME and SSL. If this service is stopped, certificates will not be created. If this service is disabled, any services that explicitly depend on it will fail to start.” While the service itself was not signed by Microsoft, this description reveals how attackers can avoid admin scrutiny and “hide in plain sight” on a given system. At present, only 25 out of 55 AV engines on VirusTotal recognize the hash for the persistence mechanism as a threat.

Memory scraper: Attackers use this to circumvent existing security controls protecting data at rest and in transit. After it became too difficult to “sniff” a network for PCI data or grab a stored data file without detection, attackers turned to finding the desired data in its ephemeral state in memory. Many locations taking credit card data will have Track 1 and/or Track 2 data unencrypted in memory—though very short lived—for processing at some point.

Memory scrapers such as avicap.exe continuously monitor memory and look for certain regular expressions that match cardholder data. When data is found, the program creates a folder called “Memdump” in the current working directory and begins to export the regex hits. Newer versions of the malware place the data into a .dmp file named after the memory process ID that data was found inside. That data will then be moved into an encrypted file and time-stamped, awaiting exfiltration using an encryption routine.

The names of various iterations of this type of memory scraper vary widely. As of this writing, none of the 55 AV engines on VirusTotal recognized avicap.exe as a threat.

Encryption routine: Once card data has been identified, scraped, and aggregated, the malware is ready to execute its next function. In our example, the service called up a program called msiert.exe, a name that closely resembles names for valid Windows processes such as msiexec.exe, a Windows Installer component. Another version we found was called sqlmgmt.exe, a name that cleverly (if falsely) suggested its removal might disrupt a client’s running instance of SQL.

A fascinating characteristic of this executable is that it utilizes Perl2Exe, a program that will allow the conversion of Perl scripts into Windows executables. That’s good news: Perl2Exe executables are very “loud” and easy to spot if run on a system—if investigators know what to look for. Additionally, there is a way to “break” the code and get the original Perl source code itself, right down to the comments (in Russian) and encryption password. The prolific comments suggest that the code base is constantly being repurposed to suit new environments and evade detection.

The code’s not exactly pretty, but it works. As of the writing of this report, only 15 out of 55 of the AV solutions in VirusTotal recognized the hash of the casino sample as malicious.

Prevention, Detection and Mitigation

There’s no silver bullet for RawPOS prevention, but you can impede RawPOS’s ability to execute successfully. Whitelisting approved programs is a possibility, although probably too aggressive for most organizations. Another, less drastic route would be blacklisting Perl2Exe and other administrative tools that attackers use for propagation, such as PsExec. Finally, visibility on endpoints to determine what’s running and identify anomalous processes is critical to prevent the spread of malicious actors as well as find and mitigate more quickly.

Related content:

 

As a member of UnitedLex's Cyber Risk Solutions practice, Melia works with clients on a wide range of incident response and risk assessment engagements. During her career, Melia has worked on a large number of high profile data breaches both domestically and internationally, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MeliaK840
50%
50%
MeliaK840,
User Rank: Author
5/26/2016 | 8:26:51 AM
Re: greetings!!
Thank you!  Glad it was informative for you.
honey143
50%
50%
honey143,
User Rank: Apprentice
5/26/2016 | 2:29:30 AM
greetings!!
Nice post very informative..
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...