On December 19, 2013, Target CEO Gregg Steinhafel confirmed that Target had experienced unauthorized access to payment card data from U.S. Target stores. In that press release, he stated that the unauthorized access took place in U.S. Target stores between Nov. 27 and Dec. 15, 2013.
Since then, other victims of POS malware attacks have surfaced, including Neiman Marcus and Michaels, and the blogs are currently rife with reports of other likely retail breaches, all involving memory scrapers (also known as RAM scrapers) targeting POS software systems.
Multiple articles have been written about the malware that appears to have been involved in the Target breach. The memory scrapers and associated pieces of malware include uploaders, database utilities, psexec, etc.
The Fidelis Network Defense & Forensic (NDF) team and Threat Research Team (TRT) have been working multiple breaches involving Point of Sale (POS) software attacks and other memory scraper breaches since 2012. Recently, members of our Threat Research Team analyzed the publicly released malware believed to be involved in the Target incident, as we have been tracking similar variants for more than a year. Here is what our team found.
These are Not Generic Memory Scrapers
It is important to note that these are not generic memory scrapers. The malware that we’ve been tracking is tailored to target individual Point of Sale (POS) systems. Once executed, the malware enumerates running processes to find a specific process on the victim system known to be used to process credit card transactions. Once it finds this preconfigured process, the malware opens the process and parses its memory space looking for cardholder data. Finally, the malware writes the stolen cardholder data to a file for exfiltration to the threat actors.
In some cases, the payment processing application that a specific variant of this malware is preconfigured to search for is most likely selected by the threat actors after they have infiltrated the victim network, found the POS system, and identified which payment processing software is used in the target network. However, the process the malware searches for may in some cases also be identified and targeted through open source research, since a great deal of open source information is available on some POS software systems, including the APIs they use.
Once the malware locates the appropriate POS process and scrapes the card data, it stores the stolen data in a file on the victim system and tries to mount a share from an internal system to copy the data to it. This compromised victim share is one of several mechanisms used by the attackers to exfiltrate the cardholder data.
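One way to detect the behaviour described above on the endpoint, as an added example that is not Fidelis code and not part of the original post: before the scraper can parse the payment process's memory it must open that process with read access, so a record of which processes open the POS application (Sysmon's ProcessAccess event, ID 10, carries the source image, target image and granted access mask) can be checked against a short allowlist. The process names, paths and allowlist below are hypothetical placeholders, and the log records are constructed.

```python
"""Flag unexpected reads of a payment application's memory.

Added example (not Fidelis code): a small detector over constructed,
Sysmon-style ProcessAccess (Event ID 10) records. Process names, paths
and the allowlist below are hypothetical placeholders.
"""
import re

# Hypothetical POS payment process names; a real deployment would list the
# actual payment application binaries present in its environment.
POS_PROCESSES = {"pos_app.exe", "paymentsvc.exe"}

# Constructed allowlist of sources that legitimately open the POS process.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
}

# Win32 access right required to read another process's memory
# (what ReadProcessMemory needs on the handle).
PROCESS_VM_READ = 0x0010

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn 'Key=Value Key=Value ...' into a dict with lower-cased values."""
    return {k: v.lower() for k, v in FIELD_RE.findall(line)}


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def is_suspicious(ev):
    """True when a non-allowlisted process opens a POS process with VM_READ."""
    if ev.get("EventID") != "10":
        return False
    target = basename(ev.get("TargetImage", ""))
    source = ev.get("SourceImage", "")
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    return (
        target in POS_PROCESSES
        and source not in ALLOWED_SOURCES
        and (granted & PROCESS_VM_READ) != 0
    )


def scan(lines):
    """Return one alert dict per suspicious record."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev):
            alerts.append({
                "source": ev["SourceImage"],
                "target": ev["TargetImage"],
                "access": ev["GrantedAccess"],
            })
    return alerts


# Constructed sample records (not real telemetry). The second record models a
# binary masquerading as svchost.exe from a temp directory reading the POS
# process; the first is a legitimate system process and must not alert.
SAMPLE_LOG = r"""
EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\POS\pos_app.exe GrantedAccess=0x1400
EventID=10 SourceImage=C:\Windows\Temp\svchost.exe TargetImage=C:\POS\pos_app.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\Windows\Temp\svchost.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\Users\admin\tool.exe TargetImage=C:\POS\paymentsvc.exe GrantedAccess=0x0400
EventID=1 Image=C:\Windows\Temp\svchost.exe CommandLine=svchost.exe
""".strip().splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The fourth record opens a POS process with only PROCESS_QUERY_INFORMATION (0x0400), which is common for benign tooling and is deliberately not flagged; the rule keys on the VM_READ bit because that is what memory scraping requires. In practice the allowlist has to be tuned per environment, since legitimate agents (backup, EDR, monitoring) also open the payment process.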
It is important to note that during our research we found multiple copies of a key memory scraper targeting POS systems that were packed using UPX. The threat actors use this technique to bypass network security defenses, since many benign applications are also packed with UPX; to avoid false positives, many network defense systems will not flag UPX-packed files as malicious.
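The point above is that UPX packing should not earn a file a pass. As an added example (not Fidelis code and not from the original post), the following parses a PE file's section table and flags the default section names the UPX packer writes; the `build_minimal_pe` helper constructs tiny, non-runnable test images so the check runs offline. The section-name heuristic itself is the only assumption beyond the PE header layout.

```python
"""Flag UPX-packed PE files by their section table.

Added example (not Fidelis code): a minimal PE section-header parser plus a
builder for constructed test images, so the check runs offline.
"""
import struct

# Section names the UPX packer writes by default.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}

OPTIONAL_HEADER_SIZE = 0xE0  # PE32 optional header size used by the builder


def pe_section_names(data):
    """Return the section names of a PE image, validating the MZ/PE signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # The 20-byte COFF header follows the 4-byte signature:
    # NumberOfSections at +2, SizeOfOptionalHeader at +16.
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 4 + 2)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 4 + 16)
    table = e_lfanew + 4 + 20 + opt_size
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]   # 40-byte entries, 8-byte name
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """True when any section carries a default UPX name."""
    return bool(UPX_SECTION_NAMES & set(pe_section_names(data)))


def build_minimal_pe(section_names):
    """Construct a tiny, non-runnable PE image with the given sections (test data)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH",
                       0x14C,                    # Machine: i386
                       len(section_names),       # NumberOfSections
                       0, 0, 0,                  # timestamp, symbol table, symbol count
                       OPTIONAL_HEADER_SIZE,     # SizeOfOptionalHeader
                       0x0102)                   # Characteristics: executable, 32-bit
    optional = bytes(OPTIONAL_HEADER_SIZE)       # zeroed optional header
    table = b""
    for name in section_names:
        table += name.encode("ascii").ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics (code | execute | read)
        table += struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0, 0, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    for sections in (["UPX0", "UPX1", ".rsrc"], [".text", ".data", ".rsrc"]):
        print(sections, "->", "UPX packed" if looks_upx_packed(build_minimal_pe(sections)) else "not UPX")
```

Section names are a cheap first-pass signal, not proof: packers can be configured to rename sections, so a triage pipeline would pair this with a per-section entropy check and, where possible, unpack the sample before running signatures against it. The useful property for the page's argument is the reverse one: a file matching these names should be inspected, not exempted.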
Words of Wisdom for Today’s Retail Companies
Today’s attackers are persistent. They’re constantly improving their tools and tactics, employing new evasion techniques, and finding new methods to exploit weaknesses in your network infrastructure and, ultimately, your business. It is crucial that retail companies ensure the network defense tools used in their security ecosystems are evolving as rapidly as the threats.
What CSOs of retail companies should take away from the recent headlines is that POS memory scraper attacks are highly targeted; not every attack is the same. They should be investing in network security solutions that continuously update their policies to anticipate the evolution of these advanced threats. It is for this reason that, over the past year and a half, we have reverse engineered multiple variants of these types of malware and continuously updated Fidelis XPS’ policies to identify and alert on both the memory scrapers and the associated tools used to attack POS systems. We do this through the “FSS_Crimeware” policy rules in the policy set delivered to Fidelis XPS sensors.
Retail companies should be equipped with technology capable of detecting these threats regardless of the delivery method employed by the threat actors responsible. For example, Fidelis XPS can detect and alert on executable malware multiple layers deep inside archive files (e.g. ZIP), or even XOR'ed inside a weaponized MS Office document or Adobe PDF file.
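To make concrete what "multiple layers deep" and "XOR'ed" inspection involves, here is an added example (not Fidelis code, and not a description of how Fidelis XPS implements it): a recursive ZIP walker that checks every member for an MZ/PE header either in the clear or under a single-byte XOR. The nested archive it scans is constructed in the block; the depth and size limits are assumptions chosen for the example.

```python
"""Find PE executables nested in archives or hidden under a one-byte XOR.

Added example (not Fidelis code): recursive ZIP walker with a single-byte-XOR
PE header check, exercised on a constructed nested archive.
"""
import io
import zipfile

MAX_DEPTH = 4                 # stop expanding archives nested deeper than this
MAX_MEMBER_SIZE = 50_000_000  # skip members larger than 50 MB (zip-bomb guard)


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def pe_xor_key(blob):
    """Return the XOR key (0 = plain) if blob is an MZ/PE image, else None.

    XOR with one byte is a bijection, so the first byte fixes the only key
    that could turn it into 'M'; the 'Z' and the PE signature at e_lfanew
    then confirm or reject that single candidate, no 256-key brute force.
    """
    if len(blob) < 0x40:
        return None
    key = blob[0] ^ ord("M")
    if blob[1] ^ key != ord("Z"):
        return None
    e_lfanew = int.from_bytes(xor_bytes(blob[0x3C:0x40], key), "little")
    if e_lfanew + 4 > len(blob):
        return None
    if xor_bytes(blob[e_lfanew:e_lfanew + 4], key) != b"PE\0\0":
        return None
    return key


def scan_blob(name, blob, depth=0, findings=None):
    """Recursively inspect blob and any ZIP members; return (path, verdict) pairs."""
    findings = [] if findings is None else findings
    key = pe_xor_key(blob)
    if key is not None:
        findings.append((name, "plain PE" if key == 0 else f"PE under XOR 0x{key:02x}"))
    if zipfile.is_zipfile(io.BytesIO(blob)):
        if depth >= MAX_DEPTH:
            findings.append((name, "archive nested too deep, not expanded"))
            return findings
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_SIZE:
                    continue
                scan_blob(f"{name}/{info.filename}", zf.read(info), depth + 1, findings)
    return findings


def build_minimal_pe():
    """Constructed 128-byte MZ/PE stub (not a runnable program)."""
    img = bytearray(128)
    img[:2] = b"MZ"
    img[0x3C:0x40] = (64).to_bytes(4, "little")   # e_lfanew -> 0x40
    img[64:68] = b"PE\0\0"
    return bytes(img)


def zip_bytes(members):
    """Build an in-memory ZIP from a {filename: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, data in members.items():
            zf.writestr(fname, data)
    return buf.getvalue()


def build_sample_archive():
    """Constructed sample: outer ZIP -> inner ZIP -> PE XORed with 0x5A."""
    hidden = xor_bytes(build_minimal_pe(), 0x5A)
    inner = zip_bytes({"report.dat": hidden, "readme.txt": b"Quarterly figures attached."})
    return zip_bytes({"invoice.zip": inner})


if __name__ == "__main__":
    for path, verdict in scan_blob("sample.zip", build_sample_archive()):
        print(path, "->", verdict)
```

The header check only covers a single-byte key and a header left at offset zero; longer or rolling XOR keys, payloads appended after a decoy, and Office or PDF containers need their own parsers in front of the same test. The depth and size limits matter as much as the detection: an unpacker without them is itself a denial-of-service target.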
As security threats continue to evolve and the stakes continue to rise, the network defense tools used to combat these threats need to keep pace with, or better yet anticipate, how these threats are changing.
Follow-Up #1 Fidelis Threat Advisory #1011
"Intruder File Report – Sneakernet Trojan"
Previous General Dynamics Fidelis Cybersecurity Services (Fidelis) reporting, ref: Fidelis Threat Advisory (FTA) #1011 dated 15 Jan 2014, introduced a malware system comprised of multiple files that provided a means for intruders to discover and retrieve data from disparate computer systems via removable storage devices. The malware system consists of at least two Portable Executable (PE) files, one acting as a headquarters component and one acting as a field unit or agent component. The headquarters component infects drives connected to its host system with the field unit component and retrieves data from the field unit when the infected drive returns to the headquarters host system. The field unit conducts reconnaissance and data collection in accordance with particular commands.
Continuing analysis solidified the headquarters component’s Command and Control (C2) scheme. The malware receives commands from a locally stored encrypted file.
This report describes select malware functionality with some granularity, provides extended detail regarding the headquarters component’s C2 functionality, provides additional means of defensive detection of this malware and describes some interesting aspects of the malware as a whole.
The Fidelis team updated the Fidelis XPS™ advanced threat defense system with additional rules to reflect current analysis findings associated with this malware.