Threatstream Labs came across an interesting FrameworkPOS sample: although it is two months old, it is digitally signed and its certificate has not been revoked. FrameworkPOS is a malware family that targets POS (Point of Sale) terminals; its main objective is to steal credit card data from them so that it can be sold on the black market. This blog post is divided into two sections. The first analyzes the malware's capabilities, e.g. C2 connectivity, encoding mechanisms and overall system activity. The second provides an analysis of the campaign information gathered throughout the research.
Section 1: FrameworkPOS capabilities
Signed digital certificate information
During the course of the research it was noticed that a particular sample, 9547ce33d8d9df66b528fae27a4467304fbc7003fb29236635d899d374671dee, was digitally signed with a valid certificate. See figure 0 for details:
When the sample starts, it sends an HTTP request to a hardcoded C2 IP address, 45[.]63[.]71[.]150, and this server responds with the victim's public IP address. This public IP is then used to track C2 requests sent via a DNS covert channel at a later stage of the infection. See figure 1 below for the initial request:
Once the public IP is acquired, the malware proceeds to the next phase: the initial DNS-channel-based C2 check-in. The initial callout can be observed in figure 2 below:
Three DNS queries are observed in the picture above; however, the most important one is the one that checks in the initial compromised data with the C2. The DNS requests to the C2 have the following format:
Format: [bot-id].[campaign-id].[command].[encoded data].[encoded data].[encoded data].[hostname]
Example: 36e517f3.grp10.ping.adm.cdd2e9cde9fee9cdc8.cdd0e8e9c8fce9d2e9fecdc4.c597f097ce87c5d3.ns.a23-33-37-54-deploy-akamaitechnologies.com
(Note the literal label adm that sits between the command and the encoded fields in the observed query.)
The encoded data contained in the initial callout is the LAN IP, the public IP and the hostname; see the decoded callout below:
During the analysis, several callout types were observed:
- ping: initial callout. In this DNS request the malware sends the following information: LAN IP, public IP and hostname.
- tt1/tt2: these callouts exfiltrate track 1 and track 2 credit card data obtained from memory. The malware saves the data in a file with the naming convention [botid].dat. Here are some examples (note that the credit card data here is fake and for educational purposes only):
decoded tt2: 09ad9ca2.grp10.tt2.4556571076485515.=4556571076485515.448580286057.ns.a23-33-37-54-deploy-akamaitechnologies.com
decoded tt1: 09ad9ca2.grp10.tt1.4936789994171949.^MelissaJordan^340332388..B67.67497093623419^YasirPollard^97.106268827.ns.a23-33-37-54-deploy-akamaitechnologies.com
- notice: this callout relates to debugger checks. It appears to report whether the malware is running inside a debugger.
The malware has several modes of operation:
- Stop: stops the service the malware has created.
- Start: initializes the malware if it is set up as a service.
- Install: installs the malware and sets it to run as a service with automatic execution.
- Uninstall: removes the malware/service from the system.
- Service: sets the malware to execute as a service without starting it.
Once the malware is running on the system, it creates two files. The first file is called dspsvc.bid; in this file the malware stores the bot id. The bot id is generated by the piece of code shown in figure 3:
After the first file is created, a second file with the naming convention [bot-id].dat is created. This file serves as storage for the encoded data, which is then sent to the C2 server as payload.
Memory Scraping Mechanisms
This piece of malware has RAM scraping capabilities in order to acquire credit card data on behalf of the attacker. It looks for the credit card data by reading the memory of each running process and searching for delimiters associated with track 1 and track 2 data, such as "=" or "^". Once it locates the data in memory, it passes the data to the encoding routine. See figure 4 below for the section that looks for the "^" delimiter; figure 5 shows the data being passed to the encoding routine.
Data Encoding Mechanisms
The data encoding mechanisms employed by this malware are very rudimentary, yet they seem to be very effective. Like many of the malware families that target POS (point of sale) systems, FrameworkPOS uses a combination of techniques to obfuscate the data. The following steps constitute the encoding process:
- The malware takes the plaintext and, for each character, loops through an initial hardcoded string 67 bytes in length to see whether the character appears in that string.
- If the character is in that initial string, the malware takes its index and selects the character at the same index in a second string, which is also 67 bytes in length.
- The selected character is then XORed with "AA" (0xAA). This is done for every character in the plaintext; see below:
- It is important to note that this code is used in two different places. The first, as shown above, encodes track 1 and track 2 data; the second encodes the initial DNS callout.
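To make the DNS beacon format and the three-stage encoding concrete for detection and triage work, here is an added Python example (not code from the original post or from the malware). It parses the query name layout shown above, undoes the final 0xAA XOR on hex labels, and demonstrates the full substitution round trip with two constructed 67-byte alphabets, since the sample's real strings are not reproduced on this page; the log-line layout in find_beacons (query name as the last field) is also an assumption.

```python
import re
import string

# Beacon shape from the write-up:
# [bot-id].[campaign-id].[command].<labels...>.ns.a23-33-37-54-deploy-akamaitechnologies.com
C2_SUFFIX = "ns.a23-33-37-54-deploy-akamaitechnologies.com"
XOR_KEY = 0xAA  # final XOR stage of the encoder
HEX_LABEL = re.compile(r"(?:[0-9a-fA-F]{2})+")

# CONSTRUCTED stand-ins for the sample's two 67-byte substitution strings; the real
# alphabets live in the binary and are not reproduced in the write-up.
ALPHA_IN = string.digits + string.ascii_uppercase + string.ascii_lowercase + "=^.:-"
ALPHA_OUT = ALPHA_IN[13:] + ALPHA_IN[:13]  # 67 chars each; any permutation serves the demo

def encode(plain: str) -> str:
    """Encoder as described: index in ALPHA_IN -> same index in ALPHA_OUT -> XOR 0xAA -> hex."""
    out = bytearray()
    for ch in plain:
        idx = ALPHA_IN.find(ch)
        sub = ALPHA_OUT[idx] if idx >= 0 else ch  # assumption: chars outside the table pass through
        out.append(ord(sub) ^ XOR_KEY)
    return out.hex()

def strip_xor(hexlabel: str) -> str:
    """Undo only the XOR stage. The result is still in the substituted alphabet, which is
    as far as the page's real sample can be taken without the binary's two strings."""
    return bytes(b ^ XOR_KEY for b in bytes.fromhex(hexlabel)).decode("latin-1")

def decode(hexlabel: str) -> str:
    """Full inverse: strip the XOR, then map each char back through the two alphabets."""
    return "".join(ALPHA_IN[ALPHA_OUT.index(c)] if c in ALPHA_OUT else c
                   for c in strip_xor(hexlabel))

def parse_beacon(qname: str):
    """Split a query name into bot id, campaign, command and XOR-stripped data labels."""
    qname = qname.rstrip(".")
    if not qname.lower().endswith("." + C2_SUFFIX):
        return None
    labels = qname[: -len(C2_SUFFIX) - 1].split(".")
    if len(labels) < 3 or not re.fullmatch(r"[0-9a-f]{8}", labels[0]):
        return None
    bot_id, campaign, command, *data = labels
    return {"bot_id": bot_id, "campaign": campaign, "command": command,
            "data": [strip_xor(d) if HEX_LABEL.fullmatch(d) else d for d in data]}

def find_beacons(log_lines):
    """Pull beacons out of DNS log lines (assumed: query name is the last field)."""
    hits = [parse_beacon(line.split()[-1]) for line in log_lines if line.strip()]
    return [h for h in hits if h]
```

Run against the ping query quoted above, strip_xor turns the LAN IP label into the substituted string "gxCgCTCgb"; recovering the plaintext from there requires the two alphabets extracted from the sample.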
Section 2: Campaign Data Analysis
Given that this malware family employs DNS as a covert communication mechanism, we were able to leverage passive DNS data to learn more about its scope and some of its victims. The data gave us insight into the following:
- Campaign IDs
- Bot IDs
- Track 1 and track 2 credit card data of victims
- Public IPs, private IPs, and hostnames of compromised POS-related devices
Malware sample metadata
The table below lists useful metadata about the malware samples analyzed during this research.
| MD5 | Associated Campaign | Compile date | First VT submission | Last VT submission |
| --- | --- | --- | --- | --- |
| 90372a5e387e42c63b37d88845abde0a | grp03 | Fri Jul 24 08:25:13 2015 UTC | 2015-11-28 02:17:58 UTC | 2015-11-29 05:54:55 UTC |
| feac3bef63d95f2e3c0fd6769635c30b | grp10 | Fri Jul 24 08:25:50 2015 UTC | 2015-11-06 13:11:20 UTC | 2015-11-20 20:18:18 UTC |
| 591e820591e10500fe939d6bd50e6776 | grp05 | Fri Jul 24 08:25:13 2015 UTC | 2016-01-16 09:20:34 UTC | 2016-01-16 09:20:34 UTC |
Each sample has a unique campaign ID embedded, which allows us to link passive DNS events with the sample that was likely used. Based on compilation times, it appears that the actors involved prepared all samples for their campaigns at around the same time (within seconds of each other).
During the course of our research, the following domain was observed to be related to all 3 campaigns analyzed: a23-33-37-54-deploy-akamaitechnologies[.]com. This domain was specially crafted to look very similar to an Akamai host. Here is the associated whois record:
Creation Date: 2015-07-17T18:02:01Z
Registrar Registration Expiration Date: 2018-07-17
Registrar: Registrar of domain names REG.RU LLC
Registrant Name: Yashiro Takugasa
Registrant Organization: Akamai Technologies, inc.
Tech Email: yashiro1968@yandex[.]ru
Name Server: ns1.reg[.]ru
Name Server: ns2.reg[.]ru
Yashiro Takugasa is the registrant name provided by the actors. No other domains could be tied to this entity or to the provided registrant email address at this time.
During the analysis of the data, 3 different campaigns were observed, some more active than others, but overall each campaign provided a unique insight into the malware's C2 communications. The table below illustrates the insights gathered for the different campaigns.
| Campaign ID | Track 1 Data Total | Track 2 Data Total | Campaign Started | Campaign Ended | Total Bot IDs | Total Victim IPs | Terminal Names Associated |
| --- | --- | --- | --- | --- | --- | --- | --- |
| grp10 | 13 | 12 | 2015-11-21 | 2016-02-10 | 8 | 62 | WVINNMICROS, QVWf, DPSSERVER, ViIGn, 0usxSi, BYGard |
The analysis of the campaign data revealed that the most active campaign in terms of track 1 and track 2 data exfiltration was grp05; it was also the second longest, starting in August 2015 and ending in February 2016. Campaign grp10, the second most active, exfiltrated less track 1 and track 2 data; however, it had the most infected hosts. Its running timeframe was 2.5 months, which is very short compared to grp05. Campaign grp03 had 0 exfiltration records and ran for 2 months; the curious aspect of this campaign was the number of infected IPs, which is almost 60.
Victim IP analysis
The total number of unique IPs related to the infection was 67, distributed between the United States and Russia; see figure 6 below for the geographical distribution:
A great number of the hosts are related to hosting companies dedicated to providing VPS, colocation and managed server services. The rest of the IP addresses were related to business circuits through AT&T and Cox Communications, possibly belonging to SMBs.
Combined Timeline of Events
The timeline below shows the activity related to domain and malware sample creation dates:
The second timeline below corresponds to the relationship between the POS terminals compromised and each campaign ID.
Searching historical whois data revealed several domains with a naming convention similar to the one analyzed during this research; however, no suspicious information was found. The domains are as follows:
FrameworkPOS is a very particular POS (Point of Sale) malware family. Its modus operandi and capabilities, although primitive in nature, seem to be very effective. Its use of DNS as a covert channel allowed us to discover details about three campaigns and several victims that may have been difficult to determine otherwise. This research is ongoing and we will provide details as they emerge.