Three Month FrameworkPOS Malware Campaign Nabs ~43,000 Credit Cards from Point of Sale Systems | Anomali

Three Month FrameworkPOS Malware Campaign Nabs ~43,000 Credit Cards from Point of Sale Systems

Threatstream Labs came across an interesting FrameworkPOS sample that given it is two months old, its digitally signed and its certificate hasn't been revoked. FrameworkPOS is a malware family that targets POS (Point of Sale) terminals and its main objective is to steal credit card data from them in order to be sold in the black market. This blogpost is divided in two sections. The first section aims to analyze the malware's capabilities e.g.: c2 connectivity, encoding mechanisms and overall system activity. The second section will provide an analysis on campaign information that was gathered throughout the research.

Section 1: FrameworkPOS capabilities

Signed digital certificate information

During the course of the research it was noticed that a particular sample 9547ce33d8d9df66b528fae27a4467304fbc7003fb29236635d899d374671dee was digitally signed with a good certificate. See figure 0 for details:
Figure 0

Network Communication

When the sample starts, it sends an HTTP request to a hardcoded C2 IP address 45[.]63[.]71[.]150 and this server responds with the victim's public IP address. This public IP is then used to track C2 requests sent via a DNS covert channel at a later stage of the infection. see below figure 1 for initial request:

Figure 1

Once the public IP is acquired, then the malware proceeds to the next phase which is the initial DNS channel based C2. The initial callout can be observed in figure 2 below:

Figure 2

There are 3 DNS queries observed in the picture above. however the most important one is the one that checks in initial compromised data with the c2. The DNS request for the C2 have the following format:

[bot-id].[campaign-id].[command].[encoded data].[encoded data].[encoded data].[hostname]
 36e517f3.grp10.ping.adm.cdd2e9cde9fee9cdc8.cdd0e8e9c8fce9d2e9fecdc4.c597f097ce87c5d3.ns.a23-33-37-54-deploy-akamaitechnologies.com

The encoded data contained in the initial callout is: LAN_ip, public_ip, and hostname, see the decoded callout below:

36e517f3.grp10.ping.adm.10.1.2.15.169.57.0.213.PETERPC.ns.a23-33-37-54-deploy-akamaitechnologies.com

During the analysis, several callout types were observed:

  • ping: initial callout. In this dns request the malware sends the following information: LAN IP, public IP and hostname:
  36e517f3.grp10.ping.adm.cdd2e9cde9fee9cdc8.cdd0e8e9c8fce9d2e9fecdc4.c597f097ce87c5d3.ns.a23-33-37-54-deploy-akamaitechnologies.com

  decoded: 36e517f3.grp10.ping.adm.10.1.2.15.169.57.0.213.PETERPC.ns.a23-33-37-54-deploy-akamaitechnologies.com
  • tt1/tt2: these callouts exfiltrate track 1 and track 2 credit card data obtained from memory. It saves the data on a file with the following naming convention: [botid].dat.  Here are some examples (note the credit card data is fake here and for educational purposes only).
  09ad9ca2.grp10.tt2.dcc8c8d0c8fccdd2fcd0dcdec8c8cdc8.e6dcc8c8d0c8fccdd2fcd0dcdec8c8cdc8e9dcdcdec8ded2feded0d2c8fc.ns.a23-33-37-54-deploy-akamaitechnologies.com

  decoded tt2: 09ad9ca2.grp10.tt2.4556571076485515.=4556571076485515.448580286057.ns.a23-33-37-54-deploy-akamaitechnologies.com

  09ad9ca2.grp10.tt1.dcd2fed0d2fefecdc8d2c4c8c8fecdde.e3e29f9a9ff9cbc79fdae3fcc4d2c8c4cdd0feded295e9e9e9e9e9e9feea.e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9.e9e9e9e9e9e9e9e9e9e9.ns.a23-33-37-54-deploy-akamaitechnologies.com

  decoded tt1: 09ad9ca2.grp10.tt1.4936789994171949.^MelissaJordan^340332388..B67.67497093623419^YasirPollard^97.106268827.ns.a23-33-37-54-deploy-akamaitechnologies.com

  • notice: this call out has to do with debugging checking. It seems it checks if malware is running inside a debugger
  36e517f3.grp10.notice.c1cbcbdac7c0c2e9f9ccf9.ns.a23-33-37-54-deploy-akamaitechnologies.com
  decoded: 36e517f3.grp10.notice.ollydbg.exe.ns.a23-33-37-54-deploy-akamaitechnologies.com

System Activity

The malware has several modes of operation.

  • Stop: This option stops the service the malware has created
  • Start: It initializes the malware if its set as a service
  • Install: install the malware and sets it to run as a service with automatic execution.
  • Uninstall: remove the malware/service from the system.
  • Service: set malware execution as a service without initiating it.

Once the malware gets running in the system, it creates two files, the first file is called dspsvc.bid, in this file the malware stores the bot id. The bot id gets generated in the following piece of code below in figure 3:

Figure 3

After the first file is created a second file with the naming convention [bot-id].dat is created. This file serves as a storage place for the encoded data which is then sent to the c2 server as payload.

Memory Scrapping Mechanisms

This piece malware has RAM scraping capabilities in order to acquire the credit card data on behalf of the attacker. The way it looks for the credit card data is by querying each running process memory. The malware then looks for delimiters related with track 1 and track 2 data such as "=" or "^". once it locates the data in memory it sends the data to the encoding routine. see figure 4 below for section that looks for the "^" delimiter and figure 5 shows when the data is being passed to the encoding routine

Figure 4

Figure 5

Data Encoding Mechanisms

The data encoding mechanisms employed by this malware are very rudimentary but yet they seem to be very effective. FrameworkPOS is one of the many malware families that target POS (point of sale) the malware uses a combination of techniques to obfuscate the data. the following steps constitute the encoding process

  • Malware grabs plaintext and loops through an initial hardcoded string that is 67 bytes in length in order to see if any of the chars are in that string
  • if character is in that initial string then it grabs its index and searches for that character with that index on the second string which is also 67 bytes in length
  • once found it xors the char with “AA”. It does this for all the characters in the plain text see below:
  • It is important to note that this code is used in two different places. The first place is as its shown above which encodes track 1 and track 2 data. the other place the function is used to encode the initial dns ping callout

Section 2: Campaign Data Analysis

Given that this malware family employs DNS as a covert communication mechanism. We were able to leverage passive DNS data to learn more about its scope and some of the victims. The data gave us insight to the following:

  • Campaign IDs
  • Bot IDs
  • track 1 and track 2 credit card data of victims
  • public IPs, private IPs, and hostnames of compromised POS related devices

Malware sample metadata

The table below illustrates useful metadata about the malware samples analyzed during this research.

MD5Associated CampaignCompile_dateFirst VT submissionLast VT submission
90372a5e387e42c63b37d88845abde0agrp03[Fri Jul 24 08:25:13 2015 UTC]2015-11-28 02:17:58 UTC ( 2 months, 3 weeks ago )2015-11-29 05:54:55 UTC ( 2 months, 2 weeks ago )
feac3bef63d95f2e3c0fd6769635c30bgrp10[Fri Jul 24 08:25:50 2015 UTC]2015-11-06 13:11:20 UTC ( 3 months, 1 week ago )2015-11-20 20:18:18 UTC ( 2 months, 4 weeks ago )
591e820591e10500fe939d6bd50e6776grp05[Fri Jul 24 08:25:13 2015 UTC]2016-01-16 09:20:34 UTC ( 1 month ago )2016-01-16 09:20:34 UTC ( 1 month ago )

Each sample has a unique campaignID embedded and this allows us to link passive DNS events with the sample that was likely used. Base on compilation times, it appears that the actors involved prepared all samples for their campaigns around the same time (within seconds of each other)

C2 Metadata

During the course of our research the following domain was observed to be related with the 3 campaigns analyzed a23-33-37-54-deploy-akamaitechnologies[.]com. This domain was specially crafted to look very similiar an Akamai host. Here is the associated whois record:

Creation Date: 2015-07-17T18:02:01Z
Registrar Registration Expiration Date: 2018-07-17
Registrar: Registrar of domain names REG.RU LLC
Registrant Name: Yashiro Takugasa
Registrant Organization: Akamai Technologies, inc.
Tech Email: yashiro1968@yandex[.]ru
Name Server: ns1.reg[.]ru
Name Server: ns2.reg[.]ru

Yashiro Takugasa is the registrant name provided by the actors. No other domains could be this entity or their provided registrant email address at this time

Campaign Information

During the analysis of the data 3 different campaigns were observed. Ones more active than others but overall each one of the campaigns provided a unique insight into the malware's c2 communications. the table below illustrates the insights gathered for the different campaigns.

Campaign IDTrack 1 Data TotalTrack 2 Data TotalCampaign StartedCampaign EndedTotal Bot IDsTotal of Victim IPsTerminal Names Associated
grp03002015-10-052015-12-09560kLnd2t5, ViIGn
grp0522,20221,5252015-08-092016-02-0744ALOHABOH,ALOHABOH2
grp1013122015-11-212016-02-10862WVINNMICROS, QVWf, DPSSERVER, ViIGn, 0usxSi, BYGard

The analysis of the campaign data revealed that the most active campaign in terms of track 1 and track 2 data exfil was campaign grp05 also it revealed to be the second longest starting in august of 2015 and ending in feb of 2016. On the other hand campaign grp10 being the second active revealed less track 1 and track 2 data exfil. However this campaign had the most infected hosts. It's running timeframe was 2.5 months which is very short compared to campaign grp05. Campaign grp03 for instance had 0 exfil records and its running time was 2 months. The curious aspect of this campaign was the amount of infected IP's which is almost 60.

Victim IP analysis

The total unique IP's related with the infection were 67 distributed between the United States and Russia see below figure 6 for geographical distribution:

Figure 6

A great number of hosts are related with the hosting companies dedicated to provide services of VPS, colocation and managed server services. The rest of the IP addresses were related to business circuits through AT&T and Cox Communications possibly related with SMB's.

Combined Timeline of Events

The timeline below constitutes the activity related with domain and malware sample creation dates:

The second timeline below corresponds to the relationship between POS terminal compromised with each campaign id.

Additional Information

Searching historical whois data revealed several domains that had a similar naming convention as the one analyzed during this research, however no suspicious information was found. The domains are as follow:

  • a203-111-15-229-deploy-akamaitechnologies[.]com
  • a23-60-69-126-deploy-akamaitechnologies[.]com
  • a193-45-3-47-deploy-akamaitechnologies[.]com

Conclusion

FrameworkPOS is a POS (Point of Sale) malware family that is very particular. It's modus operandi and capabilities, although primitive in nature, seem to be very effective. It use of DNS as a covert channel allowed us to discover details about three campaigns and several victims that may have been difficult to determine otherwise. This research is ongoing and will provide details as they emerge.

Subscribe to the Anomali Newsletter

Get the latest Anomali updates and cybersecurity news straight to your inbox each month.

Subscribe Now