February 18, 2016
Luis Mendieta

Three Month FrameworkPOS Malware Campaign Nabs ~43,000 Credit Cards from Point of Sale Systems

<p>Threatstream Labs came across an interesting FrameworkPOS sample: although it is two months old, it is digitally signed and its certificate has not been revoked. FrameworkPOS is a malware family that targets POS (Point of Sale) terminals; its main objective is to steal credit card data from them so that the data can be sold on the black market. This blog post is divided into two sections. The first section analyzes the malware's capabilities, e.g. C2 connectivity, encoding mechanisms and overall system activity. The second section provides an analysis of the campaign information gathered throughout the research.</p>
<h2>Section 1: FrameworkPOS capabilities</h2>
<h4>Signed digital certificate information</h4>
<p>During the course of the research it was noticed that a particular sample, <b>9547ce33d8d9df66b528fae27a4467304fbc7003fb29236635d899d374671dee</b>, was digitally signed with a valid (unrevoked) certificate. See figure 0 for details:<br/> <span class="label label-default">Figure 0</span><br/> <img src="https://cdn.filestackcontent.com/Bh5PckUjQW2qhGWklCm6"/></p>
<h4>Network Communication</h4>
<p>When the sample starts, it sends an HTTP request to a hardcoded C2 IP address, <b>45[.]63[.]71[.]150</b>, and this server responds with the victim's public IP address. This public IP is then used to track C2 requests sent via a DNS covert channel at a later stage of the infection. See figure 1 below for the initial request:</p><p><span class="label label-default">Figure 1</span><br/> <img src="https://cdn.filestackcontent.com/vStqAoL7TUGcelm9Rvhd"/></p>
<p>Once the public IP is acquired, the malware proceeds to the next phase, the initial DNS-based C2 check-in. The initial callout can be observed in figure 2 below:</p><p><span class="label label-default">Figure 2</span><br/> <img src="https://cdn.filestackcontent.com/R5Yfj9t4QkyqwR8JI0hK"/></p>
<p>There are three DNS queries visible in figure 2; the most important one is the query that checks the initial compromised-host data in with the C2. The DNS requests to the C2 have the following format, where the trailing hostname is the attacker-controlled C2 domain (here <b>a23-33-37-54-deploy-akamaitechnologies[.]com</b>, discussed in Section 2):</p><pre> [bot-id].[campaign-id].[command].[encoded data].[encoded data].[encoded data].[hostname] 36e517f3.grp10.ping.adm.cdd2e9cde9fee9cdc8.cdd0e8e9c8fce9d2e9fecdc4.c597f097ce87c5d3.ns.a23-33-37-54-deploy-akamaitechnologies.com </pre><p>The encoded data contained in the initial callout is the LAN IP, the public IP and the hostname; see the decoded callout below:</p><pre> 36e517f3.grp10.ping.adm. </pre><p>During the analysis, several callout types were observed:</p><ul><li><b>ping</b>: initial callout. In this DNS request the malware sends the LAN IP, the public IP and the hostname:</li></ul><pre> 36e517f3.grp10.ping.adm.cdd2e9cde9fee9cdc8.cdd0e8e9c8fce9d2e9fecdc4.c597f097ce87c5d3.ns.a23-33-37-54-deploy-akamaitechnologies.com </pre><pre> decoded: 36e517f3.grp10.ping.adm. </pre><ul><li><b>tt1/tt2</b>: these callouts exfiltrate track 1 and track 2 credit card data scraped from memory. The malware first saves the data to a file named [botid].dat. Here are some examples (note that the credit card data here is fake and for educational purposes only).</li></ul><pre> 09ad9ca2.grp10.tt2.dcc8c8d0c8fccdd2fcd0dcdec8c8cdc8.e6dcc8c8d0c8fccdd2fcd0dcdec8c8cdc8e9dcdcdec8ded2feded0d2c8fc.ns.a23-33-37-54-deploy-akamaitechnologies.com </pre><pre> decoded tt2: 09ad9ca2.grp10.tt2.4556571076485515.=4556571076485515.448580286057.ns.a23-33-37-54-deploy-akamaitechnologies.com </pre><pre> 09ad9ca2.grp10.tt1.dcd2fed0d2fefecdc8d2c4c8c8fecdde.e3e29f9a9ff9cbc79fdae3fcc4d2c8c4cdd0feded295e9e9e9e9e9e9feea.e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9e9.e9e9e9e9e9e9e9e9e9e9.ns.a23-33-37-54-deploy-akamaitechnologies.com </pre><pre> decoded tt1: 09ad9ca2.grp10.tt1.4936789994171949.^MelissaJordan^340332388..B67.67497093623419^YasirPollard^97.106268827.ns.a23-33-37-54-deploy-akamaitechnologies.com </pre><ul><li><b>notice</b>: this callout is related to debugger detection. It appears to report when the malware finds itself running under a debugger; the decoded payload in the example below is the debugger's process name, ollydbg.exe:</li></ul><pre> 36e517f3.grp10.notice.c1cbcbdac7c0c2e9f9ccf9.ns.a23-33-37-54-deploy-akamaitechnologies.com </pre><pre> decoded: 36e517f3.grp10.notice.ollydbg.exe.ns.a23-33-37-54-deploy-akamaitechnologies.com </pre>
<h4>System Activity</h4>
<p>The malware has several modes of operation, selected by command-line argument:</p><ul><li>Stop: stops the service the malware has created.</li><li>Start: initializes the malware if it is set up as a service.</li><li>Install: installs the malware and sets it to run as a service with automatic start.</li><li>Uninstall: removes the malware/service from the system.</li><li>Service: sets the malware up as a service without starting it.</li></ul><p>Once the malware is running on the system it creates two files. The first is <code>dspsvc.bid</code>, in which the malware stores the bot ID. 
The bot ID is generated by the code shown in figure 3:</p><p><span class="label label-default">Figure 3</span><br/> <img src="https://cdn.filestackcontent.com/yDeEWOCQomzlj0iUiMN5"/></p><p>After the first file is created, a second file named [bot-id].dat is created. This file stores the encoded data that is later sent to the C2 server as the DNS payload.</p>
<h4>Memory Scraping Mechanisms</h4>
<p>The malware has RAM-scraping capabilities in order to acquire credit card data on behalf of the attacker. It looks for the data by reading the memory of each running process and searching for the field delimiters used in track 1 and track 2 data, "^" (track 1) and "=" (track 2). Once it locates matching data in memory it passes the data to the encoding routine. Figure 4 below shows the section that looks for the "^" delimiter, and figure 5 shows the data being passed to the encoding routine.</p><p><span class="label label-default">Figure 4</span><br/> <img src="https://cdn.filestackcontent.com/xQYPFsQyQduNXhjeT8eC"/></p><p><span class="label label-default">Figure 5</span><br/> <img src="https://cdn.filestackcontent.com/eAcolRIMSheHQz2C67op"/></p>
<h4>Data Encoding Mechanisms</h4>
<p>The data encoding mechanism employed by this malware is rudimentary but effective: like many POS malware families, FrameworkPOS uses a combination of techniques to obfuscate the exfiltrated data. The following steps constitute the encoding process:</p><ul><li>The malware takes the plaintext and loops through an initial hardcoded string, 67 bytes in length, to check whether each character is present in that string.</li><li>If the character is present, it takes the character's index and looks up the character at the same index in a second string, also 67 bytes in length:<br/> <img src="https://cdn.filestackcontent.com/9p88kkkQwKfB6ZNAVEsm"/></li><li>It then XORs the substituted character with 0xAA. This is done for every character of the plaintext; see below:<br/> <img src="https://cdn.filestackcontent.com/3033U9JuTveGk5BVQgrn"/></li><li>Note that this routine is used in two places: as shown above, to encode track 1 and track 2 data, and also to encode the initial DNS <code>ping</code> callout.</li></ul><p>Because the substitution is a fixed table and the XOR key is a single constant byte, the scheme is trivially reversible once the two 67-byte strings are recovered from the binary, which is what makes the DNS traffic in Section 2 readable.</p>
<h2>Section 2: Campaign Data Analysis</h2>
<p>Because this malware family uses DNS as a covert communication channel, we were able to leverage passive DNS data to learn more about its scope and some of its victims. 
The data gave us insight into the following:</p><ul><li>Campaign IDs</li><li>Bot IDs</li><li>Track 1 and track 2 credit card data of victims</li><li>Public IPs, private IPs and hostnames of compromised POS-related devices</li></ul>
<h4>Malware sample metadata</h4>
<p>The table below lists useful metadata about the malware samples analyzed during this research.</p><table class="table table-striped"><thead><tr><th>MD5</th><th>Associated Campaign</th><th>Compile date</th><th>First VT submission</th><th>Last VT submission</th></tr></thead><tbody><tr><td>90372a5e387e42c63b37d88845abde0a</td><td>grp03</td><td>Fri Jul 24 08:25:13 2015 UTC</td><td>2015-11-28 02:17:58 UTC</td><td>2015-11-29 05:54:55 UTC</td></tr><tr><td>feac3bef63d95f2e3c0fd6769635c30b</td><td>grp10</td><td>Fri Jul 24 08:25:50 2015 UTC</td><td>2015-11-06 13:11:20 UTC</td><td>2015-11-20 20:18:18 UTC</td></tr><tr><td>591e820591e10500fe939d6bd50e6776</td><td>grp05</td><td>Fri Jul 24 08:25:13 2015 UTC</td><td>2016-01-16 09:20:34 UTC</td><td>2016-01-16 09:20:34 UTC</td></tr></tbody></table><p>Each sample has a unique campaign ID embedded, which allows us to link passive DNS events to the sample that was likely used. Based on the compile times, it appears that the actors prepared all samples for their campaigns at the same time (within seconds of each other).</p>
<h4>C2 Metadata</h4>
<p>During the course of our research the following domain was observed to be related to all three campaigns analyzed: <b>a23-33-37-54-deploy-akamaitechnologies[.]com</b>. This domain was crafted to look very similar to a legitimate Akamai edge host (those carry names such as a23-33-37-54.deploy.akamaitechnologies.com under Akamai's own domain; the actors collapsed that pattern into a single registrable name). Here is the associated whois record:</p><pre>
Creation Date: 2015-07-17T18:02:01Z
Registrar Registration Expiration Date: 2018-07-17
Registrar: Registrar of domain names REG.RU LLC
Registrant Name: Yashiro Takugasa
Registrant Organization: Akamai Technologies, inc.
Tech Email: yashiro1968@yandex[.]ru
Name Server: ns1.reg[.]ru
Name Server: ns2.reg[.]ru
</pre><p>Yashiro Takugasa is the registrant name provided by the actors. No other domains could be tied to this entity or to the registrant email address at this time.</p>
<h4>Campaign Information</h4>
<p>During the analysis of the data, three different campaigns were observed. Some were more active than others, but each campaign provided unique insight into the malware's C2 communications. The table below summarizes the insights gathered for each campaign.</p><table class="table table-striped"><thead><tr><th class="tg-e3zv">Campaign ID</th><th class="tg-e3zv">Track 1 Data Total</th><th class="tg-9hbo">Track 2 Data Total</th><th class="tg-9hbo">Campaign Started</th><th class="tg-9hbo">Campaign Ended</th><th class="tg-9hbo">Total Bot IDs</th><th class="tg-yw4l">Total of Victim IPs</th><th class="tg-yw4l">Terminal Names Associated</th></tr></thead><tbody><tr><td class="tg-031e">grp03</td><td class="tg-031e">0</td><td class="tg-yw4l">0</td><td class="tg-yw4l">2015-10-05</td><td class="tg-yw4l">2015-12-09</td><td class="tg-yw4l">5</td><td class="tg-yw4l">60</td><td class="tg-yw4l">kLnd2t5, ViIGn</td></tr><tr><td class="tg-031e">grp05</td><td class="tg-031e">22,202</td><td class="tg-yw4l">21,525</td><td class="tg-yw4l">2015-08-09</td><td class="tg-yw4l">2016-02-07</td><td class="tg-yw4l">4</td><td class="tg-yw4l">4</td><td class="tg-yw4l">ALOHABOH, ALOHABOH2</td></tr><tr><td class="tg-yw4l">grp10</td><td class="tg-yw4l">13</td><td class="tg-yw4l">12</td><td class="tg-yw4l">2015-11-21</td><td class="tg-yw4l">2016-02-10</td><td class="tg-yw4l">8</td><td class="tg-yw4l">62</td><td class="tg-yw4l">WVINNMICROS, QVWf, DPSSERVER, ViIGn, 0usxSi, BYGard</td></tr></tbody></table><p>The campaign data shows that the most active campaign in terms of track 1 and track 2 exfiltration was <b>grp05</b>; by the dates in the table it was also the longest-running of the three, starting in August 2015 and ending in February 2016, and it did so from only 4 victim IPs. Campaign <b>grp10</b>, the second most active, exfiltrated far less track data but had the most infected hosts (62 victim IPs); its running time of about 2.5 months is short compared to <b>grp05</b>. Campaign <b>grp03</b> had no exfiltration records at all and ran for about two months; the curious aspect of this campaign is its number of infected IPs, 60.</p>
<h4>Victim IP analysis</h4>
<p>In total, 67 unique IPs were related to the infections, distributed between the United States and Russia; see figure 6 below for the geographical distribution:</p><p><span class="label label-default">Figure 6</span><br/> <img src="https://cdn.filestackcontent.com/S7x2FKKoTVWyYqm7VVky"/></p><p>A great number of the hosts belong to hosting companies that provide VPS, colocation and managed server services. The rest of the IP addresses were on business circuits from AT&amp;T and Cox Communications, possibly belonging to SMBs.</p>
<h4>Combined Timeline of Events</h4>
<p>The timeline below shows the activity related to domain registration and malware sample compile dates: <img src="https://cdn.filestackcontent.com/DoPdpWcSQvyAIVlbP5Nw"/></p><p>The second timeline below shows the relationship between the compromised POS terminals and each campaign ID.</p><p><img src="https://cdn.filestackcontent.com/QEcHWaXWSiakusecpsTI"/></p>
<h4>Additional Information</h4>
<p>Searching historical whois data revealed several domains with a naming convention similar to the one analyzed in this research; however, no suspicious information was found for them. The domains are as follows:</p><ul><li>a203-111-15-229-deploy-akamaitechnologies[.]com</li><li>a23-60-69-126-deploy-akamaitechnologies[.]com</li><li>a193-45-3-47-deploy-akamaitechnologies[.]com</li></ul>
<h4>Conclusion</h4>
<p>FrameworkPOS is a very particular POS (Point of Sale) malware family. Its modus operandi and capabilities, although primitive in nature, appear to be very effective. Its use of DNS as a covert channel allowed us to discover details about three campaigns and several victims that might have been difficult to determine otherwise. This research is ongoing and we will provide details as they emerge.</p>
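<p>As an added example (not code from the original post and not the malware's own code), the following Python script applies the DNS callout format and the encoding routine described in Section 1 to passive DNS records, the kind of data Section 2 was built from. It reverses the scheme (undo the XOR with 0xAA, then undo the substitution) using a partial inverse table rebuilt from the tt2 and notice samples quoted above, the pairs on this page where the encoded and decoded strings line up byte for byte; the full 67-byte tables are not on this page, so any other byte decodes to "?" rather than being guessed. The log-line layout, the timestamps and the resolver-client address are assumptions made for the example; the query names are the ones quoted in the post.</p>

```python
"""Passive-DNS triage for FrameworkPOS callouts (added example, not the post's code).

Query format from the post:
    [bot-id].[campaign-id].[command].[hex label]...ns.<c2 domain>
Encoding from the post: substitute via two 67-byte tables, then XOR 0xAA.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

C2_DOMAIN = "a23-33-37-54-deploy-akamaitechnologies.com"  # from the post
XOR_KEY = 0xAA
COMMANDS = {"ping", "tt1", "tt2", "notice"}

# Partial inverse substitution: (encoded byte XOR 0xAA) -> plaintext char.
# Rebuilt only from the tt2 and notice pairs on the page; the full 67-byte
# tables live in the binary, so any other byte decodes to '?'.
INV_SUB = {
    "x": "0", "g": "1", "T": "2", "v": "4", "b": "5", "z": "6", "V": "7",
    "t": "8", "L": "=", "C": ".", "k": "o", "a": "l", "p": "y", "m": "d",
    "j": "b", "h": "g", "S": "e", "f": "x",
}

BOT_ID_RE = re.compile(r"^[0-9a-f]{8}$")
HEX_LABEL_RE = re.compile(r"^(?:[0-9a-f]{2})+$")


def decode_label(label: str) -> str:
    """Undo XOR 0xAA, then the substitution; unknown table entries become '?'."""
    return "".join(INV_SUB.get(chr(b ^ XOR_KEY), "?") for b in bytes.fromhex(label))


@dataclass
class Callout:
    bot_id: str
    campaign: str
    command: str
    args: List[str]      # plain (unencoded) labels after the command, e.g. "adm"
    encoded: List[str]   # hex labels as seen on the wire
    decoded: List[str]   # the same labels after decode_label()


def parse_callout(qname: str, c2_domain: str = C2_DOMAIN) -> Optional[Callout]:
    """Return a Callout if qname matches the FrameworkPOS DNS format, else None."""
    name = qname.rstrip(".").lower()
    suffix = ".ns." + c2_domain
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) < 4 or not BOT_ID_RE.match(labels[0]):
        return None
    bot_id, campaign, command, *rest = labels
    if command not in COMMANDS or not rest:
        return None
    enc = [x for x in rest if HEX_LABEL_RE.match(x)]
    args = [x for x in rest if not HEX_LABEL_RE.match(x)]
    return Callout(bot_id, campaign, command, args, enc, [decode_label(x) for x in enc])


def luhn_ok(digits: str) -> bool:
    """Luhn check for a decoded tt2 field: a fully decoded 12..19 digit PAN."""
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def triage(log_lines: List[str]) -> List[Callout]:
    """Pick FrameworkPOS callouts out of 'timestamp client qname' passive-DNS lines."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        callout = parse_callout(parts[2])
        if callout:
            hits.append(callout)
    return hits


# Constructed log lines: the query names are the ones quoted in the post; the
# timestamps, the line layout and the client address are made up for this example.
SAMPLE_LOG = [
    "2015-11-21T03:14:07Z 10.0.0.53 36e517f3.grp10.ping.adm.cdd2e9cde9fee9cdc8.cdd0e8e9c8fce9d2e9fecdc4.c597f097ce87c5d3.ns.a23-33-37-54-deploy-akamaitechnologies.com",
    "2015-11-21T03:14:09Z 10.0.0.53 www.example.com",
    "2015-11-22T11:02:41Z 10.0.0.53 09ad9ca2.grp10.tt2.dcc8c8d0c8fccdd2fcd0dcdec8c8cdc8.e6dcc8c8d0c8fccdd2fcd0dcdec8c8cdc8e9dcdcdec8ded2feded0d2c8fc.ns.a23-33-37-54-deploy-akamaitechnologies.com",
    "2015-11-22T11:05:00Z 10.0.0.53 36e517f3.grp10.notice.c1cbcbdac7c0c2e9f9ccf9.ns.a23-33-37-54-deploy-akamaitechnologies.com",
]

if __name__ == "__main__":
    for c in triage(SAMPLE_LOG):
        flag = " (Luhn-valid PAN)" if c.command == "tt2" and luhn_ok(c.decoded[0]) else ""
        print(f"{c.bot_id} {c.campaign} {c.command} {' '.join(c.args)}: {' | '.join(c.decoded)}{flag}")
```

<p>Run over the constructed lines it prints one row per callout and ignores the benign query. The tt2 PAN field decodes to the same value the post shows and passes the Luhn check, the notice payload decodes to ollydbg.exe, and the first encoded field of the ping decodes with the same partial table to an RFC 1918 address, consistent with the post's description of that field as the LAN IP; the other ping fields contain bytes outside the recovered table and are left as "?" instead of being guessed.</p>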
