Payment processing devices continue to be prime targets for threat actors seeking payment card data. POS terminals are often located in public areas such as restaurants and bars, where they can be reached and infected over wireless networks or by physical means such as a USB drive inserted into the terminal. An ongoing POS malware variant has been found in a number of retail organizations, and this research provides insight into the IOCs found in infected environments.
Summary
The POS malware FindPOS, also known as POSeidon, is still present in the wild, and researchers continue to observe new developments. The threat is deployed against dining, hospitality, and kiosk vendors. The tactics, techniques, and procedures of the actors using this malware have remained consistent since it was first profiled in 2015: capture keystrokes, scrape card numbers from process memory by scanning RAM for card data, then encrypt the stolen data and exfiltrate it to predefined servers in Russia.
The usual array of security measures applied to POS infrastructure should provide reasonable protection against POSeidon, yet the actors continue operating, which likely means they are still finding soft targets. Data in RiskIQ PassiveTotal was used to uncover other suspicious elements that appear related to the threat, including a list of malware hashes associated with one domain that ultimately revealed a hotbed of FindPOS activity.
Details
POSeidon appears to have evolved from the Backoff POS malware family. It comes in two stages: a loader and a memory scraper with data exfiltration capabilities. A new sample of the FindPOS/POSeidon/Backoff POS malware (MD5: f5d38b1a0b754e8557a4ca9ae7679b79) was uploaded to VirusTotal on 2-26-2018. Besides scraping card data from POS process memory, this sample also implements a keylogger.
The sample's PE compile timestamp is January 22, 2018, which suggests roughly a month of activity in the wild before discovery (the timestamp is attacker-controlled and can be forged, so treat this as an estimate). Based on sandboxed traffic analysis, this is version 13.91L of the malware.
The malware sends HTTP POSTs to the command-and-control server http://tahedtfitert[.]com/iqleb/viewtopic.php (185.164.34[.]17) with the User-Agent value “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)”. When sandboxed, the malware also attempted to resolve four further domains, none of which resolved:
lingharsandsit[.]com
otnoleftthat[.]ru
ferenrofhers[.]ru
johnbabterre[.]ru
Another instance of FindPOS (MD5: 2de7d7cbee7806364864e756af7efa4f) used the same tahedtfitert[.]com domain between November and late December 2017.
The IP address 185.164.34[.]17 was also used by another malware sample (MD5: 482bb92eaf158ac956d44ee426232f5d) uploaded to VirusTotal from Ukraine on 1-17-2018 and detected by several anti-malware vendors as the Kuluoz spambot or an associated loader. That sample used the domain fastandstrongwolf[.]com, which previously resolved to the Russian IP address 91.195.102[.]17 between 2-6-2017 and 12-28-2017 and is associated with at least 37 additional malware hashes.
Additional samples using the same domain, detected as recently as 3-1-2018, include MD5: 294e42ce05b5ad2b2ba81ea63f20d469. Other domains hosted on the same IP address include dornegromant[.]com and moskalbezsala[.]ru. A larger cluster of activity can be found by pivoting on elements of these domains and samples as needed.
The actors behind FindPOS continue to use TTPs documented by various security researchers, including the following:
https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/ (2015)
https://blogs.cisco.com/security/talos/poseidon (2015)
https://blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/ (2015)
https://www.trustwave.com/Resources/SpiderLabs-Blog/PoSeidon-Completionist/ (2016)
https://www.cyber.nj.gov/threat-profiles/pos-malware-variants/poseidon (2016)
https://vallejo.cc/2017/07/12/analysis-of-poseidon-downloader-and-keylogger/ (2017)
http://archive.is/1NOhG (2017)
Detection
Many anti-malware vendors detect the malware; however, packing may complicate detection. Dr.Web detects many samples from the 2017 campaigns as Trojan.FindStr. The Emerging Threats signature “ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)”, or its modern equivalent, may be useful for detection.
Previously observed malware-centric TTPs/IOC elements that are still present include the following:
- The User-Agent value documented above has remained consistent (it is also a genuine IE8-on-Windows 7 string, so pair it with the destination path or host rather than alerting on it alone)
- The use of viewtopic.php as the C2/exfiltration path
- The use of the filename WinSrv.exe
- Deletion of the original sample via a cmd shell command of the form “/c del <filename> >> NUL”
- The data exfiltration pattern remains consistent
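As an added example (not code from the original post), the following Python scores proxy records against the network-side indicators above: the User-Agent string, a POST to a viewtopic.php path, and the C2 hosts and unresolved sandbox domains listed elsewhere in this post. The log format is a constructed, tab-separated simplification (client IP, method, URL, User-Agent), the sample lines are constructed, and the weights and alert threshold are the example's own choices; the FastVPS /24 from the hash section is treated as context only.

```python
"""Score proxy records for FindPOS/POSeidon-style beaconing.

Added example, not code from the original post. The log format is a
constructed, tab-separated simplification (client_ip, method, url,
user_agent); adapt parse_record() to your own proxy or EDR export.
"""
import ipaddress
from urllib.parse import urlparse

# User-Agent observed in the sample. It is also a genuine IE8/Windows 7
# string, so it only earns a low weight on its own.
FINDPOS_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; "
              "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
              "Media Center PC 6.0)")

# C2 / exfiltration hosts and unresolved sandbox lookups from this post.
C2_IPS = {"37.230.228.41", "91.195.102.17", "91.199.149.110", "176.9.167.53",
          "185.164.34.17", "185.164.34.21", "185.17.120.175"}
C2_DOMAINS = {"tahedtfitert.com", "fastandstrongwolf.com", "thetriningtan.com",
              "nathatrabdint.com", "lingharsandsit.com", "otnoleftthat.ru",
              "ferenrofhers.ru", "johnbabterre.ru"}
# FastVPS range hosting 91.195.102.17; a hit here is context, not proof.
C2_NEIGHBOURHOOD = ipaddress.ip_network("91.195.102.0/24")

# Weights and threshold are this example's own choices (assumption).
WEIGHTS = {"known C2 host": 3, "POST to viewtopic.php": 2,
           "FindPOS User-Agent": 1, "host in 91.195.102.0/24": 1}
ALERT_THRESHOLD = 3


def score_request(method, url, user_agent):
    """Return (score, reasons) for one request."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in C2_IPS or host in C2_DOMAINS:
        reasons.append("known C2 host")
    else:
        try:
            if ipaddress.ip_address(host) in C2_NEIGHBOURHOOD:
                reasons.append("host in 91.195.102.0/24")
        except ValueError:  # hostname rather than an IP literal
            pass
    if method.upper() == "POST" and parsed.path.endswith("/viewtopic.php"):
        reasons.append("POST to viewtopic.php")
    if user_agent == FINDPOS_UA:
        reasons.append("FindPOS User-Agent")
    return sum(WEIGHTS[r] for r in reasons), reasons


def parse_record(line):
    """Split one constructed log line; return None if malformed."""
    fields = line.rstrip("\n").split("\t")
    return fields if len(fields) == 4 else None


def scan_log(lines):
    """Return alert dicts for records scoring at or above ALERT_THRESHOLD."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        client_ip, method, url, ua = rec
        score, reasons = score_request(method, url, ua)
        if score >= ALERT_THRESHOLD:
            alerts.append({"client_ip": client_ip, "url": url,
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample records: a C2 beacon, a benign browse with the same UA,
# a legitimate forum post, a beacon to a neighbouring host, and a bad line.
SAMPLE_LOG = [
    "10.1.20.15\tPOST\thttp://tahedtfitert.com/iqleb/viewtopic.php\t" + FINDPOS_UA,
    "10.1.20.22\tGET\thttp://www.example.com/index.html\t" + FINDPOS_UA,
    "10.1.20.30\tPOST\thttp://forum.example.org/viewtopic.php\tMozilla/5.0 (X11; Linux x86_64)",
    "10.1.20.15\tPOST\thttp://91.195.102.40/x/viewtopic.php\t" + FINDPOS_UA,
    "garbage line",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["client_ip"], alert["score"], alert["url"], alert["reasons"])
```

On the constructed sample only the first and fourth records cross the threshold; the benign browse with the IE8 string and the genuine forum post stay below it, which is the point of weighting the User-Agent low and requiring a second indicator.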
TTPs not previously documented (observed inside at least one recent sample) include:
- The use of the MPRESS packer (indicated by the .MPRESS1 and .MPRESS2 section names inside the binary)
- Consistent use of the file description “Advanced SystemCare ReProcess” in the PE version information
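As an added example (not the post's own tooling), the following Python performs the static triage implied by the two indicators above plus the compile timestamp discussed under Details: it reads the COFF header of a PE file, extracts the section names and TimeDateStamp, flags the .MPRESS1/.MPRESS2 sections, and scans the raw bytes for the file description string (VS_VERSIONINFO stores string values as UTF-16LE, so no resource-tree walk is needed). The PE buffer it runs on is a constructed, header-only stub built in the script, not the sample; the first-seen date used for the age calculation is the VirusTotal upload date from the Details section.

```python
"""Static triage of a PE for the FindPOS indicators discussed above.

Added example, not the original post's tooling. It parses only the headers
it needs (DOS e_lfanew, COFF header, section table) and scans raw bytes for
the version-info string; the PE it runs on is built in build_stub_pe() and
is a constructed, non-executable stub.
"""
import struct
from datetime import datetime, timezone

FILE_DESCRIPTION = "Advanced SystemCare ReProcess"
MPRESS_SECTIONS = {".MPRESS1", ".MPRESS2"}


def parse_pe_header(data):
    """Return machine type, compile timestamp and section names from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_off = e_lfanew + 4 + 20 + opt_size          # section table follows the optional header
    names = []
    for i in range(nsec):
        raw = data[sec_off + 40 * i: sec_off + 40 * i + 8]   # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return {"machine": machine, "timestamp": ts, "sections": names}


def triage(data, first_seen):
    """Apply the FindPOS static indicators; first_seen is a tz-aware datetime."""
    info = parse_pe_header(data)
    compiled = datetime.fromtimestamp(info["timestamp"], timezone.utc)
    # Version-info strings are UTF-16LE; also check ASCII in case the string
    # was embedded elsewhere. A raw scan avoids parsing the resource directory.
    has_desc = (data.find(FILE_DESCRIPTION.encode("utf-16-le")) != -1
                or data.find(FILE_DESCRIPTION.encode("ascii")) != -1)
    return {
        "sections": info["sections"],
        "mpress_packed": any(n in MPRESS_SECTIONS for n in info["sections"]),
        "has_findpos_description": has_desc,
        "compiled": compiled,   # attacker-controlled field; a hint, not proof
        "days_before_first_seen": (first_seen - compiled).days,
    }


def build_stub_pe(timestamp, section_names, extra=b""):
    """Constructed header-only PE32 stub for demonstration (not executable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), timestamp, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\x00")   # PE32 magic, rest zeroed
    sections = b"".join(n.encode("ascii").ljust(8, b"\x00") + b"\x00" * 32
                        for n in section_names)
    return dos + b"PE\x00\x00" + coff + opt + sections + extra


# Constructed sample mimicking the indicators: MPRESS sections, a compile
# timestamp of 2018-01-22 UTC, and the file description string appended
# where a version resource would carry it.
SAMPLE_PE = build_stub_pe(1516579200, [".MPRESS1", ".MPRESS2", ".rsrc"],
                          extra=FILE_DESCRIPTION.encode("utf-16-le"))
SAMPLE_FIRST_SEEN = datetime(2018, 2, 26, tzinfo=timezone.utc)   # VirusTotal upload date


def demo():
    """Run the triage over the constructed stub."""
    return triage(SAMPLE_PE, SAMPLE_FIRST_SEEN)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To triage a real file, pass `open(path, "rb").read()` to `triage()` together with the date the file was first seen in your environment; the section-name and description checks are what MPRESS-packed FindPOS samples expose without unpacking, while the timestamp delta only tells you how long a sample may have been circulating if the build stamp is genuine.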
Indicators of Compromise and suspicious elements
C2 or Data Exfiltration Servers:
37.230.228[.]41
91.195.102[.]17
91.199.149[.]110
176.9.167[.]53
185.164.34[.]17
185.164.34[.]21
185.17.120[.]175
fastandstrongwolf[.]com
thetriningtan[.]com
nathatrabdint[.]com
Suspicious domain registration email
catagmarc616[@]gmail.com
Malware download sites
http://162.219.29[.]86/guparl.exe
http://garthalla[.]net/teletecupdate.exe
http://206.54.191[.]17/kabiql.exe
http://funtrail[.]com/teletecupdate.exe
File description
Advanced SystemCare ReProcess
Malware hashes
f5d38b1a0b754e8557a4ca9ae7679b79
2de7d7cbee7806364864e756af7efa4f
482bb92eaf158ac956d44ee426232f5d
294e42ce05b5ad2b2ba81ea63f20d469
019bd0094213ab70c72c65c7a90215f7
46736c218dffd46ac07171315cc956a5
d8de5785e9388abb3161484964cfe2bc
c392972abfe187e47bf22d70b7d5ff3a
db345966bd0ae3dfbad899bc5a955b62
0c9dbe456591b8b047058486e179a641
31103996926d5f2f7607f528c1db8dbb
e9717e56f3e59eb2bbf7c6f82b786257
dbfb398cbec3b00be62d80003b66e6bb
50fd395d9ee943796ad85043b5ab7f41
d3a967107316a16a4b9e019613f6bd53
32bcf4961a27f8d7dbc0dadbf9e8c7cb
c1a0582dc71d77ffef8ebe9ff61c3c52
2ccb652dcc7e9f7a034537c6b3496084
40900f4955ae8f354d0021e534be92f9
b91479cfbed23097935c8d6fdf9c1e2e
915d25acba2f981ae1d0672cde0d9b7e
ffcc71faaf174d19c6a7da1353c3275a
5136de3a069166211fa193dd81ace0a5
6fd3b8a06d4bbfaee5fc4cbc82811a31
3885c4a8511e394d0e92ac2242e1b18f
3a7e18932b4321e79fbac15a48c8ff9d
985fb486b65aa188bb6fa95bac50a4ac
All of the above hashes are associated with IP address 91.195.102[.]17 and represent activity from mid to late 2017. The IP address is owned by FastVPS in Prague, whose range is 91.195.102.0/24 (AS43661).
Possibly related elements found on the same infrastructure
26f273e8e6d4d459415929ad59601ac9 (Japanese-language elements; .NET; may not be FindPOS)
7ae2cdc5aa554dba1a8fe230b5b0823f
Other domains registered with catagmarc616[@]gmail.com
downorlyref[.]com
muchmauldun[.]com
lyhertenhis[.]com
wilronwarat[.]com
nyhersninghis[.]com
withuldsinspar[.]com
fastandsmartbob[.]com
lobuthatwith[.]com
hidownsitbo[.]com
fornotthehow[.]com
golfteec[.]com
lotofthersret[.]com
himbabresbo[.]com
toldpardowntan[.]com
1tradeline[.]com
toldhapsinspar[.]com
authorizenet24[.]com
palittnagu[.]com
myhertranrin[.]com
netojusbowit[.]com
gowronnogot[.]com
babbowitwas[.]com
titnotulddown[.]com
rideerwash[.]com
sinsathatoft[.]com
hinotlefthers[.]com
thejustonetoft[.]com
usedintgould[.]com
hisgotinla[.]com
hersthenjustoft[.]com
aningthenred[.]com
hadrylego[.]com
withtylebet[.]com
nataranrep[.]com
nalerowhe[.]com
keinketone[.]com
renevengsoet[.]com
herlingrobdo[.]com
fastandstrongwolf[.]com
bignewtankforme[.]com
hitorsletna[.]com
suhanbutar[.]com
herstihenone[.]com
pdccbiz[.]com
hancetotsa[.]com
rinmisupher[.]com
taronwifi[.]com
hatannaso[.]com
repterkinmo[.]com
feenloning[.]com
dintlachertsu[.]com
iphone-block[.]com
hedttalhemut[.]com
derby-ltd[.]com
hedthowtorspar[.]com
jecdinthimlac[.]com
hadhesusela[.]com
oneperronter[.]com
cysupkintold[.]com
refkeromning[.]com
lotihecter[.]com
usethengaher[.]com
vertoldrighbi[.]com
icfthai[.]com
WHOIS data on the unresolved domain lingharsandsit[.]com shows the registrant email
Butenin.Stanislava.1988[@]gmail.com
Domains registered to this email address
myhecksitot[.]com
teathowhep[.]com
wilhedseddin[.]com
littarhapone[.]com
unhesrowrab[.]com
googm[.]org
macapi[.]net
linuxapi[.]net
winnapi[.]com
disithedtse[.]com
hertritbowi[.]com
gebetuseco[.]com
lingharsandsit[.]com
tahedtfitert[.]com
arrepsinrab[.]com
andrejoter[.]com
gedidnundno[.]com
tkazan[.]com
hiros9guild[.]biz
tontrittitof[.]com
otlacharny[.]com
butenrestold[.]com
cilysitma[.]com
derby-au[.]net
torsharucal[.]com
utunsitta[.]com
hentonsinsit[.]com
doteraningge[.]com
undditotal[.]com
kznext[.]com
schilderijenexpoint[.]com
kazantele[.]com
dreamhost4u[.]net
kzgmail[.]com
tanhindinttoft[.]com
fortroledin[.]com
inspartorswa[.]com
dintretrewor[.]com
amz-n[.]net
amz-n[.]org
undsadaso[.]com
calsandhefe[.]com
nogeningthet[.]com
hegheconekin[.]com
roprewonewit[.]com
heccosedrigh[.]com
fast-deliveryservice[.]com
aningtorsfave[.]com
sedhahenthet[.]com
wassremarew[.]com
coin-trade24[.]com
enhinningwith[.]com
toftrowsene[.]com
parhecotevent[.]com
tinrewrebtert[.]com
pathathifi[.]com
sihersronligh[.]com
daheridhar[.]com
warentanling[.]com
leftdomibut[.]com
tottonshowrec[.]com
hectofhad[.]com
terningsand[.]com
roledsup[.]com
waswadint[.]com
onetedidn[.]com
jodidnhowtont[.]com
dintromparsup[.]com
redwassheptal[.]com
hattertatrof[.]com
jushenfoti[.]com
About PassiveTotal
PassiveTotal's ever-expanding data provides new context on adversaries' infrastructure and now includes deeper monitoring capabilities. Security teams can be alerted in real time to changes in DNS and domain resolution, WHOIS registration, and the appearance of new keywords of interest. The latest release also includes a project workflow to quickly organize and group related threat infrastructure components found during investigations, which lets analysts and research teams work more efficiently. To try it for yourself, sign up for RiskIQ Community today.