Breaking Down FindPOS Malware Activity with RiskIQ PassiveTotal

Labs

Breaking Down FindPOS/POSeidon Malware Activity with RiskIQ PassiveTotal

April 17, 2018

By Curt Wilson, Guest Blogger

Payment processing devices continue to be prime targets for threat actors to compromise payment card data. Often, this can be because POS terminals are located in public areas, such as restaurants and bars, and can be accessed and infected via wireless networks or physical means, such as USB drives inserted into POS terminals. An ongoing POS malware variant has been found in a number of retail organizations, and this research provides some insight into IOCs that have been found in environments that have been infected.

Summary

The POS malware FindPOS, also known as POSeidon, is still present in the wild with researchers still observing new developments. The threat is deployed against dining, hospitality, and kiosk vendors. Tactics, Techniques, and Procedures of threat actors using this malware—attempting to steal both keystrokes and credit card numbers stored in system memory by scanning RAM for credit cards and then encrypting and exfiltrating data to predefined Russian servers— have remained consistent since the malware was first profiled in 2015.

The usual array of security measures applied to POS infrastructure should provide reasonable protection against POSeidon, yet the actors continue operations, which likely means they’re nevertheless finding soft targets. Data within RiskIQ PassiveTotal was used to uncover other suspicious elements that appear to be related to the threat, including a list of malware hashes associated with one particular domain that ultimately revealed a hotbed of FindPOS activity.

Details

POSeidon appears to have evolved from the Backoff POS malware family. It comes in two stages: a loader function and memory scraper with data exfiltration capabilities. A new sample of the FindPOS/POSeidon/Backoff POS malware (MD5: f5d38b1a0b754e8557a4ca9ae7679b79) was uploaded to VirusTotal on 2-26-2018. This malware also implements a keylogger and also steals card data from POS memory.

The malware appears to have been compiled on January 22, 2018, which suggests approximately a month of activity in the wild before discovery. Based on sandboxed traffic analysis, this is version 13.91L of the malware.

The malware initiates HTTP POSTs to the Command & Control point server http://tahedtfitert[.]com/iqleb/viewtopic.php (185.164.34[.]17) with the User-Agent value “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)”. When sandboxed, the malware made four additional attempts to resolve domains that did not resolve. These were:

lingharsandsit[.]com
otnoleftthat[.]ru
ferenrofhers[.]ru
johnbabterre[.]ru

Another instance of the FindPOS malware (MD5: 2de7d7cbee7806364864e756af7efa4f) used the same tahedtfitert[.]com domain between November and late December of 2017.

The IP address 185.164.34[.]17 was also used by another malware sample (MD5: 482bb92eaf158ac956d44ee426232f5d) uploaded to VirusTotal from Ukraine on 1-17-2018 and detected by several anti-malware vendors as the Kuluoz spambot or an associated loader. The domain used by this malware was fastandstrongwolf[.]com (which previously resolved to Russian IP address 91.195.102[.]17 between 2-6-2017 and 12-28-2017 and is associated with at least 37 additional malware hashes).

Additional samples using the same domain recently detected as of 3-1-2018 include MD5: 294e42ce05b5ad2b2ba81ea63f20d469. Other domains used by the same IP address include dornegromant[.]com and moskalbezsala[.]ru. A Larger cluster of activity can be found by pivoting on various elements from these domains and malware samples as needed.

The actors behind FindPOS continue to use some of the TTPs that have been documented by various security researchers to include the following:

https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/ (2015)

https://blogs.cisco.com/security/talos/poseidon (2015)

https://blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/ (2015)

https://www.trustwave.com/Resources/SpiderLabs-Blog/PoSeidon-Completionist/ (2016)

https://www.cyber.nj.gov/threat-profiles/pos-malware-variants/poseidon (2016)

https://vallejo.cc/2017/07/12/analysis-of-poseidon-downloader-and-keylogger/ (2017)

http://archive.is/1NOhG (2017)

Detection

Many anti-malware vendors detect the malware; however, packing may complicate detection. The anti-malware company DrWeb detects many samples from 2017 campaigns as Trojan.FindStr. The Emerging Threats signature “ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC),” or modern equivalent may be useful for detection purposes.

Previously observed malware-centric TTPs/IOC elements that are still present include the following:

User-Agent value (documented above) has remained consistent
The use of viewtopic.php for C2/exfiltration purposes
The use of filenames WinSrv.exe
The deletion of the original sample with a cmd shell command “/c del <filename> >> NUL”
Data exfiltration pattern remains consistent

TTPs not previously documented (observed inside at least one recent sample) include:

The use of the MPRESS packer (designated by the presence of .MPRESS1 and .MPRESS2 inside the binary)
Consistent use of a file description “Advanced SystemCare ReProcess”

Indicators of Compromise and suspicious elements

C2 or Data Exfiltration Servers:

37.230.228[.]41

91.195.102[.]17

91.199.149[.]110

176.9.167[.]53

185.164.34[.]17

185.164.34[.]21

185.17.120[.]175

fastandstrongwolf[.]com

thetriningtan[.]com

nathatrabdint[.]com

Suspicious domain registration email

catagmarc616[@]gmail.com

Malware download sites

http://162.219.29[.]86/guparl.exe

http://garthalla[.]net/teletecupdate.exe

http://206.54.191[.]17/kabiql.exe

http://funtrail[.]com/teletecupdate.exe

File description

Advanced SystemCare ReProcess

Malware hashes

f5d38b1a0b754e8557a4ca9ae7679b79

2de7d7cbee7806364864e756af7efa4f

482bb92eaf158ac956d44ee426232f5d

294e42ce05b5ad2b2ba81ea63f20d469

019bd0094213ab70c72c65c7a90215f7

46736c218dffd46ac07171315cc956a5

d8de5785e9388abb3161484964cfe2bc

c392972abfe187e47bf22d70b7d5ff3a

db345966bd0ae3dfbad899bc5a955b62

0c9dbe456591b8b047058486e179a641

31103996926d5f2f7607f528c1db8dbb

e9717e56f3e59eb2bbf7c6f82b786257

dbfb398cbec3b00be62d80003b66e6bb

50fd395d9ee943796ad85043b5ab7f41

d3a967107316a16a4b9e019613f6bd53

32bcf4961a27f8d7dbc0dadbf9e8c7cb

c1a0582dc71d77ffef8ebe9ff61c3c52

2ccb652dcc7e9f7a034537c6b3496084

40900f4955ae8f354d0021e534be92f9

b91479cfbed23097935c8d6fdf9c1e2e

915d25acba2f981ae1d0672cde0d9b7e

ffcc71faaf174d19c6a7da1353c3275a

5136de3a069166211fa193dd81ace0a5

6fd3b8a06d4bbfaee5fc4cbc82811a31

3885c4a8511e394d0e92ac2242e1b18f

3a7e18932b4321e79fbac15a48c8ff9d

985fb486b65aa188bb6fa95bac50a4ac

All above hashes associated with IP address 91.195.102.17 and resprents activity from Mid – late 2017. This IP address is owned by FastVPS in Prague. Their IP address range is 91.195.102.0/24 and also AS43661.

Possibly related elements found on the same infrastructure

26f273e8e6d4d459415929ad59601ac9 Japanese elements (.NET, may not be FindPOS)
7ae2cdc5aa554dba1a8fe230b5b0823f

Other domains registered with catagmarc616@gmail.com

downorlyref.com

muchmauldun.com

lyhertenhis.com

wilronwarat.com

nyhersninghis.com

withuldsinspar.com

fastandsmartbob.com

lobuthatwith.com

hidownsitbo.com

fornotthehow.com

golfteec.com

lotofthersret.com

himbabresbo.com

toldpardowntan.com

1tradeline.com

toldhapsinspar.com

authorizenet24.com

palittnagu.com

myhertranrin.com

netojusbowit.com

gowronnogot.com

babbowitwas.com

titnotulddown.com

rideerwash.com

sinsathatoft.com

hinotlefthers.com

thejustonetoft.com

usedintgould.com

hisgotinla.com

hersthenjustoft.com

aningthenred.com

hadrylego.com

withtylebet.com

nataranrep.com

nalerowhe.com

keinketone.com

renevengsoet.com

herlingrobdo.com

fastandstrongwolf.com

bignewtankforme.com

hitorsletna.com

suhanbutar.com

herstihenone.com

pdccbiz.com

hancetotsa.com

rinmisupher.com

taronwifi.com

hatannaso.com

repterkinmo.com

feenloning.com

dintlachertsu.com

iphone-block.com

hedttalhemut.com

derby-ltd.com

hedthowtorspar.com

jecdinthimlac.com

hadhesusela.com

oneperronter.com

cysupkintold.com

refkeromning.com

lotihecter.com

usethengaher.com

vertoldrighbi.com

icfthai.com

WHOIS data on unresolved domain lingharsandsit.com

Butenin.Stanislava.1988@gmail.com

Domains registered to this email address

myhecksitot[.]com

teathowhep[.]com

wilhedseddin[.]com

littarhapone[.]com

unhesrowrab[.]com

googm[.]org

macapi[.]net

linuxapi[.]net

winnapi[.]com

disithedtse[.]com

hertritbowi[.]com

gebetuseco[.]com

lingharsandsit[.]com

tahedtfitert[.]com

arrepsinrab[.]com

andrejoter[.]com

gedidnundno[.]com

tkazan[.]com

hiros9guild[.]biz

tontrittitof[.]com

otlacharny[.]com

butenrestold[.]com

cilysitma[.]com

derby-au[.]net

torsharucal[.]com

utunsitta[.]com

hentonsinsit[.]com

doteraningge[.]com

undditotal[.]com

kznext[.]com

schilderijenexpoint[.]com

kazantele[.]com

dreamhost4u[.]net

kzgmail[.]com

tanhindinttoft[.]com

fortroledin[.]com

inspartorswa[.]com

dintretrewor[.]com

amz-n[.]net

amz-n[.]org

undsadaso[.]com

calsandhefe[.]com

nogeningthet[.]com

hegheconekin[.]com

roprewonewit[.]com

heccosedrigh[.]com

fast-deliveryservice[.]com

aningtorsfave[.]com

sedhahenthet[.]com

wassremarew[.]com

coin-trade24[.]com

enhinningwith[.]com

toftrowsene[.]com

parhecotevent[.]com

tinrewrebtert[.]com

pathathifi[.]com

sihersronligh[.]com

daheridhar[.]com

warentanling[.]com

leftdomibut[.]com

tottonshowrec[.]com

hectofhad[.]com

terningsand[.]com

roledsup[.]com

waswadint[.]com

onetedidn[.]com

jodidnhowtont[.]com

dintromparsup[.]com

redwassheptal[.]com

hattertatrof[.]com

jushenfoti[.]com

About PassiveTotal

PassiveTotal's ever-expanding data provides new context to adversaries’ infrastructure and now includes deeper monitoring capabilities. Security teams can be alerted in real-time to changes in DNS and domain resolution, WHOIS registration, and the appearance of other new keywords of interest. The latest release also includes a project workflow to quickly organize and group related threat infrastructure components found during investigations. This allows analysts and research teams to be more efficient and agile in their investigations. To try it for yourself, sign up for RiskIQ Community Today.

Featured Posts

External Threat Management

The RiskIQ Intelligence Connector for Microsoft Azure Sentinel Is the Context-Rich Force Multiplier Security Teams Need

Digital initiatives have changed the enterprise attack surface and how organizations appear online, both to users and malicious actors. Meanwhile, the threat landscape has evo...

#TwitterHack: How RiskIQ Data Exposed Hundreds of Domains Belonging to the Attackers

The discussions in the coming days and weeks surrounding yesterday's large-scale compromise of verified Twitter accounts, including those of Joe Biden, Barack Obama, and Bill G...

Partner Deep-Dive: RiskIQ Security Intelligence Services for Splunk

The average organization's digital presence has exploded in size. Even before COVID-19 spread their staff and operations outside the firewall, businesses were rapidly migrating...

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor

RiskIQ Illuminate® Datasheet