Payment processing devices continue to be prime targets for threat actors seeking to compromise payment card data. This is often because POS terminals sit in public areas, such as restaurants and bars, where they can be reached and infected over wireless networks or by physical means, such as USB drives inserted into the terminals. An ongoing POS malware variant has been found in a number of retail organizations, and this research provides some insight into the IOCs observed in infected environments.
The POS malware FindPOS, also known as POSeidon, is still present in the wild with researchers still observing new developments. The threat is deployed against dining, hospitality, and kiosk vendors. Tactics, Techniques, and Procedures of threat actors using this malware—attempting to steal both keystrokes and credit card numbers stored in system memory by scanning RAM for credit cards and then encrypting and exfiltrating data to predefined Russian servers— have remained consistent since the malware was first profiled in 2015.
The usual array of security measures applied to POS infrastructure should provide reasonable protection against POSeidon, yet the actors continue operations, which likely means they’re nevertheless finding soft targets. Data within RiskIQ PassiveTotal was used to uncover other suspicious elements that appear to be related to the threat, including a list of malware hashes associated with one particular domain that ultimately revealed a hotbed of FindPOS activity.
POSeidon appears to have evolved from the Backoff POS malware family. It comes in two stages: a loader function and a memory scraper with data exfiltration capabilities. A new sample of the FindPOS/POSeidon/Backoff POS malware (MD5: f5d38b1a0b754e8557a4ca9ae7679b79) was uploaded to VirusTotal on 2-26-2018. This malware also implements a keylogger and steals card data from POS memory.
The malware appears to have been compiled on January 22, 2018, which suggests approximately a month of activity in the wild before discovery. Based on sandboxed traffic analysis, this is version 13.91L of the malware.
The malware initiates HTTP POSTs to the command and control (C2) server http://tahedtfitert[.]com/iqleb/viewtopic.php (185.164.34[.]17) with the User-Agent value “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)”. When sandboxed, the malware made four additional attempts to resolve domains that did not resolve. These were:
Another instance of the FindPOS malware (MD5: 2de7d7cbee7806364864e756af7efa4f) used the same tahedtfitert[.]com domain between November and late December of 2017.
The IP address 185.164.34[.]17 was also used by another malware sample (MD5: 482bb92eaf158ac956d44ee426232f5d) uploaded to VirusTotal from Ukraine on 1-17-2018 and detected by several anti-malware vendors as the Kuluoz spambot or an associated loader. The domain used by this malware was fastandstrongwolf[.]com (which previously resolved to Russian IP address 91.195.102[.]17 between 2-6-2017 and 12-28-2017 and is associated with at least 37 additional malware hashes).
Additional samples using the same domain, recently detected as of 3-1-2018, include MD5: 294e42ce05b5ad2b2ba81ea63f20d469. Other domains used by the same IP address include dornegromant[.]com and moskalbezsala[.]ru. A larger cluster of activity can be found by pivoting on various elements from these domains and malware samples as needed.
The actors behind FindPOS continue to use some of the TTPs that have been documented by various security researchers to include the following:
Many anti-malware vendors detect the malware; however, packing may complicate detection. The anti-malware company DrWeb detects many samples from 2017 campaigns as Trojan.FindStr. The Emerging Threats signature “ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC),” or modern equivalent may be useful for detection purposes.
Previously observed malware-centric TTPs/IOC elements that are still present include the following:
- User-Agent value (documented above) has remained consistent
- The use of viewtopic.php for C2/exfiltration purposes
- The use of the filename WinSrv.exe
- The deletion of the original sample with a cmd shell command “/c del <filename> >> NUL”
- Data exfiltration pattern remains consistent
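The network indicator described earlier (HTTP POST to viewtopic.php with the quoted User-Agent) and the host indicators in the list above can be turned into a simple triage scan over proxy and process-creation telemetry. The script below is an added example, not code from the original post or from RiskIQ; the log layout and the sample lines are constructed for illustration, and the "PROXY"/"PROC" source tags are hypothetical. The User-Agent string is a genuine IE8/Windows 7 string, so on its own it is weak evidence; the scan therefore reports every indicator hit per line and raises the priority only when a C2 path or self-delete command is present or several indicators coincide.

```python
import re

# The User-Agent string the write-up reports for FindPOS beacons.
FINDPOS_USER_AGENT = (
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
)

# Each indicator is a name plus a callable that is truthy when the line matches.
INDICATORS = [
    # Exact UA match. Weak on its own (legitimate IE8 on Windows 7 sends the same
    # string); it becomes meaningful when it co-occurs with the viewtopic.php POST.
    ("findpos_user_agent", lambda line: FINDPOS_USER_AGENT in line),
    # HTTP POST to a viewtopic.php endpoint, the documented C2/exfiltration path.
    ("viewtopic_post", re.compile(r"\bPOST\b.*?/viewtopic\.php", re.I).search),
    # Process image named WinSrv.exe.
    ("winsrv_filename", re.compile(r"[\\/]WinSrv\.exe\b", re.I).search),
    # Self-deletion of the dropped sample via "cmd /c del <file> >> NUL".
    ("self_delete_cmd", re.compile(r"/c\s+del\s+\S+\s*>>\s*NUL\b", re.I).search),
]

# Constructed sample log lines (hypothetical "timestamp host source fields" layout,
# not real telemetry). The domain is the defanged one quoted in the write-up.
SAMPLE_LOG = [
    r'2018-02-26T10:15:02Z POS-07 PROXY POST http://tahedtfitert[.]com/iqleb/viewtopic.php '
    r'ua="' + FINDPOS_USER_AGENT + '"',
    r'2018-02-26T10:15:04Z POS-07 PROXY GET http://updates.example.invalid/catalog.xml '
    r'ua="Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"',
    r'2018-02-26T10:15:05Z POS-07 PROC image=C:\Windows\WinSrv.exe '
    r'cmdline="cmd.exe /c del C:\Users\Public\setup.exe >> NUL"',
    r'2018-02-26T10:16:00Z POS-07 PROC image=C:\Windows\System32\cmd.exe '
    r'cmdline="cmd.exe /c del C:\Temp\old.log"',
]


def scan_lines(lines):
    """Return one alert per line that matches at least one indicator."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        hits = [name for name, check in INDICATORS if check(line)]
        if hits:
            alerts.append({"line": number, "indicators": hits})
    return alerts


def triage(alerts):
    """Mark an alert high when a strong indicator fires or several indicators coincide."""
    strong = {"viewtopic_post", "self_delete_cmd"}
    for alert in alerts:
        hits = set(alert["indicators"])
        alert["priority"] = "high" if len(hits) > 1 or hits & strong else "low"
    return alerts


if __name__ == "__main__":
    for alert in triage(scan_lines(SAMPLE_LOG)):
        print(alert)
```

Running the block reports lines 1 and 3 of the constructed log and leaves the ordinary GET and the plain `del` without `>> NUL` alone; the fourth sample line is there deliberately, because a bare delete command is far too common to alert on.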
TTPs not previously documented (observed inside at least one recent sample) include:
- The use of the MPRESS packer (designated by the presence of .MPRESS1 and .MPRESS2 inside the binary)
- Consistent use of a file description “Advanced SystemCare ReProcess”
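Both new indicators above live in the PE file itself: the MPRESS section names sit in the section table, and the file description sits in the version resource as a UTF-16LE string. The following added example (not code from the original post or from RiskIQ) reads the COFF header and section table directly with `struct`, so it needs no third-party PE library, and checks for both indicators. It also pulls the TimeDateStamp that the compile-date estimate earlier in the post rests on; that stamp is writable by whoever built the binary, so treat it as a hint rather than a fact. The `build_stub_pe` helper constructs a header-only fixture for testing; it is not a real binary, and the timestamp value is chosen to match the reported compile date.

```python
import struct
from datetime import datetime, timezone
from typing import Dict, List

# Section names the write-up attributes to the MPRESS packer.
MPRESS_SECTION_NAMES = {".MPRESS1", ".MPRESS2"}
# FileDescription string the write-up reports; version resources store it as UTF-16LE.
SUSPICIOUS_FILE_DESCRIPTION = "Advanced SystemCare ReProcess"


def parse_pe_headers(data: bytes) -> Dict[str, object]:
    """Read the COFF header and section names of a PE image (headers only)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    _machine, num_sections, timestamp, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff
    )
    table = coff + 20 + opt_size  # section table follows the optional header
    names: List[str] = []
    for i in range(num_sections):
        entry = data[table + i * 40 : table + i * 40 + 8]  # 40-byte entries, 8-byte Name
        if len(entry) < 8:
            raise ValueError("truncated section table")
        names.append(entry.rstrip(b"\x00").decode("ascii", errors="replace"))
    return {"timestamp": timestamp, "sections": names}


def compile_date(data: bytes) -> str:
    """TimeDateStamp as a UTC date; the stamp is set by the builder and can be forged."""
    ts = parse_pe_headers(data)["timestamp"]
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


def mpress_packed(data: bytes) -> bool:
    """True when any MPRESS section name is present in the section table."""
    return bool(MPRESS_SECTION_NAMES & set(parse_pe_headers(data)["sections"]))


def has_suspicious_description(data: bytes) -> bool:
    """Heuristic: look for the UTF-16LE FileDescription anywhere in the image."""
    return SUSPICIOUS_FILE_DESCRIPTION.encode("utf-16-le") in data


def build_stub_pe(section_names, timestamp: int, trailer: bytes = b"") -> bytes:
    """Constructed header-only PE fixture for testing; not a real or malicious binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    # Machine=i386, no symbols, zero-length optional header, EXECUTABLE_IMAGE|32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), timestamp, 0, 0, 0, 0x102)
    table = b"".join(n.encode("ascii").ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return bytes(dos) + b"PE\x00\x00" + coff + table + trailer


if __name__ == "__main__":
    # 1516579200 is 2018-01-22 00:00 UTC, chosen to match the compile date reported above.
    sample = build_stub_pe([".MPRESS1", ".MPRESS2", ".rsrc"], 1516579200,
                           SUSPICIOUS_FILE_DESCRIPTION.encode("utf-16-le"))
    print(parse_pe_headers(sample), compile_date(sample),
          mpress_packed(sample), has_suspicious_description(sample))
```

Packer section names are easy for an operator to rename, so `mpress_packed` is a cheap first-pass filter for a sample queue rather than a verdict; the description-string check has the same limitation, and both are best used to pull samples forward for unpacking and fuller analysis.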
Indicators of Compromise and suspicious elements
C2 or Data Exfiltration Servers:
Suspicious domain registration email
Malware download sites
Advanced SystemCare ReProcess
All of the above hashes are associated with IP address 184.108.40.206 and represent activity from mid to late 2017. This IP address is owned by FastVPS in Prague. The associated IP address range is 220.127.116.11/24 and the autonomous system is AS43661.
Possibly related elements found on the same infrastructure
26f273e8e6d4d459415929ad59601ac9 Japanese elements (.NET, may not be FindPOS)
Other domains registered with firstname.lastname@example.org
WHOIS data on unresolved domain lingharsandsit.com
Domains registered to this email address
PassiveTotal's ever-expanding data provides new context on adversaries’ infrastructure and now includes deeper monitoring capabilities. Security teams can be alerted in real time to changes in DNS and domain resolution, WHOIS registration, and the appearance of other new keywords of interest. The latest release also includes a project workflow to quickly organize and group related threat infrastructure components found during investigations. This allows analysts and research teams to be more efficient and agile in their investigations. To try it for yourself, sign up for RiskIQ Community today.