Friday, 7 December 2012

Point-of-Sale and memory scrapers

I got access to a compromised POS recently (thanks Zora).

POS Designer:

POS interface (password protected)

The guys who hacked it first left a lot of traces... gentlemen, I present to you... rome0/Amnesia

For background, rome0 is a French carder; you can read a report about him here: http://trackingcybercrime.blogspot.fr/2012/05/inside-french-cybercriminel.html


The TO TXT.exe file is interesting. Its PDB paths mention iZER0x... hmm, yes, I have already seen this name:
*\AC:\Users\iZER0x\Desktop\supern0va\france\Project1.vbp
*\AC:\Users\iZER0x\Desktop\shitz\PickPockeT\bot\xD\New Folder\Project1.vbp

More strings:
This file is actually a downloader/dropper for rdasrv, but the site looks dead:
vcc-vba.com/a.dll
vcc-vba.com/x.exe

scumware.org has a hash for x.exe.
That was not really hard to find; I had even already posted it on a forum.

After tracking down the sample, no surprise... rdasrv.

vcc-vba advert:

I will not go into the details of how rdasrv works; the Sophos guys already explained it here:
http://nakedsecurity.sophos.com/2011/11/30/targeted-attacks-steal-credit-cards-from-hospitality-and-educational-institutions/


ESET is broken on the compromised system:

"I got access to a teller machine"

"Still Looking URL from RDP website"

"need Hacker with good knowledge into Pos malware/Decrypting Pos"

You can also see mmon.exe; the file is the same as in my previous post about POS malware:
http://www.xylibox.com/2012/03/pos-carding.html

Some logs were saved.


dbgview log (at first I did not understand why DebugView was here):

Task scheduler:
Probably used to run a RAM scraper every x minutes.

mm1.exe is one of the RAM scrapers found; this is the first time I have seen this one.

Algo to detect track2:


Show the track2 in console:



CBTools:

I also found a good RAM scraper named 'mm_bot.exe', probably a custom piece.
When run, it copies itself to %APPDATA%/Google/svchost.exe, adds registry persistence (HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load), runs the copy and melts (deletes) the original file. It then reads process memory looking for track2 data, collects PC info, encodes everything with a lame key and sends it to a server. That 'load' value is the legacy win.ini-style autorun; it is empty on a clean system, so anything in it is worth a look during triage.
(Sadly, the server is dead.)
Everything is hidden, but the info is shown via OutputDebugStringW; at first I did not understand why I found DebugView on the box, but now it is clear to me.
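The track2 detection that these scrapers perform (the 'Algo to detect track2' routine in mm1.exe above and the 'Track2 grab' step of mm_bot.exe) comes down to a pattern match over process memory followed by a few sanity checks. The Python below is an added, defender-side version of that same logic, written for this post; it is not code from the page or from the samples. It scans a buffer such as a process memory dump for Track 2 records, rejects candidates that fail the Luhn check or carry an impossible expiry month, and masks the PAN before reporting. The SAMPLE_MEMORY buffer is constructed for the example and the PAN in it is the well-known Visa test number 4111111111111111, not real card data.

```python
"""Scan a memory buffer for Track 2 magnetic-stripe data (defensive triage tool)."""
import re
import sys
from dataclasses import dataclass
from typing import List

# Track 2 layout: ';' start sentinel, PAN (13-19 digits), '=' field separator,
# expiry YYMM, 3-digit service code, discretionary data, '?' end sentinel.
# The start sentinel is optional: scrapers often find the data already
# stripped of it inside the POS application's memory.
TRACK2_RE = re.compile(
    rb";?(?P<pan>[0-9]{13,19})=(?P<exp>[0-9]{4})(?P<svc>[0-9]{3})(?P<disc>[0-9]{0,40})\??"
)


@dataclass
class Track2:
    pan: str           # full PAN; mask it before logging
    expiry: str        # YYMM as encoded on the stripe
    service_code: str
    offset: int        # position of the match in the scanned buffer


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first 6 and last 4 digits (the most PCI DSS lets you display)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> List[Track2]:
    """Return every plausible Track 2 record found in buf."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode("ascii")
        exp = m.group("exp").decode("ascii")
        if not luhn_ok(pan):                 # decoy or random digits
            continue
        if not 1 <= int(exp[2:]) <= 12:      # expiry month must be 01..12
            continue
        hits.append(Track2(pan, exp, m.group("svc").decode("ascii"), m.start()))
    return hits


# Constructed sample "process memory": one valid test record, one Luhn-invalid
# decoy, one with an impossible expiry month and one digit run with no separator.
# 4111111111111111 is the well-known Visa test number, not a real card.
SAMPLE_MEMORY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\xff" * 8
    + b";4111111111111111=2512101123456789?"      # valid
    + b"\x00\x00POS log 123\x00"
    + b";4111111111111112=2512101123456789?"      # fails Luhn
    + b";4111111111111111=2513101123456789?"      # month 13
    + b"4111111111111111 2512"                    # no field separator
    + b"\x00" * 4
)


def report(buf: bytes) -> List[str]:
    """Human-readable lines with the PAN masked, suitable for an IR log."""
    return [
        f"offset 0x{h.offset:x}: {mask_pan(h.pan)} exp {h.expiry[2:]}/{h.expiry[:2]} svc {h.service_code}"
        for h in scan_buffer(buf)
    ]


if __name__ == "__main__":
    # Pass the path of a memory dump as the first argument; without one the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MEMORY
    for line in report(data):
        print(line)
```

The regex alone is what a scraper (or a YARA hunting rule) matches on; the Luhn and month checks are what keep random digit runs out of the dumps, and masking before printing keeps your own triage notes from becoming another copy of the card data.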


Get username/pc name:

Scan processes:


Track2 grab:

Encode grabbed data:

Send dumps via a POST request to 109.75.176.63/forum/post.php

AV does not seem to know it: 3/45 detections, all generic, according to VirusTotal: https://www.virustotal.com/file/bea36957edeab025bdad5a04daa317f913212103a2bde608529ea18d978e7d45/analysis/1354666164/

RAM scrapers are mainly used to supply carding shops and cost from $100 to $3000 depending on features.
If you are looking for samples: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1756



10 comments:

  1. Very suspicious; how did you get access anyway?
  2. Access to the POS, or to the server used by the malware?
  3. Like the article, good work as usual :)

    --Zora ;)

  4. What do these programs actually do?
    Write data to a magnetic card?
    Or are they installed in real shops like Auchan or Tesco on the checkout machine?
  5. The malware is used to extract T1/T2 data from a Point of Sale machine/terminal, so it's the data that's on the magnetic stripe on the back of your cards. Therefore, it is installed in stores so that they can retrieve the info and use it maliciously.
  6. How does the PoS merchant get infected? Are they on systems connected to the internet? Or is this an inside job type...

    Replies
    1. Most of the time, yeah, they are just connected to the internet via VNC or RDP; hackers can just scan the network and hope for weak passwords.
  7. How is it spreading? POS terminals don't typically browse web pages or email, and it's not economical to scan IP ranges for vulnerable services anymore. I also don't think any malware is brute-forcing SMB anymore to do RPC execution.

    Thanks
  8. I didn't realize people were still scanning entire WAN IP ranges looking for vulnerable services... My only guess is the POS is on a LAN and there are machines with poor security that end up on botnets...