Some cybercriminals build massive botnets to use unsuspecting endpoints for spam, distributed denial-of-service (DDoS) attacks, or large-scale click fraud. With the aid of banking Trojans, other cybercriminals create smaller, specialized botnets that focus on stealing bank credentials and credit card information.
Remote access tools, or RATs, are an integral part of the cybercrime toolbox. For example, a recent FireEye investigation into XtremeRAT revealed that it had been propagated by spam campaigns that typically distribute Zeus variants and other banking-focused malware. This tactic may stem in part from the realization that compromising retailers can net millions of credit card numbers in one fell swoop.
Malware designed to compromise point-of-sale (POS) systems is not a new phenomenon. But we have seen a recent surge in malware that specifically targets these systems (e.g. Chewbacca, Dexter, BlackPOS and JackPOS). Moreover, POS malware is being deployed in an increasingly targeted manner. For example, some attacks against retailers have been characterized as “APT style” attacks — a designation traditionally reserved for malware-based espionage sponsored on some level by nation-states.
The extent to which such attacks are targeted, and not opportunistic, is unclear. The attackers could be singling out specific retailers in advance. Or they could be targeting an entire industry, simply capitalizing on opportunities that arise.
In this blog post, we examine one case that clearly illustrates the nature of this problem.
The suspicious email shown in Figure 1, which was sent to several companies, prompted us to take a closer look.
Figure 1: Malicious email with JAR attachment
The content of the email is consistent with traditional spam messages that typically propagate banking Trojans. It does not appear to target the recipients specifically. The attachment is a Java archive file (JAR). When executed, the JAR file attempts to download and run an EXE from a remote location. The JAR does not contain a Java exploit per se; it simply uses java.net.URLConnection class to download the executable (since it is not running inside a sandbox).
The file "CUP retrieval request for 18 Feb 2014.jar" (2fd3c07ac16393723b528ca29a028c00) contains the following:
Size Compressed Name
42 50 cfg/config
104 106 META-INF/MANIFEST.MF
3905 2212 CrossPlatformInstaller.class
The “config” file contains the location of the EXE to be downloaded:
The file “acrord.exe” connects to rglink77[.]no-ip[.]biz / 22.214.171.124.
The payload in this case is the Netwire RAT. Netwire emerged in 2012. It can be used to build malware for multiple operating systems, including Windows, MacOS, and Linux. The RAT is marketed on a variety of underground forums, selling for $40–$140.
This sample was configured with the tag “UNIPAY”, so that the attackers know which hosts were compromised during this campaign.
While looking at the server hosting the file, which appears to be a compromised — but otherwise legitimate — website, we found an additional Netwire sample:
|8b0cd4952da32523524b1d30822ef0a8 8b0cd4952da32523524b1d30822ef0a8||adobe.exe adobe.exe||c0der.zapto.org c0der.zapto.org||126.96.36.199 188.8.131.52|
We also discovered a simple tool that is used to extract email addresses. We found the output of this tool, which consisted of a list of 8,507 email addresses. It also contains the email that was used by the “sender” and its recipient (although we have seen other recipients that are not on this list).
The list contains 1,351 domains that primarily appear to be banks, financial services companies (money transfer / exchange, investment), and businesses (such as shipping, engineering, IT) in the Middle East and Asia. In other words, these attackers are interested in a wide variety of targets.
A website statistics package on the server reveals that “acrord.exe” had been downloaded 802 times. This indicates that up to 9.4% of the targets may have opened the malicious attachment — and thus may have been compromised.
In addition to the Netwire RAT, the attackers are also using the DarkComet RAT. DarkComet has been available for free since 2008. It is popular on a variety of underground forums and used by a wide range of actors for many purposes. (After reports indicated that DarkComet was used in connection with the conflict in Syria, the creator of DarkComet, DarkCoderSC, created a removal tool and ultimately quit developing the RAT).
In this case, the attackers used an older version of DarkComet (4.0) and specified the ID of “Email”, which probably indicates the attack vector for this campaign.
|ae6b419f4eb619d4be45dbfe6660a670 ae6b419f4eb619d4be45dbfe6660a670||oni.exe oni.exe||privatecode.zapto.org privatecode.zapto.org||184.108.40.206 220.127.116.11|
|12d8469512b581b60d7d5cce0733904d 12d8469512b581b60d7d5cce0733904d||dcr.exe dcr.exe||privatecode.zapto.org privatecode.zapto.org||18.104.22.168 22.214.171.124|
We also found that the attackers were using JackPOS, a malware tool that has been previously used in successful attacks. JackPOS can dump memory and look for Track 1 and Track 2 credit card data using regular expressions. This data is then uploaded to a command-and-control (CnC) server.
|e7f1ba73cca6d99819d27216d09ecbbb e7f1ba73cca6d99819d27216d09ecbbb||spp.exe spp.exe||akuna.mcdir.ru akuna.mcdir.ru||126.96.36.199 188.8.131.52|
We don’t know how the attackers were deploying JackPOS in this particular case, but we suspect that once targets of interest were identified using either Netwire or DarkComet, the attackers would then deploy JackPOS to steal credit card information.
The attackers in this case are also using a Carberp-based Trojan that has VNC capabilities that we call “handsnake.” This Trojan is described in more detail in a Polish-language white paper.
|aa8268ed9f8b32b708f50b56347075ab aa8268ed9f8b32b708f50b56347075ab||xxx.exe xxx.exe||184.108.40.206 220.127.116.11|
Upon execution, the malware begins communication with the CnC server. The decrypted beacon is:
XP Professional Service Pack 3 (build 2600); English (United
At this point, the attackers can use the remote desktop function of the VNC component to take full control of the compromised system.
In addition to the RATs and POS malware described above, we have also seen the attackers deploy the Zeus banking Trojan. They are using version MMBB 18.104.22.168, which has been previously described here.
|667c4f78fc1aeb45700734accc85e402 667c4f78fc1aeb45700734accc85e402||xbot.exe xbot.exe||22.214.171.124 126.96.36.199|
When executed, the malware connects to the CnC server to download the “config” file, which contains the “webinjects” to be used:
GET /modules/config.bin HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)
The only major difference between this version of Zeus and previous versions is the shift from RC4 encryption to AES encryption.
The world of cybercrime features a broad spectrum of bad actors. On one end, highly focused state-sponsored attackers use custom tools and zero-day exploits. On the other end, “commodity” cybercriminals use widely deployed exploit kits that indiscriminately compromise thousands of systems around the globe.
In the middle are (at least) “fifty shades of grey.” One class of attacker mixes publicly available malware platforms and custom tools. These latter cases suggest that it is not always easy to estimate the size or sophistication of an adversary simply by finding one piece of what may be a far larger puzzle.
Acknowledgement: We thank Thoufique Haq for his support, research, and analysis on these findings.