Multiple Threats to the Retail and Financial Industries

This is a security alert for all TruShield clients, the retail industry, the financial services industry, and the community at large. TruShield has learned of increased point-of-sale malware activity and a linked financial threat actor.

Overview

Within the last week, security researchers at several companies have published new details about the ongoing malware barrage against POS systems, banks, and financial institutions. The first discovery concerns the TinyLoader backdoor, which is now tied to multiple POS malware strains. Roughly a year ago it was known only for spreading AbaddonPOS; it has since been linked to TinyPOS as well, and both TinyLoader and AbaddonPOS have been modified. The second finding involves changes to several malware loaders used against financial institutions, with a few noteworthy links between them. The related malware families are Hancitor, Ruckguv, and Vawtrak. Researchers at Proofpoint have indicated that a single threat actor is likely behind the recent alterations.

Delivery and Updates

In each of these cases the best-known delivery method is an email campaign. The subject line varies from one malware family to another, but the emails generally carry Office document attachments with malicious macros. Hancitor and Ruckguv campaigns mainly use a “debt”, “tax”, or “IRS” themed subject; for TinyLoader and AbaddonPOS the subject lines center on the targeted company and a “booking” or “reservation”.

TinyLoader focuses on stealing system information, enumerating processes, and spying on the system through a screenshot mechanism, and it may later deliver a true malware payload. It was also recently determined to be responsible for updating AbaddonPOS. Experts at Trend Micro verified the link between AbaddonPOS and TinyPOS on several grounds: very similar functionality and process monitoring, shared C&C infrastructure, and similar means of spreading in targeted usage.

Hancitor has been altered primarily in the information it gathers and transmits, and through the addition of a DLL execution function. Ruckguv has been modified to add a DLL execution function as well, to apply ROT13 to file names rather than payload URLs, to use a single file name for any payload download, and to use different download functions. Vawtrak is where this campaign and the POS campaign meet: it has been associated with a threat actor, and it can download TinyLoader or turn the compromised machine into a spam relay to further the campaign.

Trends to Monitor

Both of these campaigns should be carefully compared and observed. There are marked similarities that point to the possibility of a single actor being responsible for the vast majority of infections involving the POS malware and loader malware mentioned above. Additionally, each of these families went dormant for several months and then resurfaced with new capabilities within a short time frame. In effect, such an actor could be targeting both sides of a transaction to maximize returns. There is also the possibility that a larger swath of Vawtrak infections will follow the Angler EK alterations earlier this month, since Vawtrak was distributed through Angler EK in the past. Infections seen across multiple industries clearly indicate that proactive steps need to be taken before another round of malicious alterations affects an unprecedented number of businesses, institutions, and consumers.

Indicators of Compromise

SHA-256 Hashes for TinyLoader and AbaddonPOS
SHA-256 Hashes for Hancitor, Ruckguv, and Vawtrak
Related IPs and Sites

Mitigation and Prevention

  • Enable EMV and/or point-to-point encryption solutions on POS terminals.
  • Do not open email that is unexpected or from unknown senders.
  • Use updated antimalware and antivirus products.
  • Compare unknown files with known IOCs.
  • Use application control software with a base deny policy on executables.
  • Isolate infected systems from the network.
  • Monitor systems for registry or file changes.
  • Keep systems patched with the latest updates.
  • Continuously monitor network traffic for C&C activity, including DNS queries.
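As an added example (not part of the TruShield advisory), the following Python script puts two of the items above into practice: it refangs indicators written in the defanged notation the advisory uses (hxxp://, [.] and [dot]), compares the SHA-256 of files in a directory against a known-bad set, and flags DNS, proxy or connection log lines that mention an indicator host. Every indicator value, the sample file and the log lines are constructed placeholders, not the advisory's own IOCs.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed placeholder indicators in the defanged notation the advisory
# uses (hxxp://, [.] and [dot]); they are NOT the advisory's own values.
DEFANGED_NETWORK_IOCS = [
    "hxxp://loader-example[.]invalid/dropped.exe",
    "203.0.113[dot]10:30010",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a string that can be matched."""
    return (indicator.replace("hxxp://", "http://")
                     .replace("[dot]", ".").replace("[.]", "."))

def host_of(indicator: str) -> str:
    """Host (domain or IP) of an indicator, without scheme, port or path."""
    bare = re.sub(r"^https?://", "", refang(indicator))
    return re.split(r"[/:]", bare, maxsplit=1)[0]

def scan_directory(directory: Path, known_bad: set) -> list:
    """Names of files whose SHA-256 is in the known-bad set (IOC comparison)."""
    return sorted(p.name for p in directory.iterdir() if p.is_file()
                  and hashlib.sha256(p.read_bytes()).hexdigest() in known_bad)

def match_network_log(lines: list, iocs: list) -> list:
    """DNS, proxy or connection log lines that mention an indicator host."""
    hosts = {host_of(i) for i in iocs}
    return [ln for ln in lines if any(h in ln for h in hosts)]

# Constructed sample data so the block runs offline: a fake "dropped" file
# (its digest stands in for a real known-bad hash) and four log lines.
SAMPLE_BAD = b"constructed sample payload, not real malware\n"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD).hexdigest()}
SAMPLE_LOG = [
    "2016-05-02T10:01:07 dns query A loader-example.invalid from 10.0.0.5",
    "2016-05-02T10:01:09 proxy GET http://loader-example.invalid/dropped.exe 200",
    "2016-05-02T10:02:00 dns query A updates.example.com from 10.0.0.5",
    "2016-05-02T10:03:41 conn 10.0.0.5 -> 203.0.113.10:30010 tcp",
]

def demo() -> tuple:
    """Run both checks over the constructed data: (file hits, log hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "dropped.exe").write_bytes(SAMPLE_BAD)
        (d / "notes.txt").write_bytes(b"harmless\n")
        return (scan_directory(d, KNOWN_BAD_SHA256),
                match_network_log(SAMPLE_LOG, DEFANGED_NETWORK_IOCS))
```

Point scan_directory at a quarantine folder and match_network_log at exported DNS or proxy logs, with the advisory's real hashes and hosts substituted for the placeholders.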

References

http://blog.trendmicro.com/trendlabs-security-intelligence/how-tinyloader-distributes-and-upgrades-pos-threats/

http://documents.trendmicro.com/assets/tinypos-abaddonpos-ties-to-tinyloader.pdf

https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software

https://securityintelligence.com/news/pos-threats-big-trouble-from-tiny-tag-team/

https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-vawtrak-international-crimeware-as-a-service-tpna.pdf

Copyright © 2016