Setting Sights On Retail: AbaddonPOS Now Targeting Specific POS Software

May 10, 2016
Matthew Mesa, Darien Huss

Much attention has been focused recently on ransomware and other threats that go after consumers and businesses directly for monetary payouts. Still, point-of-sale (POS) malware continues to be an important source of stolen credit card data and associated revenue for cyber criminals.

The ongoing rollout of chip-and-pin credit cards and tighter standards following the retail megabreaches of 2014 have put further pressure on the POS malware black market. But as we have seen with the AbaddonPOS malware described here, POS malware is not just alive and well—it’s being actively developed.

On May 5, a financially motivated actor whom Proofpoint has been tracking as TA530 (also featured in our previous blog post "Phish Scales" [1]) sent out a highly personalized email campaign targeting primarily retail companies and attempting to install TinyLoader and AbaddonPOS point-of-sale malware. The retail vertical was likely chosen because of the higher likelihood of infecting a POS system. We first observed AbaddonPOS when it was delivered by Vawtrak [2] in October of 2015. We have also found that TinyLoader and AbaddonPOS have since been updated in several ways.


Delivery Details

The messages we observed used subjects such as “Group Booking at [company name]” and personalized attachment names such as:

  • [company name].doc
  • [company name]_booking.doc
  • [company name]_reservation.doc

The example message shown in Figure 1 uses the recipient's name and the company’s name in the email body, and the company's name again in the attachment name. The attachment, shown in Figure 2, uses an interesting lure: it depicts the kind of spinner one would expect to see while content is loading and asks the user to enable content.

Clicking the “Enable Content” button enables the malicious macro, which then begins the infection by downloading TinyLoader, which in turn downloads AbaddonPOS.

Most of the messages we saw were delivered to retail companies (Figure 3).


Figure 1: Example email delivering TinyLoader


Figure 2: Example document delivering TinyLoader


Figure 3: Top targeted verticals by message volume


Payload Analysis

TinyLoader

The variant of TinyLoader used in this campaign is similar to the one we had previously analyzed in connection with AbaddonPOS. One significant change is the addition of a basic 4-byte XOR layer of obfuscation over the shellcode that is received from the command-and-control (C&C) server (Figure 4).


Figure 4: TinyLoader decoding and executing shellcode received from C&C

The XOR key is dynamically generated by the C&C and is different in every session. Once the shellcode is decoded, execution is immediately passed to the decoded shellcode. Although the controllers of TinyLoader could theoretically perform any action through custom shellcode, we are still observing this family of malware being used as a downloader. Figure 5 shows a TinyLoader response containing encoded shellcode to build a fake HTTP request used to download a payload.


Figure 5: Encoded response received from TinyLoader C&C

Once the shellcode is decoded, the strings used to craft an HTTP request can be seen (Figure 6). After this code is loaded, the TinyLoader C&C operator(s) are free to provide a target IP and URI to instruct an infected bot to retrieve a payload.


Figure 6: Decoded TinyLoader shellcode used to build HTTP request

In this campaign, we observed the initial TinyLoader payload retrieve another TinyLoader payload that connected to a different C&C. This new TinyLoader infection then received another instruction to download a different payload (Figures 7 and 8), which was a new variant of AbaddonPOS.


Figure 7: TinyLoader receiving instructions to download AbaddonPOS


Figure 8: TinyLoader HTTP request to download AbaddonPOS


AbaddonPOS

The AbaddonPOS downloaded in this campaign functions much like the original samples we discovered. It does, however, include a few significant changes:

  • Optimized code for checking blacklisted processes (processes that will not be checked for credit card data)
  • Whitelisted process list of potential point-of-sale (POS) related process names (these are the only processes that will be scanned for POS data)
  • The exfiltration XOR key has been changed

AbaddonPOS whitelisted process name checking now uses a single string of partial process names (6 bytes each) concatenated together. Both the common process name blacklist and the POS process name list (see the Process Lists section) are stored in allocated memory at static offsets (Fig. 8): 0x1A8 for the blacklist and 0x5B4 for the POS process list.


Figure 9: AbaddonPOS storing process lists for later use

AbaddonPOS uses the two lists independently of each other: the common process name list has no effect on the POS name list. Both lists are also checked using exactly the same code. However, different results occur depending on whether execution is currently in the main thread or a spawned thread. The authors use a hardcoded 0x0C0C0C0C value (Fig. 10) to implement this tracking capability.


Figure 10: AbaddonPOS saving main thread identifier

Before checking the process name against either of the lists, the running process name will first be converted to lowercase (Fig. 11). Whether the current execution exists inside the main thread or a spawned thread is checked next. If 0x0C0C0C0C is found, then AbaddonPOS knows it is in the main thread and so will prepare to check process names against the common process name blacklist (Fig. 12). If 0x0C0C0C0C is not found, then the POS process name list will be used.


Figure 11: Change uppercase letters to lowercase


Figure 12: Utilizing process list depending on whether execution is in main or spawned thread

Similar to older AbaddonPOS variants, the first 4 bytes of the process name are checked first (Fig. 13, A). If they are equal, the next 2 bytes are checked (Fig. 13, B). If the second check succeeds, the thread context is checked again (Fig. 13, C). If the current execution is in the main thread, the current process is skipped (Fig. 13, D), while in a spawned thread context the process is opened and searched for POS data (Fig. 13, E).

Depending on which context is executing, different behavior occurs when the process name being checked matches nothing in the hardcoded lists. In the main execution context, a process with no match is opened and checked for POS data (Fig. 13, F); in a spawned thread context, a process with no match is not opened or checked (Fig. 13, G).

This peculiar implementation effectively nullifies the POS process name list because the main thread would eventually search for POS data in all processes not matching the common process name blacklist, including all of the POS processes.

This implementation could result from a mistake on the part of the malware author, but it seems more likely that the author is testing various blacklist/whitelist implementations in this sample. Dedicating a thread to only those processes with known POS-related names ensures that those processes are scanned more often than they would be by the main thread alone, which scans all non-system processes. It would also not be surprising to eventually see AbaddonPOS variants that contain only the common process name method or only the POS process name method rather than both.


Figure 13: Process name comparison code
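To make the two-context gating above concrete, the following is an added model of the comparison logic as the write-up describes it (lowercase first, 4-byte then 2-byte compare, thread context deciding both which list is used and what a match means). It is not code from the sample or from Proofpoint; the function names, the way the 0x0C0C0C0C marker is passed in, and the use of ".exe" suffixes when probing the lists are this example's own choices. Both lists are copied from the Process Lists appendix of this post, so the script can check the claim that the POS list adds nothing the main thread does not already cover.

```python
"""Model of the AbaddonPOS process-name gate (added example, not the sample's code)."""

# 6-byte partial names from the post's Process Lists appendix.
COMMON_BLACKLIST = [
    "cmd.ex", "conhos", "dllhos", "excel.", "explor", "lsass.", "mmc.ex",
    "dwm.ex", "csrs.e", "winlog", "clamsc", "regsvr", "mobsyn", "rundll",
    "runonc", "spools", "svchos", "taskho", "winwor", "system", "winini",
    "smss.e", "lsm.ex", "csrss.", "search", "notepa",
]
POS_LIST = [  # "paymen" appears twice in the appendix; listed once here
    "active", "mercur", "ocius4", "rs232m", "sdpdvk", "sihot.", "unilec",
    "focus8", "ehubem", "fdfdo.", "cashbo", "cps.po", "powerp", "saleso",
    "finedi", "pointo", "infigm", "adrm.e", "afr38.", "aldelo", "araavl",
    "aracs.", "bestpo", "bosrv.", "cardau", "cashcl", "checki", "cre200",
    "cross.", "crosss", "cxsret", "ddcdsr", "dovepo", "dsihea", "eagles",
    "electr", "fincha", "invent", "isspos", "issret", "magtek", "nails1",
    "omnipo", "paymen", "pixela", "pos24f", "posini", "prm.cl", "ptserv",
    "qbdbmg", "qbpos.", "qbposs", "retail", "rmposl", "roomke", "rpro8.",
    "rwpos.", "sales3", "soposu", "spaint", "telefl", "transa", "utg2sv",
    "visual", "wickr.", "xcharg",
]

# Hardcoded value the sample uses to recognise its main thread (Fig. 10).
MAIN_THREAD_MARKER = 0x0C0C0C0C


def name_matches(proc_name: str, entries) -> bool:
    """Two-stage compare: first 4 bytes, then the next 2 (Fig. 13, A and B)."""
    name = proc_name.lower().encode("ascii", "replace")  # Fig. 11: lowercase first
    for entry in entries:
        e = entry.encode("ascii")
        if name[:4] == e[:4] and name[4:6] == e[4:6]:
            return True
    return False


def would_scan(proc_name: str, thread_marker: int) -> bool:
    """True if the calling thread would open this process and search it for card data.

    thread_marker is the value the thread holds; equal to MAIN_THREAD_MARKER
    means main thread (Fig. 12). Anything else models a spawned thread.
    """
    if thread_marker == MAIN_THREAD_MARKER:
        # Main thread: blacklist hit -> skip (D); no hit -> scan (F).
        return not name_matches(proc_name, COMMON_BLACKLIST)
    # Spawned thread: POS-list hit -> scan (E); no hit -> skip (G).
    return name_matches(proc_name, POS_LIST)


def pos_list_is_redundant() -> bool:
    """Every POS-list name is scanned by the main thread anyway, so the spawned
    thread's whitelist adds no coverage the main thread lacks."""
    return all(would_scan(n + ".exe", MAIN_THREAD_MARKER) for n in POS_LIST)


if __name__ == "__main__":
    for proc in ("QBPOS.exe", "svchost.exe", "calc.exe"):
        print(f"{proc:12s} main={would_scan(proc, MAIN_THREAD_MARKER)!s:5s} "
              f"spawned={would_scan(proc, 0)!s}")
    print("POS list redundant:", pos_list_is_redundant())
```

Running it shows the asymmetry: a POS process such as QBPOS.exe is scanned by both threads, a blacklisted system process by neither, and an arbitrary unlisted process only by the main thread, which is why the POS list ends up redundant for coverage and only affects how often the named processes are visited.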

Some minor changes were also made to the way stolen credit card data is exfiltrated. First, the C&C IP address is no longer stored as an ASCII string (Fig. 14), which also means the inet_addr API is no longer needed. Second, the hardcoded XOR key was changed to 0x4C5D6E7F (Fig. 15).


Figure 14: Hardcoded C&C IP address and port


Figure 15: New exfiltration XOR key

Although the second XOR key was changed, the overall method of encoding and exfiltrating the data has stayed almost identical to what we described in our previous analysis (Fig. 16, 17).


Figure 16: Encoded exfiltrated credit card data


Figure 17: Decoded exfiltrated credit card data
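Both the TinyLoader shellcode layer (Figures 4 and 5, per-session key) and the AbaddonPOS exfiltration layer (Figures 15 to 17, hardcoded key 0x4C5D6E7F) are repeating 4-byte XOR, so one small decoder serves an analyst triaging either kind of captured traffic. The following is an added example, not code from the malware or from Proofpoint. It assumes the key is applied as a little-endian 32-bit dword, the memory layout an x86 `xor dword [mem], imm32` produces (so 0x4C5D6E7F becomes the byte pattern 7F 6E 5D 4C); the exfiltration record format is not detailed on this page, so the sample record is constructed here and uses only the industry test card numbers 4111111111111111 and 5500000000000004. The known-plaintext key recovery is the standard approach for the TinyLoader layer, where the key changes each session but the decoded shellcode contains predictable strings.

```python
"""Repeating 4-byte XOR decoder and exfil triage helper (added example)."""
import re
import struct

EXFIL_XOR_KEY = 0x4C5D6E7F  # AbaddonPOS exfiltration key from the post (Fig. 15)


def xor_dword_stream(data: bytes, key: int) -> bytes:
    """XOR every byte with the key byte at the same position mod 4.
    Assumption: little-endian dword layout of the key in memory."""
    kb = struct.pack("<I", key)
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))


def recover_key(encoded: bytes, known_plain: bytes, offset: int = 0) -> int:
    """Known-plaintext recovery of a repeating 4-byte key: 4 consecutive bytes
    of known plaintext at any offset yield all 4 key bytes. Useful for the
    TinyLoader layer, whose key is generated per session."""
    if len(known_plain) < 4:
        raise ValueError("need at least 4 bytes of known plaintext")
    kb = bytearray(4)
    for j in range(4):
        kb[(offset + j) % 4] = encoded[offset + j] ^ known_plain[j]
    return struct.unpack("<I", bytes(kb))[0]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(buf: bytes) -> list:
    """Return digit runs of PAN length (13-19) that pass Luhn."""
    return [m.group().decode() for m in re.finditer(rb"\d{13,19}", buf)
            if luhn_ok(m.group().decode())]


def decode_exfil(encoded: bytes, key: int = EXFIL_XOR_KEY) -> list:
    """Strip the XOR layer from a captured exfil body and list the PANs inside."""
    return find_pans(xor_dword_stream(encoded, key))


# Constructed sample record (not from a real capture): two test PANs plus a
# non-card digit run that must be filtered out by the Luhn check.
SAMPLE_PLAIN = (b"4111111111111111=2512101\r\n"
                b"5500000000000004=2601101\r\n"
                b"ticket 1234567890123\r\n")
SAMPLE_ENCODED = xor_dword_stream(SAMPLE_PLAIN, EXFIL_XOR_KEY)

if __name__ == "__main__":
    print("recovered key: 0x%08X" % recover_key(SAMPLE_ENCODED, SAMPLE_PLAIN[:4]))
    print("PANs in decoded record:", decode_exfil(SAMPLE_ENCODED))
```

Because XOR is its own inverse, the same routine encodes and decodes; if a real capture fails to decode cleanly with the dword layout assumed here, try the big-endian byte order of the key before concluding the key has changed again.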


Conclusion

We continue to see TA530 periodically send email-borne threats to target point-of-sale systems using personal details to increase the chances of infection.

TinyLoader and AbaddonPOS are under active development. We expect both to continue to appear in email attacks as cybercriminals target point-of-sale systems to harvest credit card data. Despite changes in the credit-card landscape and more stringent PCI DSS compliance requirements, credit card-related cybercrime remains profitable for threat actors when it can be conducted at scale. Comprehensive email, network, and endpoint protection—along with user education—remain the best ways to protect systems and customer data.


References

[1] https://www.proofpoint.com/us/threat-insight/post/phish-scales-malicious-actor-target-execs

[2] https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak


AbaddonPOS Process Lists

Common process name blacklist

cmd.ex
conhos
dllhos
excel.
explor
lsass.
mmc.ex
dwm.ex
csrs.e
winlog
clamsc
regsvr
mobsyn
rundll
runonc
spools
svchos
taskho
winwor
system
winini
smss.e
lsm.ex
csrss.
search
notepa

POS process name list

active
mercur
ocius4
rs232m
sdpdvk
sihot.
unilec
focus8
ehubem
fdfdo.
cashbo
cps.po
powerp
saleso
finedi
pointo
infigm
adrm.e
afr38.
aldelo
araavl
aracs.
bestpo
bosrv.
cardau
cashcl
checki
cre200
cross.
crosss
cxsret
ddcdsr
dovepo
dsihea
eagles
electr
fincha
invent
isspos
issret
magtek
nails1
omnipo
paymen
paymen
pixela
pos24f
posini
prm.cl
ptserv
qbdbmg
qbpos.
qbposs
retail
rmposl
roomke
rpro8.
rwpos.
sales3
soposu
spaint
telefl
transa
utg2sv
visual
wickr.
xcharg


Indicators of Compromise (IOC)

Table 1: Indicators of Compromise

IOC | IOC Type | Description
7dc57aef76a1ddb5eef7bfd1a1350e1e951b5f216bfc805f51796545d04d80a0 | SHA256 hash | Example macro document
e5fbfd61b19561a4c35d1f7aa385f4ca73a65adb2610504398e4ca47c109bace | SHA256 hash | Initial TinyLoader download
b30ee5185c7f649da42efabe9512d79adcaa53f3f3647e0025b7c68bf7cc8734 | SHA256 hash | TinyLoader update
24e39756c5b6bdbdc397dabde3ece587cdb987af9704d5e5329e00b5b2aaa312 | SHA256 hash | AbaddonPOS
hxxp://dolcheriva[.]com/img/del/a/cg-bn/word.exe | URL | Example TinyLoader download
hxxp://50.7.124[.]178/file.e | URL | Example TinyLoader update download
hxxp://85.93.5[.]136/ZRH4J2/P_KYJ3gxEhTpasmJxz.d | URL | Example AbaddonPOS download
50.7.124[.]178:30010 | IP:port | TinyLoader C2
85.93.5[.]136:50010 | IP:port | TinyLoader C2
85.93.5[.]136:50011 | IP:port | AbaddonPOS C2
CHAMEL1ON | Mutex | TinyLoader mutex


Select ET signatures that would fire on such traffic:

2022658 || ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016 (WinHTTPRequest)
2812523 || ETPRO TROJAN TinyLoader.C CnC Beacon x86
2812524 || ETPRO TROJAN TinyLoader.C CnC Beacon x64
2814778 || ETPRO TROJAN TinyLoader.D CnC Beacon x86
2814779 || ETPRO TROJAN TinyLoader.D CnC Beacon x64
2814803 || ETPRO TROJAN Win64.TinyLoader CnC Beacon
2814810 || ETPRO TROJAN TinyDownloader Retrieving PE
2816697 || ETPRO TROJAN AbaddonPOS Exfiltrating CC Numbers 5
2816698 || ETPRO TROJAN AbaddonPOS Exfiltrating CC Numbers 6
2816699 || ETPRO TROJAN AbaddonPOS Exfiltrating CC Numbers 7
2816700 || ETPRO TROJAN AbaddonPOS Exfiltrating CC Numbers 8