• TA14-212A: Backoff Point-of-Sale Malware

    From Ben Ritchey@1:393/68 to All on Sat Aug 2 08:32:55 2014

    Subject: TA14-212A: Backoff Point-of-Sale Malware
    From: US-CERT <US-CERT@ncas.us-cert.gov>



    National Cyber Awareness System:

    TA14-212A: Backoff Point-of-Sale Malware [ https://www.us-cert.gov/ncas/alerts/TA14-212A ] 07/31/2014 07:30 AM EDT
    Original release date: July 31, 2014

    Systems Affected

    Point-of-Sale Systems

    Overview

    This advisory was prepared in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service (USSS), Financial Sector Information Sharing and Analysis Center (FS-ISAC), and Trustwave Spiderlabs, a trusted partner under contract with the USSS. The purpose of this release is to provide relevant and actionable technical indicators for network defense.

    Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop,[1] Apple Remote Desktop,[2] Chrome Remote Desktop,[3] Splashtop 2,[4] Pulseway,[5] and LogMeIn Join.Me[6] offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request.

    USSS, NCCIC/US-CERT and Trustwave Spiderlabs have been working together to characterize newly identified malware dubbed "Backoff", associated with several PoS data breach investigations. At the time of discovery and analysis, the malware variants had low to zero percent anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious.

    Similar attacks have been noted in previous PoS malware campaigns,[7] and some studies state that targeting the Remote Desktop Protocol with brute force attacks is on the rise.[8] A Mitigation and Prevention Strategies section is included to offer options for network defenders to consider.

    Description

    "Backoff" is a family of PoS malware that was discovered recently. The malware family has been witnessed in at least three separate forensic investigations. Researchers have identified three primary variants of the "Backoff" malware: 1.4, 1.55 ("backoff", "goo", "MAY", "net"), and 1.56 ("LAST").

    These variations have been seen as far back as October 2013 and continue to operate as of July 2014. In total, the malware typically consists of the following four capabilities. An exception is the earliest witnessed variant (1.4), which does not include keylogging functionality. Additionally, 1.55 'net' removed the explorer.exe injection component:


    * Scraping memory for track data
    * Logging keystrokes
    * Command & control (C2) communication
    * Injecting malicious stub into explorer.exe

    The malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data. Keylogging functionality is also present in most recent variants of "Backoff". Additionally, the malware has a component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware.

    *_Variants_*

    Based on compiled timestamps and versioning information witnessed in the HTTP POST requests, "Backoff" variants were analyzed over a seven month period. The five variants witnessed in the "Backoff" malware family have notable modifications, to include:

    *1.55 "backoff"*


    * Added Local.dat temporary storage for discovered track data
    * Added keylogging functionality
    * Added "gr" POST parameter to include variant name
    * Added ability to exfiltrate keylog data
    * Supports multiple exfiltration domains
    * Changed install path
    * Changed User-Agent

    *1.55 "goo"*


    * Attempts to remove prior version of malware
    * Uses 8.8.8.8 as resolver

    *1.55 "MAY"*


    * No significant updates other than changes to the URI and version name


    *1.55 "net"*


    * Removed the explorer.exe injection component

    *1.56 "LAST"*


    * Re-added the explorer.exe injection component
    * Support for multiple domain/URI/port configurations
    * Modified code responsible for creating exfiltration thread(s)
    * Added persistence techniques

    *_Command & Control Communication_*

    All communication for "Backoff" takes place via HTTP POST requests. A number of POST parameters are included when this malware makes a request to the C&C server.


    * op : Static value of '1'
    * id : randomly generated 7 character string
    * ui : Victim username/hostname
    * wv : Version of Microsoft Windows
    * gr (Not seen in version 1.4) : Malware-specific identifier
    * bv : Malware version
    * data (optional) : Base64-encoded/RC4-encrypted data

    The 'id' parameter is stored in the following location, to ensure it is consistent across requests:


    * HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    If this key doesn't exist, the string will be generated and stored. Data is encrypted using RC4 prior to being encoded with Base64. The password for RC4 is generated from the 'id' parameter, a static string of 'jhgtsd7fjmytkr', and the 'ui' parameter. These values are concatenated together and then hashed using the MD5 algorithm to form the RC4 password. For the example request shown in the original advisory (id 'vxeyHkS', ui 'Josh @ PC123456'), the RC4 password would be '56E15A1B3CB7116CAB0268AC8A,D943' (the MD5 hash of 'vxeyHkSjhgtsd7fjmytkrJosh @ PC123456').
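    The key derivation and payload encoding described above, as an added example for incident responders (this is not code from the advisory): it parses a captured C2 POST body, derives MD5(id + static string + ui) and decrypts the 'data' parameter. The sample body is constructed here, the static string defaults to the one quoted in the text (per-variant values are listed under File Indicators), and it is assumed that the upper-case hex digest text itself is the RC4 password, as the advisory's quoted key suggests.

```python
# Added example (not from the advisory): decode a Backoff-style C2 POST body.
import base64
import hashlib
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode

# Static string quoted in the advisory text; other variants use other strings.
DEFAULT_STATIC = "jhgtsd7fjmytkr"


def derive_rc4_key(id_param: str, ui_param: str, static: str = DEFAULT_STATIC) -> bytes:
    """MD5 over id || static || ui. Assumption: the upper-case hex digest text
    (32 ASCII bytes) is the RC4 password, as in the advisory's quoted example."""
    digest = hashlib.md5((id_param + static + ui_param).encode("utf-8")).hexdigest()
    return digest.upper().encode("ascii")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_c2_post(body: str) -> Dict[str, Optional[str]]:
    """Split a form-encoded body into the parameters the advisory lists
    (op, id, ui, wv, gr, bv, data); absent parameters map to None."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: fields.get(k, [None])[0] for k in ("op", "id", "ui", "wv", "gr", "bv", "data")}


def decode_exfil(body: str, static: str = DEFAULT_STATIC) -> Optional[bytes]:
    """Return the decrypted 'data' payload of a captured POST, or None for a
    beacon-only request that carries no data parameter."""
    params = parse_c2_post(body)
    if params["data"] is None or params["id"] is None or params["ui"] is None:
        return None
    key = derive_rc4_key(params["id"], params["ui"], static)
    return rc4(key, base64.b64decode(params["data"]))


def build_sample_body(plaintext: bytes) -> str:
    """Constructed fixture only: wrap a plaintext the way the advisory says
    the malware does (RC4, then Base64) so decode_exfil() has input to work on."""
    id_param, ui_param = "vxeyHkS", "Josh @ PC123456"   # values quoted in the advisory
    data = base64.b64encode(rc4(derive_rc4_key(id_param, ui_param), plaintext)).decode()
    return urlencode({"op": "1", "id": id_param, "ui": ui_param, "wv": "6.1",
                      "gr": "backoff", "bv": "1.55", "data": data})


if __name__ == "__main__":
    sample = build_sample_body(b"constructed-sample-track-data")
    print(parse_c2_post(sample))
    print(decode_exfil(sample))
```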

    *_File Indicators:_*

    The following is a list of Indicators of Compromise (IOCs) that network defenders should add to their security tooling in order to search for these indicators on their network.

    *"1.4"*

    *Packed MD5:* 927AE15DBF549BD60EDCDEAFB49B829E

    *Unpacked MD5:* 6A0E49C5E332DF3AF78823CA4A655AE8

    *Install Path:* %APPDATA%\AdobeFlashPlayer\mswinsvc.exe

    *Mutexes: *

    uhYtntr56uisGst

    uyhnJmkuTgD

    *Files Written: *

    %APPDATA%\mskrnl

    %APPDATA%\winserv.exe

    %APPDATA%\AdobeFlashPlayer\mswinsvc.exe

    *Static String (POST Request):* zXqW9JdWLM4urgjRkX

    *Registry Keys:*

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    *User-Agent:* Mozilla/4.0

    *URI(s):* /aircanada/dark.php

    *1.55 "backoff"*

    *Packed MD5:* F5B4786C28CCF43E569CB21A6122A97E

    *Unpacked MD5:* CA4D58C61D463F35576C58F25916F258

    *Install Path:* %APPDATA%\AdobeFlashPlayer\mswinhost.exe

    *Mutexes: *

    Undsa8301nskal

    uyhnJmkuTgD

    *Files Written: *

    %APPDATA%\mskrnl

    %APPDATA%\winserv.exe

    %APPDATA%\AdobeFlashPlayer\mswinhost.exe

    %APPDATA%\AdobeFlashPlayer\Local.dat

    %APPDATA%\AdobeFlashPlayer\Log.txt

    *Static String (POST Request):* ihasd3jasdhkas

    *Registry Keys:*

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    *User-Agent:* Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

    *URI(s):* /aero2/fly.php

    *1.55 "goo"*

    *Packed MD5:* 17E1173F6FC7E920405F8DBDE8C9ECAC

    *Unpacked MD5:* D397D,C9DE41FB5B5D897D1E665C549

    *Install Path:* %APPDATA%\OracleJava\javaw.exe

    *Mutexes: *

    nUndsa8301nskal

    nuyhnJmkuTgD

    *Files Written: *

    %APPDATA%\nsskrnl

    %APPDATA%\winserv.exe

    %APPDATA%\OracleJava\javaw.exe

    %APPDATA%\OracleJava\Local.dat

    %APPDATA%\OracleJava\Log.txt

    *Static String (POST Request):* jhgtsd7fjmytkr

    *Registry Keys:*

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    *User-Agent: *

    *URI(s):* /windows/updcheck.php

    *1.55 "MAY"*

    *Packed MD5:* 21E61EB9F5C1E1226F9D69CBFD1BF61B

    *Unpacked MD5:* CA608E7996DED0E5009DB6CC54E08749

    *Install Path:* %APPDATA%\OracleJava\javaw.exe

    *Mutexes: *

    nUndsa8301nskal

    nuyhnJmkuTgD

    *Files Written: *

    %APPDATA%\nsskrnl

    %APPDATA%\winserv.exe

    %APPDATA%\OracleJava\javaw.exe

    %APPDATA%\OracleJava\Local.dat

    %APPDATA%\OracleJava\Log.txt

    *Static String (POST Request):* jhgtsd7fjmytkr

    *Registry Keys:*

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    *User-Agent: *

    *URI(s):* /windowsxp/updcheck.php

    *1.55 "net"*

    *Packed MD5:* 0607CE9793EEA0A42819957528D92B02

    *Unpacked MD5:* 5C1474EA275A05A2668B823D055858D9

    *Install Path:* %APPDATA%\AdobeFlashPlayer\mswinhost.exe

    *Mutexes: *

    nUndsa8301nskal

    *Files Written: *

    %APPDATA%\AdobeFlashPlayer\mswinhost.exe

    %APPDATA%\AdobeFlashPlayer\Local.dat

    %APPDATA%\AdobeFlashPlayer\Log.txt

    *Static String (POST Request):* ihasd3jasdhkas9

    *Registry Keys:*

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    *User-Agent: *

    *URI(s):* /windowsxp/updcheck.php

    *1.56 "LAST"*

    *Packed MD5:* 1,9C0BC18FDF98189457A9D112EEBFC

    *Unpacked MD5:* 205947B57D41145B857DE18E43EFB794

    *Install Path:* %APPDATA%\OracleJava\javaw.exe

    *Mutexes: *

    nUndsa8301nskal

    nuyhnJmkuTgD

    *Files Written: *

    %APPDATA%\nsskrnl

    %APPDATA%\winserv.exe

    %APPDATA%\OracleJava\javaw.exe

    %APPDATA%\OracleJava\Local.dat

    %APPDATA%\OracleJava\Log.txt

    *Static String (POST Request):* jhgtsd7fjmytkr

    *Registry Keys:*

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath

    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath

    *User-Agent:* Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

    *URI(s):* /windebug/updcheck.php

    Impact

    The impact of a compromised PoS system can affect both businesses and consumers by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business' brand and reputation, while consumers' information can be used to make fraudulent purchases or risk compromise of bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.

    Solution

    At the time this advisory is released, the variants of the "Backoff" malware family are largely undetected by anti-virus (AV) vendors. However, shortly following the publication of this technical analysis, AV companies will quickly begin detecting the existing variants. It's important to maintain up-to-date AV signatures and engines as new threats such as this are continually being added to your AV solution. Pending AV detection of the malware variants, network defenders can apply indicators of compromise (IOC) to a variety of prevention and detection strategies.[9],[10],[11] IOCs can be found above.
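    One way to apply the network-facing IOCs from the File Indicators section (the C2 URIs and User-Agent strings) to web-proxy logs, as an added example that is not part of the advisory. The log line format and the sample traffic are constructed for this example; hosts in it are placeholders, not indicators.

```python
# Added example (not from the advisory): match proxy log lines against the
# C2 URIs and User-Agent strings the advisory lists per Backoff variant.
import re
from typing import Dict, List

# URIs and User-Agents taken from the File Indicators section of the advisory.
C2_URIS = {
    "/aircanada/dark.php": "1.4",
    "/aero2/fly.php": "1.55 backoff",
    "/windows/updcheck.php": "1.55 goo",
    "/windowsxp/updcheck.php": "1.55 MAY / 1.55 net",
    "/windebug/updcheck.php": "1.56 LAST",
}
C2_USER_AGENTS = {
    "Mozilla/4.0",   # bare UA with no product tokens; used by variant 1.4
    "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
}

# Constructed proxy line format: ts client method host path status "User-Agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Dict[str, str]:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def assess(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an entry matches the advisory's IOCs (empty = clean).
    A URI hit is conclusive on its own; the Firefox 24 UA is only used to
    corroborate a URI hit, because real browsers send it too. The bare
    Mozilla/4.0 UA on a POST is rare enough to flag by itself."""
    reasons = []
    if entry["path"] in C2_URIS:
        reasons.append(f"C2 URI {entry['path']} (Backoff {C2_URIS[entry['path']]})")
        if entry["ua"] in C2_USER_AGENTS:
            reasons.append("User-Agent also matches the variant's indicator")
    if entry["method"] == "POST" and entry["ua"] == "Mozilla/4.0":
        reasons.append("POST with bare Mozilla/4.0 User-Agent (Backoff 1.4 indicator)")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every line through the checks and keep only the hits, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        reasons = assess(entry)
        if reasons:
            hits.append({"client": entry["client"], "path": entry["path"], "reasons": reasons})
    return hits


# Constructed sample traffic from a PoS VLAN (placeholder hosts, not real IOCs).
SAMPLE_LOG = [
    '2014-07-30T10:01:02Z 10.20.30.11 GET www.example.com /index.html 200 '
    '"Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"',
    '2014-07-30T10:01:09Z 10.20.30.11 POST c2.example.invalid /windebug/updcheck.php 200 '
    '"Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"',
    '2014-07-30T10:02:40Z 10.20.30.12 POST updates.example.invalid /aircanada/dark.php 200 '
    '"Mozilla/4.0"',
    '2014-07-30T10:03:15Z 10.20.30.13 POST shop.example.com /checkout 200 "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["path"], "; ".join(hit["reasons"]))
```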

    The forensic investigations of compromises of retail IT/payment networks indicate that the network compromises allowed the introduction of memory scraping malware to the payment terminals. Information security professionals recommend a defense in depth approach to mitigating risk to retail payment systems. While some of the risk mitigation recommendations are general in nature, the following strategies provide an approach to minimize the possibility of an attack and mitigate the risk of data compromise:

    *_Remote Desktop Access _*


    * Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited unauthorized attempts to login, whether from an unauthorized user or via automated attack types like brute force.[12]
    * Limit the number of users and workstations who can log in using Remote Desktop.
    * Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).[13]
    * Change the default Remote Desktop listening port.
    * Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.[14]
    * Require two-factor authentication (2FA) for remote desktop access.[15]
    * Install a Remote Desktop Gateway to restrict access.[16]
    * Add an extra layer of authentication and encryption by tunneling your Remote Desktop through IPSec, SSH or SSL.[17],[18]
    * Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks.
    * Limit administrative privileges for users and applications.
    * Periodically review systems (local and domain controllers) for unknown and dormant users.

    *_Network Security _*


    * Review firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network. This is especially critical for outbound (e.g., egress) firewall rules in which compromised entities allow ports to communicate to any IP address on the Internet. Hackers leverage this configuration to exfiltrate data to their IP addresses.
    * Segregate payment processing networks from other networks.
    * Apply access control lists (ACLs) on the router configuration to limit unauthorized traffic to payment processing networks.
    * Create strict ACLs segmenting public-facing systems and back-end database systems that house payment card data.
    * Implement data leakage prevention/detection tools to detect and help prevent data exfiltration.
    * Implement tools to detect anomalous network traffic and anomalous behavior by legitimate users (compromised credentials).

    *_Cash Register and PoS Security _*


    * Implement hardware-based point-to-point encryption. It is recommended that EMV-enabled PIN entry devices or other credit-only accepting devices have Secure Reading and Exchange of Data (SRED) capabilities. SRED-approved devices can be found at the Payment Card Industry Security Standards website.
    * Install Payment Application Data Security Standard-compliant payment applications.
    * Deploy the latest version of an operating system and ensure it is up to date with security patches, anti-virus software, file integrity monitoring and a host-based intrusion-detection system.
    * Assign a strong password to security solutions to prevent application modification. Use two-factor authentication (2FA) where feasible.
    * Perform a binary or checksum comparison to ensure unauthorized files are not installed.
    * Ensure any automatic updates from third parties are validated. This means performing a checksum comparison on the updates prior to deploying them on PoS systems. It is recommended that merchants work with their PoS vendors to obtain signatures and hash values to perform this checksum validation.
    * Disable unnecessary ports and services, null sessions, default users and guests.
    * Enable logging of events and make sure there is a process to monitor logs on a daily basis.
    * Implement least privileges and ACLs on users and applications on the system.

    References

    * [1] Windows Remote Desktop [ http://apps.microsoft.com/windows/en-us/app/remote-desktop/051f560e-5e9b-4dad-8b2e-fa5e0b05a480 ]
    * [2] Apple Remote Desktop [ https://www.apple.com/remotedesktop/ ]
    * [3] Chrome Remote Desktop [ https://chrome.google.com/webstore/category/apps?hl=en ]
    * [4] Splashtop [ http://www.splashtop.com/downloads-all ]
    * [5] Windows Pulseway [ http://apps.microsoft.com/windows/en-gb/app/pc-monitor/9efc1d1c-6816-48bc-8de7-d4b21a5b3589 ]
    * [6] Windows Join.me [ http://apps.microsoft.com/windows/en-gb/app/join-me/72920ad1-d57c-4b60-b595-a5078859cb ]
    * [7] Attackers brute-force POS systems utilizing RDP in global botnet operation [ http://www.scmagazine.com/attackers-brute-force-pos-systems-utilizing-rdp-in-global-botnet-operation/article/360156/ ]
    * [8] Brute force RDP attacks depend on your mistakes [ http://www.zdnet.com/brute-force-rdp-attacks-depend-on-your-mistakes-7000031071/ ]
    * [9] Understanding Indicators of Compromise (IOC) [ https://blogs.rsa.com/understanding-indicators-of-compromise-ioc-part-i/ ]
    * [10] Using Indicators of Compromise in Malware Forensics [ http://www.sans.org/reading-room/whitepapers/forensics/ioc-indicators-compromise-malware-forensics-34200 ]
    * [11] Indicators of Compromise: The Key to Early Detection [ http://www.tripwire.com/state-of-security/security-data-protection/indicators-of-compromise-the-key-to-earlier-detection-of-breaches/ ]
    * [12] Configuring Account Lockout [ http://technet.microsoft.com/en-us/library/cc737614%28v=ws.10%29.aspx ]
    * [13] Securing Remote Desktop for System Administrators [ https://security.berkeley.edu/node/94 ]
    * [14] Account Lockout and Password Concepts [ http://technet.microsoft.com/en-us/library/cc780271%28v=ws.10%29.aspx ]
    * [15] NIST Guide to Enterprise Telework and Remote Access Security [ http://csrc.nist.gov/publications/nistpubs/800-46-rev1/sp800-46r1.pdf ]
    * [16] Installing RD Gateway [ http://technet.microsoft.com/en-us/library/dd983949 ]
    * [17] Networking and Access Technologies [ http://technet.microsoft.com/en-us/network/bb531150 ]
    * [18] Secure RDS Connections with SSL [ http://technet.microsoft.com/en-us/magazine/ff458357.aspx ]

    Revision History

    * July 31, 2014 - Initial Release



    --
    Guardien Fide :^)

    Ben aka cMech Web: http://cmech.dynip.com
    Email: fido4cmech(at)lusfiber.net
    Home page: http://users.lusfiber.net/~fido4cmech
    WildCat! Board 24/7 +1-337-984-4794 any BAUD 8,N,1

    --- GoldED+/W32-MSVC
    * Origin: FIDONet - The Positronium Repository (1:393/68)
  • From Ben Ritchey@1:393/68 to All on Mon Aug 18 16:12:17 2014
    =-=-=-=-=-=-= Original message BEGINs here: =-=-=-=-=-=-=

    Subject: TA14-212A: Backoff Point-of-Sale Malware
    From: US-CERT <US-CERT@ncas.us-cert.gov>



    National Cyber Awareness System:

    TA14-212A: Backoff Point-of-Sale Malware [ https://www.us-cert.gov/ncas/alerts/TA14-212A ] 07/31/2014 07:30 AM EDT
    Original release date: July 31, 2014 | Last revised: August 18, 2014

    Systems Affected

    Point-of-Sale Systems

    Overview

    This advisory was prepared in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service (USSS), Financial Sector Information Sharing and Analysis Center (FS-ISAC), and Trustwave Spiderlabs, a trusted partner under contract with the USSS. The purpose of this release is to provide relevant and actionable technical indicators for network defense.

    Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop,[1] Apple Remote Desktop,[2] Chrome Remote Desktop,[3] Splashtop 2,[4] Pulseway,[5] and LogMeIn[6] offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request.

    USSS, NCCIC/US-CERT and Trustwave Spiderlabs have been working together to characterize newly identified malware dubbed "Backoff", associated with several PoS data breach investigations. At the time of discovery and analysis, the malware variants had low to zero percent anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious.

    Similar attacks have been noted in previous PoS malware campaigns,[7] and some studies state that targeting the Remote Desktop Protocol with brute force attacks is on the rise.[8] A Mitigation and Prevention Strategies section is included to offer options for network defenders to consider.

    Description

    "Backoff" is a family of PoS malware that was discovered recently. The malware family has been witnessed in at least three separate forensic investigations. Researchers have identified three primary variants of the "Backoff" malware: 1.4, 1.55 ("backoff", "goo", "MAY", "net"), and 1.56 ("LAST").

    These variations have been seen as far back as October 2013 and continue to operate as of July 2014. In total, the malware typically consists of the following four capabilities. An exception is the earliest witnessed variant (1.4), which does not include keylogging functionality. Additionally, 1.55 'net' removed the explorer.exe injection component:


    * Scraping memory for track data
    * Logging keystrokes
    * Command & control (C2) communication
    * Injecting malicious stub into explorer.exe

    The malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data. Keylogging functionality is also present in most recent variants of "Backoff". Additionally, the malware has a component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware.

    *_Variants_*

    Based on compiled timestamps and versioning information witnessed in the HTTP POST requests, "Backoff" variants were analyzed over a seven month period. The five variants witnessed in the "Backoff" malware family have notable modifications, to include:

    *1.55 "backoff"*


    * Added Local.dat temporary storage for discovered track data
    * Added keylogging functionality
    * Added "gr" POST parameter to include variant name
    * Added ability to exfiltrate keylog data
    * Supports multiple exfiltration domains
    * Changed install path
    * Changed User-Agent

    *1.55 "goo"*


    * Attempts to remove prior version of malware
    * Uses 8.8.8.8 as resolver

    *1.55 "MAY"*


    * No significant updates other than changes to the URI and version name


    *1.55 "net"*


    * Removed the explorer.exe injection component

    *1.56 "LAST"*


    * Re-added the explorer.exe injection component
    * Support for multiple domain/URI/port configurations
    * Modified code responsible for creating exfiltration thread(s)
    * Added persistence techniques

    *_Command & Control Communication_*

    All communication for "Backoff" takes place via HTTP POST requests. A number of POST parameters are included when this malware makes a request to the C&C server.


    * op : Static value of '1'
    * id : randomly generated 7 character string
    * ui : Victim username/hostname
    * wv : Version of Microsoft Windows
    * gr (Not seen in version 1.4) : Malware-specific identifier
    * bv : Malware version
    * data (optional) : Base64-encoded/RC4-encrypted data

    The 'id' parameter is stored in the following location, to ensure it is consistent across requests:


    * HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    If this key doesn't exist, the string will be generated and stored. Data is encrypted using RC4 prior to being encoded with Base64. The password for RC4 is generated from the 'id' parameter, a static string of 'jhgtsd7fjmytkr', and the 'ui' parameter. These values are concatenated together and then hashed using the MD5 algorithm to form the RC4 password. For the example request shown in the original advisory (id 'vxeyHkS', ui 'Josh @ PC123456'), the RC4 password would be '56E15A1B3CB7116CAB0268AC8A,D943' (the MD5 hash of 'vxeyHkSjhgtsd7fjmytkrJosh @ PC123456').

    *_File Indicators:_*

    The following is a list of Indicators of Compromise (IOCs) that network defenders should add to their security tooling in order to search for these indicators on their network.

    *"1.4"*

    *Packed MD5:* 927AE15DBF549BD60EDCDEAFB49B829E

    *Unpacked MD5:* 6A0E49C5E332DF3AF78823CA4A655AE8

    *Install Path:* %APPDATA%\AdobeFlashPlayer\mswinsvc.exe

    *Mutexes: *

    uhYtntr56uisGst

    uyhnJmkuTgD

    *Files Written: *

    %APPDATA%\mskrnl

    %APPDATA%\winserv.exe

    %APPDATA%\AdobeFlashPlayer\mswinsvc.exe

    *Static String (POST Request):* zXqW9JdWLM4urgjRkX

    *Registry Keys:*

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    *User-Agent:* Mozilla/4.0

    *URI(s):* /aircanada/dark.php

    *1.55 "backoff"*

    *Packed MD5:* F5B4786C28CCF43E569CB21A6122A97E

    *Unpacked MD5:* CA4D58C61D463F35576C58F25916F258

    *Install Path:* %APPDATA%\AdobeFlashPlayer\mswinhost.exe

    *Mutexes: *

    Undsa8301nskal

    uyhnJmkuTgD

    *Files Written: *

    %APPDATA%\mskrnl

    %APPDATA%\winserv.exe

    %APPDATA%\AdobeFlashPlayer\mswinhost.exe

    %APPDATA%\AdobeFlashPlayer\Local.dat

    %APPDATA%\AdobeFlashPlayer\Log.txt

    *Static String (POST Request):* ihasd3jasdhkas

    *Registry Keys:*

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    *User-Agent:* Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

    *URI(s):* /aero2/fly.php

    *1.55 "goo"*

    *Packed MD5:* 17E1173F6FC7E920405F8DBDE8C9ECAC

    *Unpacked MD5:* D397D,C9DE41FB5B5D897D1E665C549

    *Install Path:* %APPDATA%\OracleJava\javaw.exe

    *Mutexes: *

    nUndsa8301nskal

    nuyhnJmkuTgD

    *Files Written: *

    %APPDATA%\nsskrnl

    %APPDATA%\winserv.exe

    %APPDATA%\OracleJava\javaw.exe

    %APPDATA%\OracleJava\Local.dat

    %APPDATA%\OracleJava\Log.txt

    *Static String (POST Request):* jhgtsd7fjmytkr

    *Registry Keys:*

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    *User-Agent: *

    *URI(s):* /windows/updcheck.php

    *1.55 "MAY"*

    *Packed MD5:* 21E61EB9F5C1E1226F9D69CBFD1BF61B

    *Unpacked MD5:* CA608E7996DED0E5009DB6CC54E08749

    *Install Path:* %APPDATA%\OracleJava\javaw.exe

    *Mutexes: *

    nUndsa8301nskal

    nuyhnJmkuTgD

    *Files Written: *

    %APPDATA%\nsskrnl

    %APPDATA%\winserv.exe

    %APPDATA%\OracleJava\javaw.exe

    %APPDATA%\OracleJava\Local.dat

    %APPDATA%\OracleJava\Log.txt

    *Static String (POST Request):* jhgtsd7fjmytkr

    *Registry Keys:*

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    *User-Agent: *

    *URI(s):* /windowsxp/updcheck.php

    *1.55 "net"*

    *Packed MD5:* 0607CE9793EEA0A42819957528D92B02

    *Unpacked MD5:* 5C1474EA275A05A2668B823D055858D9

    *Install Path:* %APPDATA%\AdobeFlashPlayer\mswinhost.exe

    *Mutexes: *

    nUndsa8301nskal

    *Files Written: *

    %APPDATA%\AdobeFlashPlayer\mswinhost.exe

    %APPDATA%\AdobeFlashPlayer\Local.dat

    %APPDATA%\AdobeFlashPlayer\Log.txt

    *Static String (POST Request):* ihasd3jasdhkas9

    *Registry Keys:*

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    *User-Agent: *

    *URI(s):* /windowsxp/updcheck.php

    *1.56 "LAST"*

    *Packed MD5:* 1,9C0BC18FDF98189457A9D112EEBFC

    *Unpacked MD5:* 205947B57D41145B857DE18E43EFB794

    *Install Path:* %APPDATA%\OracleJava\javaw.exe

    *Mutexes: *

    nUndsa8301nskal

    nuyhnJmkuTgD

    *Files Written: *

    %APPDATA%\nsskrnl

    %APPDATA%\winserv.exe

    %APPDATA%\OracleJava\javaw.exe

    %APPDATA%\OracleJava\Local.dat

    %APPDATA%\OracleJava\Log.txt

    *Static String (POST Request):* jhgtsd7fjmytkr

    *Registry Keys:*

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath

    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath

    *User-Agent:* Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

    *URI(s):* /windebug/updcheck.php

    Impact

    The impact of a compromised PoS system can affect both businesses and consumers by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business' brand and reputation, while consumers' information can be used to make fraudulent purchases or risk compromise of bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.

    Solution

    At the time this advisory is released, the variants of the “Backoff”
    malware family are largely undetected by anti-virus (AV) vendors.
    However, shortly following the publication of this technical analysis,
    AV companies will quickly begin detecting the existing variants. It's
    important to maintain up-to-date AV signatures and engines as new threats
    such as this are continually being added to your AV solution. Pending AV
    detection of the malware variants, network defenders can apply indicators
    of compromise (IOC) to a variety of prevention and detection
    strategies.[9],[10],[11] IOCs can be found above.

    The forensic investigations of compromises of retail IT/payment networks
    indicate that the network compromises allowed the introduction of memory
    scraping malware to the payment terminals. Information security
    professionals recommend a defense in depth approach to mitigating risk to
    retail payment systems. While some of the risk mitigation recommendations
    are general in nature, the following strategies provide an approach to
    minimize the possibility of an attack and mitigate the risk of data
    compromise:

    *_Remote Desktop Access _*


    * Configure the account lockout settings to lock a user account after a
    period of time or a specified number of failed login attempts. This
    prevents unlimited unauthorized attempts to login whether from an
    unauthorized user or via automated attack types like brute force.[12]
    * Limit the number of users and workstations who can log in using Remote
    Desktop.
    * Use firewalls (both software and hardware where available) to restrict
    access to remote desktop listening ports (default is TCP 3389).[13]
    * Change the default Remote Desktop listening port.
    * Define complex password parameters. Configuring an expiration time and
    password length and complexity can decrease the amount of time in which
    a successful attack can occur.[14]
    * Require two-factor authentication (2FA) for remote desktop access.[15]
    * Install a Remote Desktop Gateway to restrict access.[16]
    * Add an extra layer of authentication and encryption by tunneling your
    Remote Desktop through IPSec, SSH or SSL.[17],[18]
    * Require 2FA when accessing payment processing networks. Even if a
    virtual private network is used, it is important that 2FA is implemented
    to help mitigate keylogger or credential dumping attacks.
    * Limit administrative privileges for users and applications.
    * Periodically review systems (local and domain controllers) for unknown
    and dormant users.

    *_Network Security _*


    * Review firewall configurations and ensure that only allowed ports,
    services and Internet protocol (IP) addresses are communicating with your
    network. This is especially critical for outbound (e.g., egress) firewall
    rules in which compromised entities allow ports to communicate to any IP
    address on the Internet. Hackers leverage this configuration to
    exfiltrate data to their IP addresses.
    * Segregate payment processing networks from other networks.
    * Apply access control lists (ACLs) on the router configuration to limit
    unauthorized traffic to payment processing networks.
    * Create strict ACLs segmenting public-facing systems and back-end
    database systems that house payment card data.
    * Implement data leakage prevention/detection tools to detect and help
    prevent data exfiltration.
    * Implement tools to detect anomalous network traffic and anomalous
    behavior by legitimate users (compromised credentials).

    *_Cash Register and PoS Security _*


    * Implement hardware-based point-to-point encryption. It is recommended
    that EMV-enabled PIN entry devices or other credit-only accepting devices
    have Secure Reading and Exchange of Data (SRED) capabilities.
    SRED-approved devices can be found at the Payment Card Industry Security
    Standards website.
    * Install Payment Application Data Security Standard-compliant payment
    applications.
    * Deploy the latest version of an operating system and ensure it is up
    to date with security patches, anti-virus software, file integrity
    monitoring and a host-based intrusion-detection system.
    * Assign a strong password to security solutions to prevent application
    modification. Use two-factor authentication (2FA) where feasible.
    * Perform a binary or checksum comparison to ensure unauthorized files
    are not installed.
    * Ensure any automatic updates from third parties are validated. This
    means performing a checksum comparison on the updates prior to deploying
    them on PoS systems. It is recommended that merchants work with their PoS
    vendors to obtain signatures and hash values to perform this checksum
    validation.
    * Disable unnecessary ports and services, null sessions, default users
    and guests.
    * Enable logging of events and make sure there is a process to monitor
    logs on a daily basis.
    * Implement least privileges and ACLs on users and applications on the
    system.

    References

    * [1] Windows Remote Desktop [ http://apps.microsoft.com/windows/en-us/app/remote-desktop/051f560e-5e9b-4dad-8b2e-fa5e0b05a480 ]
    * [2] Apple Remote Desktop [ https://www.apple.com/remotedesktop/ ]
    * [3] Chrome Remote Desktop [ https://chrome.google.com/webstore/category/apps?hl=en ]
    * [4] Splashtop [ http://www.splashtop.com/downloads-all ]
    * [5] Windows Pulseway [ http://apps.microsoft.com/windows/en-gb/app/pc-monitor/9efc1d1c-6816-48bc-8de7-d4b21a5b3589 ]
    * [6] LogMeIn Official Site [ https://secure.logmein.com/ ]
    * [7] Attackers brute-force POS systems utilizing RDP in global botnet operation [ http://www.scmagazine.com/attackers-brute-force-pos-systems-utilizing-rdp-in-global-botnet-operation/article/360156/ ]
    * [8] Brute force RDP attacks depend on your mistakes [ http://www.zdnet.com/brute-force-rdp-attacks-depend-on-your-mistakes-7000031071/ ]
    * [9] Understanding Indicators of Compromise (IOC) [ https://blogs.rsa.com/understanding-indicators-of-compromise-ioc-part-i/ ]
    * [10] Using Indicators of Compromise in Malware Forensics [ http://www.sans.org/reading-room/whitepapers/forensics/ioc-indicators-compromise-malware-forensics-34200 ]
    * [11] Indicators of Compromise: The Key to Early Detection [ http://www.tripwire.com/state-of-security/security-data-protection/indicators-of-compromise-the-key-to-earlier-detection-of-breaches/ ]
    * [12] Configuring Account Lockout [ http://technet.microsoft.com/en-us/library/cc737614%28v=ws.10%29.aspx ]
    * [13] Securing Remote Desktop for System Administrators [ https://security.berkeley.edu/node/94 ]
    * [14] Account Lockout and Password Concepts [ http://technet.microsoft.com/en-us/library/cc780271%28v=ws.10%29.aspx ]
    * [15] NIST Guide to Enterprise Telework and Remote Access Security [ http://csrc.nist.gov/publications/nistpubs/800-46-rev1/sp800-46r1.pdf ]
    * [16] Installing RD Gateway [ http://technet.microsoft.com/en-us/library/dd983949 ]
    * [17] Networking and Access Technologies [ http://technet.microsoft.com/en-us/network/bb531150 ]
    * [18] Secure RDS Connections with SSL [ http://technet.microsoft.com/en-us/magazine/ff458357.aspx ]

    Revision History

    * July 31, 2014 - Initial Release

    ________________________________________________________________________

    This email was sent to certecho@net396.fidonet.org using GovDelivery, on
    behalf of: United States Computer Emergency Readiness Team (US-CERT)
    245 Murray Lane SW Bldg 410 Washington, DC 20598 (703) 235-5110
    Powered by GovDelivery [ http://www.govdelivery.com/portals/powered-by ]


    -+-
    + Origin: FidoNet<>Internet Gateway -Huntsville AL- USA- (1:396/3)

    =-=-=-=-=-=-=-= .END of Forwarded message =-=-=-=-=-=-=-=

    --
    Guardien Fide :^)

    Ben aka cMech Web: http://cmech.dynip.com
    Email: fido4cmech(at)lusfiber.net
    Home page: http://users.lusfiber.net/~fido4cmech
    WildCat! Board 24/7 +1-337-984-4794 any BAUD 8,N,1

    --- GoldED+/W32-MSVC
    * Origin: FIDONet - The Positronium Repository (1:393/68)
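    The Remote Desktop Access recommendations in the advisory forwarded above
    start with account lockout after a set number of failed logins within a
    period, because brute-forcing exposed remote desktop logins is how the
    Backoff operators got in. The script below is an added example (it is not
    code from the US-CERT advisory or from the forwarded post) that applies
    that same threshold-and-window rule as a detection over exported Windows
    Security log events, so a defender can see the brute force even where
    lockout is not enforced, and can spot a source cycling through many
    accounts below the lockout threshold. The event records are constructed for
    the example, and their field names (time, event_id, account, source_ip,
    logon_type) are an assumed export format rather than a Windows schema;
    event ID 4625 and logon type 10 are the real Windows values for a failed
    logon and a RemoteInteractive (RDP) logon.

```python
"""Flag RDP brute forcing from exported Windows Security log events.

Added example, not from the US-CERT advisory. It applies the advisory's
first Remote Desktop recommendation (lock out after N failed logins in a
window) as a detection rule. The records are constructed; their field names
are an assumed export format, not a Windows schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security event: an account failed to log on
RDP_LOGON_TYPE = 10      # logon type 10 = RemoteInteractive (RDP)

# Constructed sample: one source hammers "administrator" then tries "pos";
# one legitimate user mistypes once; one console failure is not RDP at all.
SAMPLE_EVENTS = [
    {"time": "2014-07-20T02:10:05", "event_id": 4625, "account": "administrator", "source_ip": "203.0.113.77", "logon_type": 10},
    {"time": "2014-07-20T02:10:09", "event_id": 4625, "account": "administrator", "source_ip": "203.0.113.77", "logon_type": 10},
    {"time": "2014-07-20T02:10:14", "event_id": 4625, "account": "Administrator", "source_ip": "203.0.113.77", "logon_type": 10},
    {"time": "2014-07-20T02:10:20", "event_id": 4625, "account": "administrator", "source_ip": "203.0.113.77", "logon_type": 10},
    {"time": "2014-07-20T02:10:27", "event_id": 4625, "account": "administrator", "source_ip": "203.0.113.77", "logon_type": 10},
    {"time": "2014-07-20T02:10:33", "event_id": 4625, "account": "administrator", "source_ip": "203.0.113.77", "logon_type": 10},
    {"time": "2014-07-20T02:11:02", "event_id": 4625, "account": "pos", "source_ip": "203.0.113.77", "logon_type": 10},
    {"time": "2014-07-20T02:11:08", "event_id": 4625, "account": "pos", "source_ip": "203.0.113.77", "logon_type": 10},
    {"time": "2014-07-20T08:45:10", "event_id": 4625, "account": "cashier", "source_ip": "198.51.100.5", "logon_type": 10},
    {"time": "2014-07-20T08:45:21", "event_id": 4624, "account": "cashier", "source_ip": "198.51.100.5", "logon_type": 10},
    {"time": "2014-07-20T09:02:00", "event_id": 4625, "account": "manager", "source_ip": "127.0.0.1", "logon_type": 2},
]


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%S")


def failed_rdp_logons(events):
    """Yield only failed RemoteInteractive logons, oldest first."""
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == FAILED_LOGON and ev["logon_type"] == RDP_LOGON_TYPE:
            yield ev


def detect_bruteforce(events, threshold=5, window_seconds=600):
    """Alert once per (source_ip, account) when `threshold` failed RDP logons
    fall inside a sliding window of `window_seconds`. The deque keeps only the
    timestamps still inside the window, mirroring the observation window of
    the Windows lockout policy the advisory points to. Account names are
    case-folded because Windows treats them case-insensitively."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in failed_rdp_logons(events):
        key = (ev["source_ip"], ev["account"].lower())
        now = _ts(ev)
        q = recent[key]
        q.append(now)
        while now - q[0] > window:       # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"source_ip": key[0], "account": key[1],
                           "first_seen": q[0].isoformat(), "failures": len(q)})
    return alerts


def accounts_tried_per_source(events):
    """Map each source to the distinct accounts it failed against over RDP.
    A source rotating through many accounts, each below the lockout
    threshold, is the spraying pattern that per-account lockout alone misses."""
    seen = defaultdict(set)
    for ev in failed_rdp_logons(events):
        seen[ev["source_ip"]].add(ev["account"].lower())
    return {ip: sorted(accts) for ip, accts in seen.items()}


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print("brute force:", alert)
    for ip, accts in accounts_tried_per_source(SAMPLE_EVENTS).items():
        print(f"{ip} failed against {len(accts)} account(s): {accts}")
```

    Run against a real export, the two functions answer different questions:
    detect_bruteforce reproduces what the lockout policy would have done, and
    accounts_tried_per_source catches the attacker who stays under that
    threshold per account. Tune threshold and window_seconds to match the
    lockout values you actually configured so the detection and the control
    agree.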
  • From Ben Ritchey@1:393/68 to All on Sat Aug 23 23:08:08 2014
    =-=-=-=-=-=-= Original message BEGINs here: =-=-=-=-=-=-=

    Subject: TA14-212A: Backoff Point-of-Sale Malware
    From: US-CERT <US-CERT@ncas.us-cert.gov>



    National Cyber Awareness System:

    TA14-212A: Backoff Point-of-Sale Malware [ https://www.us-cert.gov/ncas/alerts/TA14-212A ] 07/31/2014 07:30 AM EDT
    Original release date: July 31, 2014 | Last revised: August 22, 2014

    Systems Affected

    Point-of-Sale Systems

    Overview

    This advisory was prepared in collaboration with the National
    Cybersecurity and Communications Integration Center (NCCIC), United
    States Secret Service (USSS), Financial Sector Information Sharing and
    Analysis Center (FS-ISAC), and Trustwave Spiderlabs, a trusted partner
    under contract with the USSS. The purpose of this release is to provide
    relevant and actionable technical indicators for network defense against
    the PoS malware dubbed "Backoff" which has been discovered exploiting
    businesses' administrator accounts remotely and exfiltrating consumer
    payment data.

    Over the past year, the Secret Service has responded to network
    intrusions at numerous businesses throughout the United States that have
    been impacted by the “Backoff” malware. Seven PoS system
    providers/vendors have confirmed that they have had multiple clients
    affected. Reporting continues on additional compromised locations,
    involving private sector entities of all sizes, and the Secret Service
    currently estimates that over 1,000 U.S. businesses are affected.

    Recent investigations revealed that malicious actors are using publicly
    available tools to locate businesses that use remote desktop
    applications. Remote desktop solutions like Microsoft's Remote Desktop
    [ http://apps.microsoft.com/windows/en-us/app/remote-desktop/051f560e-5e9b-4dad-8b2e-fa5e0b05a480 ][1],
    Apple Remote Desktop [ https://www.apple.com/remotedesktop/ ][2], Chrome
    Remote Desktop [ https://chrome.google.com/webstore/category/apps?hl=en ][3],
    Splashtop 2 [ http://www.splashtop.com/downloads-all ][4], Pulseway
    [ http://apps.microsoft.com/windows/en-gb/app/pc-monitor/9efc1d1c-6816-48bc-8de7-d4b21a5b3589 ][5]
    and LogMeIn [ https://secure.logmein.com/ ][6] offer the convenience and
    efficiency of connecting to a computer from a remote location. Once these
    applications are located, the suspects attempted to brute force the login
    feature of the remote desktop solution. After gaining access to what was
    often administrator or privileged access accounts, the suspects were then
    able to deploy the point-of-sale (PoS) malware and subsequently
    exfiltrate consumer payment data via an encrypted POST request.

    Organizations that believe they have been impacted should contact their
    local Secret Service field office and may contact the NCCIC for
    additional information.

    Description

    “Backoff” is a family of PoS malware and has been discovered recently.
    The malware family has been witnessed on at least three separate forensic
    investigations. Researchers have identified three primary variants to the
    “Backoff” malware including 1.4, 1.55 (“backoff”, “goo”, “MAY”, “net”),
    and 1.56 (“LAST”).

    These variations have been seen as far back as October 2013 and continue
    to operate as of July 2014. In total, the malware typically consists of
    the following four capabilities. An exception is the earliest witnessed
    variant (1.4) which does not include keylogging functionality.
    Additionally, 1.55 'net' removed the explorer.exe injection component:


    * Scraping memory for track data
    * Logging keystrokes
    * Command & control (C2) communication
    * Injecting malicious stub into explorer.exe

    The malicious stub that is injected into explorer.exe is responsible for
    persistence in the event the malicious executable crashes or is
    forcefully stopped. The malware is responsible for scraping memory from
    running processes on the victim machine and searching for track data.
    Keylogging functionality is also present in most recent variants of
    “Backoff”. Additionally, the malware has a component that is responsible
    for uploading discovered data, updating the malware, downloading/executing
    further malware, and uninstalling the malware.

    *_Variants_*

    Based on compiled timestamps and versioning information witnessed in the
    HTTP POST requests, “Backoff” variants were analyzed over a seven month
    period. The five variants witnessed in the “Backoff” malware family have
    notable modifications, to include:

    *"1.55 “backoff”"*


    * Added Local.dat temporary storage for discovered track data
    * Added keylogging functionality
    * Added “gr” POST parameter to include variant name
    * Added ability to exfiltrate keylog data
    * Supports multiple exfiltration domains
    * Changed install path
    * Changed User-Agent

    *"1.55 “goo”"*


    * Attempts to remove prior version of malware
    * Uses 8.8.8.8 as resolver

    *"1.55 “MAY”"*


    * No significant updates other than changes to the URI and version name


    *"1.55 “net”"*


    * Removed the explorer.exe injection component

    *"1.56 “LAST”"*


    * Re-added the explorer.exe injection component
    * Support for multiple domain/URI/port configurations
    * Modified code responsible for creating exfiltration thread(s)
    * Added persistence techniques

    *_Command & Control Communication_*

    All communication for “Backoff” takes place via HTTP POST requests. A
    number of POST parameters are included when this malware makes a request
    to the C&C server.


    * op : Static value of '1'
    * id : randomly generated 7 character string
    * ui : Victim username/hostname
    * wv : Version of Microsoft Windows
    * gr (Not seen in version 1.4) : Malware-specific identifier
    * bv : Malware version
    * data (optional) : Base64-encoded/RC4-encrypted data

    The 'id' parameter is stored in the following location, to ensure it is
    consistent across requests:


    * HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    If this key doesn't exist, the string will be generated and stored. Data
    is encrypted using RC4 prior to being encoded with Base64. The password
    for RC4 is generated from the 'id' parameter, a static string of
    'jhgtsd7fjmytkr', and the 'ui' parameter. These values are concatenated
    together and then hashed using the MD5 algorithm to form the RC4
    password. For example, with id 'vxeyHkS' and ui 'Josh @ PC123456', the
    RC4 password would be '56E15A1B3CB7116CAB0268AC8A2CD943' (the MD5 hash of
    'vxeyHkSjhgtsd7fjmytkrJosh @ PC123456').

    *_File Indicators:_*

    The following is a list of the Indicators of Compromise (IOCs) that
    network defenders should search for to determine whether these indicators
    are present on their network.

    *"1.4"*

    *Packed MD5:* 927AE15DBF549BD60EDCDEAFB49B829E

    *Unpacked MD5:* 6A0E49C5E332DF3AF78823CA4A655AE8

    *Install Path:* %APPDATA%\AdobeFlashPlayer\mswinsvc.exe

    *Mutexes: *

    uhYtntr56uisGst

    uyhnJmkuTgD

    *Files Written: *

    %APPDATA%\mskrnl

    %APPDATA%\winserv.exe

    %APPDATA%\AdobeFlashPlayer\mswinsvc.exe

    *Static String (POST Request):* zXqW9JdWLM4urgjRkX

    *Registry Keys:*

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    *User-Agent:* Mozilla/4.0

    *URI(s):* /aircanada/dark.php

    *"1.55 “backoff”"*

    *Packed MD5:* F5B4786C28CCF43E569CB21A6122A97E

    *Unpacked MD5:* CA4D58C61D463F35576C58F25916F258

    *Install Path:* %APPDATA%\AdobeFlashPlayer\mswinhost.exe

    *Mutexes: *

    Undsa8301nskal

    uyhnJmkuTgD

    *Files Written: *

    %APPDATA%\mskrnl

    %APPDATA%\winserv.exe

    %APPDATA%\AdobeFlashPlayer\mswinhost.exe

    %APPDATA%\AdobeFlashPlayer\Local.dat

    %APPDATA%\AdobeFlashPlayer\Log.txt

    *Static String (POST Request):* ihasd3jasdhkas

    *Registry Keys:*

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    *User-Agent:* Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

    *URI(s):* /aero2/fly.php

    *"1.55 “goo”"*

    *Packed MD5:* 17E1173F6FC7E920405F8DBDE8C9ECAC

    *Unpacked MD5:* D397D2CC9DE41FB5B5D897D1E665C549

    *Install Path:* %APPDATA%\OracleJava\javaw.exe

    *Mutexes: *

    nUndsa8301nskal

    nuyhnJmkuTgD

    *Files Written: *

    %APPDATA%\nsskrnl

    %APPDATA%\winserv.exe

    %APPDATA%\OracleJava\javaw.exe

    %APPDATA%\OracleJava\Local.dat

    %APPDATA%\OracleJava\Log.txt

    *Static String (POST Request):* jhgtsd7fjmytkr

    *Registry Keys:*

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    *User-Agent:*

    *URI(s):* /windows/updcheck.php

    *"1.55 “MAY”"*

    *Packed MD5:* 21E61EB9F5C1E1226F9D69CBFD1BF61B

    *Unpacked MD5:* CA608E7996DED0E5009DB6CC54E08749

    *Install Path:* %APPDATA%\OracleJava\javaw.exe

    *Mutexes: *

    nUndsa8301nskal

    nuyhnJmkuTgD

    *Files Written: *

    %APPDATA%\nsskrnl

    %APPDATA%\winserv.exe

    %APPDATA%\OracleJava\javaw.exe

    %APPDATA%\OracleJava\Local.dat

    %APPDATA%\OracleJava\Log.txt

    *Static String (POST Request):* jhgtsd7fjmytkr

    *Registry Keys:*

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    *User-Agent:*

    *URI(s):* /windowsxp/updcheck.php

    *"1.55 “net”"*

    *Packed MD5:* 0607CE9793EEA0A42819957528D92B02

    *Unpacked MD5:* 5C1474EA275A05A2668B823D055858D9

    *Install Path:* %APPDATA%\AdobeFlashPlayer\mswinhost.exe

    *Mutexes: *

    nUndsa8301nskal

    *Files Written: *

    %APPDATA%\AdobeFlashPlayer\mswinhost.exe

    %APPDATA%\AdobeFlashPlayer\Local.dat

    %APPDATA%\AdobeFlashPlayer\Log.txt

    *Static String (POST Request):* ihasd3jasdhkas9

    *Registry Keys:*

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    *User-Agent:*

    *URI(s):* /windowsxp/updcheck.php

    *"1.56 “LAST”"*

    *Packed MD5:* 12C9C0BC18FDF98189457A9D112EEBFC

    *Unpacked MD5:* 205947B57D41145B857DE18E43EFB794

    *Install Path:* %APPDATA%\OracleJava\javaw.exe

    *Mutexes: *

    nUndsa8301nskal

    nuyhnJmkuTgD

    *Files Written: *

    %APPDATA%\nsskrnl

    %APPDATA%\winserv.exe

    %APPDATA%\OracleJava\javaw.exe

    %APPDATA%\OracleJava\Local.dat

    %APPDATA%\OracleJava\Log.txt

    *Static String (POST Request):* jhgtsd7fjmytkr

    *Registry Keys:*

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath

    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath

    *User-Agent:* Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

    *URI(s):* /windebug/updcheck.php

    Impact

    The impact of a compromised PoS system can affect both businesses and
    consumers by exposing customer data such as names, mailing addresses,
    credit/debit card numbers, phone numbers, and e-mail addresses to criminal
    elements. These breaches can impact a business' brand and reputation,
    while consumers' information can be used to make fraudulent purchases or
    risk compromise of bank accounts. It is critical to safeguard your
    corporate networks and web servers to prevent any unnecessary exposure to
    compromise or to mitigate any damage that could be occurring now.

    Solution

    At the time this advisory is released, the variants of the “Backoff”
    malware family are largely undetected by anti-virus (AV) vendors.
    However, shortly following the publication of this technical analysis,
    AV companies will quickly begin detecting the existing variants. It's
    important to maintain up-to-date AV signatures and engines as new threats
    such as this are continually being added to your AV solution. Pending AV
    detection of the malware variants, network defenders can apply indicators
    of compromise (IOC) to a variety of prevention and detection
    strategies.[7 [ https://blogs.rsa.com/understanding-indicators-of-compromise-ioc-part-i/ ]],[8 [ http://www.sans.org/reading-room/whitepapers/forensics/ioc-indicators-compromise-malware-forensics-34200 ]],[9 [ http://www.tripwire.com/state-of-security/security-data-protection/indicators-of-compromise-the-key-to-earlier-detection-of-breaches/ ]]
    IOCs can be found above.

    The forensic investigations of compromises of retail IT/payment networks
    indicate that the network compromises allowed the introduction of memory
    scraping malware to the payment terminals. Information security
    professionals recommend a defense in depth approach to mitigating risk to
    retail payment systems. While some of the risk mitigation recommendations
    are general in nature, the following strategies provide an approach to
    minimize the possibility of an attack and mitigate the risk of data
    compromise:

    *_Remote Desktop Access _*


    * Configure the account lockout settings to lock a user account after a
    period of time or a specified number of failed login attempts. This
    prevents unlimited unauthorized attempts to login whether from an
    unauthorized user or via automated attack types like brute
    force.[10 [ http://technet.microsoft.com/en-us/library/cc737614%28v=ws.10%29.aspx ]]
    * Limit the number of users and workstations who can log in using Remote
    Desktop.
    * Use firewalls (both software and hardware where available) to restrict
    access to remote desktop listening ports (default is TCP
    3389).[11 [ https://security.berkeley.edu/node/94 ]]
    * Change the default Remote Desktop listening port.
    * Define complex password parameters. Configuring an expiration time and
    password length and complexity can decrease the amount of time in which
    a successful attack can occur.[12 [ http://technet.microsoft.com/en-us/library/cc780271%28v=ws.10%29.aspx ]]
    * Require two-factor authentication (2FA) for remote desktop
    access.[13 [ http://csrc.nist.gov/publications/nistpubs/800-46-rev1/sp800-46r1.pdf ]]
    * Install a Remote Desktop Gateway to restrict
    access.[14 [ http://technet.microsoft.com/en-us/library/dd983949 ]]
    * Add an extra layer of authentication and encryption by tunneling your
    Remote Desktop through IPSec, SSH or
    SSL.[15 [ http://technet.microsoft.com/en-us/network/bb531150 ]],[16 [ http://technet.microsoft.com/en-us/magazine/ff458357.aspx ]]
    * Require 2FA when accessing payment processing networks. Even if a
    virtual private network is used, it is important that 2FA is implemented
    to help mitigate keylogger or credential dumping attacks.
    * Limit administrative privileges for users and applications.
    * Periodically review systems (local and domain controllers) for unknown
    and dormant users.

    *_Network Security _*


    * Review firewall configurations and ensure that only allowed ports,
    services and Internet protocol (IP) addresses are communicating with your
    network. This is especially critical for outbound (e.g., egress) firewall
    rules in which compromised entities allow ports to communicate to any IP
    address on the Internet. Hackers leverage this configuration to
    exfiltrate data to their IP addresses.
    * Segregate payment processing networks from other networks.
    * Apply access control lists (ACLs) on the router configuration to limit
    unauthorized traffic to payment processing networks.
    * Create strict ACLs segmenting public-facing systems and back-end
    database systems that house payment card data.
    * Implement data leakage prevention/detection tools to detect and help
    prevent data exfiltration.
    * Implement tools to detect anomalous network traffic and anomalous
    behavior by legitimate users (compromised credentials).

    *_Cash Register and PoS Security _*


    * Implement hardware-based point-to-point encryption. It is recommended
    that EMV-enabled PIN entry devices or other credit-only accepting devices
    have Secure Reading and Exchange of Data (SRED) capabilities.
    SRED-approved devices can be found at the Payment Card Industry Security
    Standards website.
    * Install Payment Application Data Security Standard-compliant payment
    applications.
    * Deploy the latest version of an operating system and ensure it is up
    to date with security patches, anti-virus software, file integrity
    monitoring and a host-based intrusion-detection system.
    * Assign a strong password to security solutions to prevent application
    modification. Use two-factor authentication (2FA) where feasible.
    * Perform a binary or checksum comparison to ensure unauthorized files
    are not installed.
    * Ensure any automatic updates from third parties are validated. This
    means performing a checksum comparison on the updates prior to deploying
    them on PoS systems. It is recommended that merchants work with their PoS
    vendors to obtain signatures and hash values to perform this checksum
    validation.
    * Disable unnecessary ports and services, null sessions, default users
    and guests.
    * Enable logging of events and make sure there is a process to monitor
    logs on a daily basis.
    * Implement least privileges and ACLs on users and applications on the
    system.

    References

    * [1] Windows Remote Desktop [ http://apps.microsoft.com/windows/en-us/app/remote-desktop/051f560e-5e9b-4dad-8b2e-fa5e0b05a480 ]
    * [2] Apple Remote Desktop [ https://www.apple.com/remotedesktop/ ]
    * [3] Chrome Remote Desktop [ https://chrome.google.com/webstore/category/apps?hl=en ]
    * [4] Splashtop [ http://www.splashtop.com/downloads-all ]
    * [5] Windows Pulseway [ http://apps.microsoft.com/windows/en-gb/app/pc-monitor/9efc1d1c-6816-48bc-8de7-d4b21a5b3589 ]
    * [6] LogMeIn Official Site [ https://secure.logmein.com/ ]
    * [7] Understanding Indicators of Compromise (IOC) [ https://blogs.rsa.com/understanding-indicators-of-compromise-ioc-part-i/ ]
    * [8] Using Indicators of Compromise in Malware Forensics [ http://www.sans.org/reading-room/whitepapers/forensics/ioc-indicators-compromise-malware-forensics-34200 ]
    * [9] Indicators of Compromise: The Key to Early Detection [ http://www.tripwire.com/state-of-security/security-data-protection/indicators-of-compromise-the-key-to-earlier-detection-of-breaches/ ]
    * [10] Configuring Account Lockout [ http://technet.microsoft.com/en-us/library/cc737614%28v=ws.10%29.aspx ]
    * [11] Securing Remote Desktop for System Administrators [ https://security.berkeley.edu/node/94 ]
    * [12] Account Lockout and Password Concepts [ http://technet.microsoft.com/en-us/library/cc780271%28v=ws.10%29.aspx ]
    * [13] NIST Guide to Enterprise Telework and Remote Access Security [ http://csrc.nist.gov/publications/nistpubs/800-46-rev1/sp800-46r1.pdf ]
    * [14] Installing RD Gateway [ http://technet.microsoft.com/en-us/library/dd983949 ]
    * [15] Networking and Access Technologies [ http://technet.microsoft.com/en-us/network/bb531150 ]
    * [16] Secure RDS Connections with SSL [ http://technet.microsoft.com/en-us/magazine/ff458357.aspx ]

    Revision History

    * July 31, 2014 - Initial Release
    * August 18, 2014 - Minor revision to remote desktop solutions list
    * August 22, 2014 - Changes to the Overview section

    ________________________________________________________________________


    -+-
    + Origin: FidoNet<>Internet Gateway -Huntsville AL- USA- (1:396/3)

    =-=-=-=-=-=-=-= .END of Forwarded message =-=-=-=-=-=-=-=

    --
    Guardien Fide :^)

    Ben aka cMech Web: http://cmech.dynip.com
    Email: fido4cmech(at)lusfiber.net
    Home page: http://users.lusfiber.net/~fido4cmech
    WildCat! Board 24/7 +1-337-984-4794 any BAUD 8,N,1

    --- GoldED+/W32-MSVC
    * Origin: FIDONet - The Positronium Repository (1:393/68)
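    The Command & Control Communication section of the advisory above gives
    a defender everything needed to recognise a Backoff check-in in captured
    traffic and to recover the encrypted data parameter: the check-in URIs and
    User-Agent strings in the IOC tables, the fixed parameter set (op, id, ui,
    wv, gr, bv, data), Base64 over RC4, and an RC4 key equal to the MD5 of id
    + static string + ui. The script below is an added example (not code from
    the US-CERT advisory or from the forwarded post) that puts those facts
    together as a triage pass over raw HTTP POST requests. Two points the
    advisory leaves open are assumptions here: the RC4 key is taken to be the
    hex text of the MD5 digest, since the advisory prints it as a 32-character
    string (both upper and lower case are tried), and the static string is
    selected per variant from the IOC tables by matching the request URI,
    trying each candidate where two variants share a URI. The printable-text
    check used to tell a correct decryption from a wrong key is the example's
    own heuristic. The requests, the C2 address and the track-1-style payload
    are constructed for the example using the 4111... test PAN; no real
    traffic or cardholder data is involved.

```python
"""Triage raw HTTP POSTs for Backoff check-ins and recover the 'data' field.

Added example, not from the US-CERT advisory. Taken from the advisory: the
check-in URIs and per-variant static strings, the parameter set
op/id/ui/wv/gr/bv/data, Base64 over RC4, and RC4 key = MD5(id + static + ui).
Assumptions (not stated by the advisory): the key is the digest's hex text
(upper and lower case both tried), the static string is picked by URI, and a
decryption is accepted when it is printable text. All requests and payloads
below are constructed.
"""
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Check-in URI -> static string(s) from the IOC tables. 1.55 "MAY" and 1.55
# "net" share /windowsxp/updcheck.php, so both static strings are tried there.
STATIC_STRINGS = {
    "/aircanada/dark.php": ["zXqW9JdWLM4urgjRkX"],                     # 1.4
    "/aero2/fly.php": ["ihasd3jasdhkas"],                              # 1.55 backoff
    "/windows/updcheck.php": ["jhgtsd7fjmytkr"],                       # 1.55 goo
    "/windowsxp/updcheck.php": ["jhgtsd7fjmytkr", "ihasd3jasdhkas9"],  # 1.55 MAY / net
    "/windebug/updcheck.php": ["jhgtsd7fjmytkr"],                      # 1.56 LAST
}
REQUIRED_PARAMS = {"op", "id", "ui", "wv", "bv"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key_hex(victim_id: str, static: str, ui: str) -> str:
    """MD5(id || static || ui) as the advisory describes, as upper-case hex."""
    return hashlib.md5((victim_id + static + ui).encode("utf-8")).hexdigest().upper()


def parse_post(raw: str):
    """Split a raw HTTP request into (method, path, headers, form fields)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return method, urlsplit(target).path, headers, fields


def looks_printable(blob: bytes) -> bool:
    """Heuristic for a correct key: RC4 under a wrong key yields random bytes."""
    return bool(blob) and all(32 <= b < 127 or b in b"\r\n\t" for b in blob)


def triage(raw: str):
    """None for a non-Backoff request; else check-in metadata plus, when a
    candidate key decrypts to text, the recovered 'data' payload."""
    method, path, headers, fields = parse_post(raw)
    if method != "POST" or path not in STATIC_STRINGS:
        return None
    if not REQUIRED_PARAMS.issubset(fields) or fields["op"] != "1" or len(fields["id"]) != 7:
        return None
    hit = {"path": path, "version": fields["bv"], "variant": fields.get("gr"),
           "victim": fields["ui"], "user_agent": headers.get("user-agent", ""),
           "static_string": None, "payload": None}
    if "data" in fields:
        blob = base64.b64decode(fields["data"])
        for static in STATIC_STRINGS[path]:
            hexkey = derive_key_hex(fields["id"], static, fields["ui"])
            for key in (hexkey.encode(), hexkey.lower().encode()):
                plain = rc4(key, blob)
                if looks_printable(plain):
                    hit["static_string"], hit["payload"] = static, plain.decode("ascii")
                    return hit
    return hit


def build_sample(path, static, victim_id, ui, payload, version, variant=None):
    """Constructed check-in (the malware side of the exchange) for the demo."""
    params = {"op": "1", "id": victim_id, "ui": ui, "wv": "Windows 7", "bv": version}
    if variant:
        params["gr"] = variant
    key = derive_key_hex(victim_id, static, ui).encode()
    params["data"] = base64.b64encode(rc4(key, payload.encode("ascii"))).decode("ascii")
    body = urlencode(params)
    return ("POST " + path + " HTTP/1.1\r\n"
            "Host: 203.0.113.10\r\n"  # constructed C2 address
            "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n" + body)


# Constructed track-1-style record built on the 4111... test PAN; not real card data.
SAMPLE_TRACK = "%B4111111111111111^DOE/JOHN^25121011234567890?"

if __name__ == "__main__":
    req = build_sample("/windebug/updcheck.php", "jhgtsd7fjmytkr",
                       "vxeyHkS", "Josh @ PC123456", SAMPLE_TRACK, "1.56", "LAST")
    print(triage(req))
```

    The point of deriving the key from the request itself is that an
    investigator with a proxy log or packet capture of the check-ins holds
    every input the malware used (id and ui travel in the clear in the same
    POST), so the exfiltrated track data can be recovered and the scope of a
    breach established without the binary. If a real capture decrypts to
    nothing printable under either case of the digest, the key form is the
    first assumption to revisit.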