The popularity of my last blog post on "how" POS malware functions was honestly a bit of a surprise to me, so I am following it up with another blog post covering the "advanced Target malware" (as I have heard many other "experts" call it) and seeing what information I can pull out of the sample using open source tools. A large portion of my post and research was inspired after reading a very good write-up from Mark Yason,
which you should definitely read if you have not already done so. After reading his post, I wondered how the findings of Mark, and others, compared to the results of freely available tools. In other words, if you do not have much malware reverse engineering experience, exactly how much information can you discover if you have a little bit of time and access to free tools?
The first thing that I did was manage to acquire the malware sample itself (md5sum: ce0296e2d77ec3bb112e270fc260f274), which took quite a bit of digging. Once I finally did find it, I uploaded the sample to VirusShare, where you can download it yourself if you have an account (and if you do not have an account, you should definitely request one). Once that was done I took a look at the file using PeStudio (download) from Marc Ochsenmeier to see what information I could pull out of the malware.
Using PeStudio I was able to determine there were several indicators that the file was malicious, the compile time of "Thu Nov 28 18:08:01 2013", some strings of interest, and even the possible original project path of the malware.
PeStudio initial findings
A couple of strings of interest, including the possible project path
Brian Baskin's Noriben (background, download)
- Requires ActiveState Python 3.3.2.0 (download) and Sysinternals Process Monitor (download)
I created some fake Track1 and Track2 data in a text file. Since the Target malware was specifically targeting the executable "pos.exe", I copied notepad.exe from the C:/Windows folder to the desktop, renamed it "pos.exe", and opened my text file of fake card data by dragging it onto the "pos.exe" executable. Although the executable functioned exactly the same as notepad, this method made it appear that "pos.exe" was running and contained Track1 and Track2 data in memory. Once that was done, it was time to use Noriben to see what data I could extract from the system. Having already installed ActiveState Python, it was simply a matter of running Noriben and waiting to see what the Noriben/Process Monitor combination would reveal. I entered the command to kick off Noriben and once the program told me it was ready, I double-clicked on the malware, which I named "kaptoxa.exe". Surprisingly, the malware did not delete itself, "hide" itself from the Windows GUI interface, or anything; it remained sitting on the desktop. (My first definitive indication that this piece of malware was by no means "advanced".)
After about a minute I saved the fake card data to two files, foo.txt and foo2.txt, in an effort to coax more of the data to be loaded into the fake "pos.exe" process, just in case. Once I was satisfied, I exited Noriben and waited for the results. Not surprisingly, Noriben extracted ALL of the information that I was hoping to see. It confirmed all of the findings that I have seen published on the Target malware to date. Every single piece of it, including the exfiltration commands sending the data to another computer, with the "domain\username password" credentials "ttcopscli3acs\Best1_user BackupU$r" (surely I am not the only one who finds it ironic that the most complex string, by far, in the domain-username-password combination is the domain name). I was even able to easily find the "winxml.dll" file in the "C:\Windows\System32" folder where the malware stored the Base64 encoded Track1 and Track2 data!
Noriben created processes (note net use, internal IP addresses, paths, domain-username-passwords, and file naming scheme)
Noriben file activity
Noriben registry activity (note POSWDS\Image Path is the full path to where the malware resides)
Noriben network traffic
winxml.dll in C:\Windows\System32 (file logging Base64 encoded Track data)
Contents of "winxml.dll" file (Base64 encoded Track data)
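As an added example (not part of the original post or of any of the tools it uses), here is a small Python triage script for the kind of staging file described above. It assumes the winxml.dll log holds one Base64 record per line (the post only says the contents are Base64 encoded Track data), decodes each line, recognizes the Track 1 and Track 2 layouts, Luhn-checks the PAN and reports it masked, so an incident responder can scope what the malware captured without copying card data into the report.

```python
import base64
import re
# Track 1 starts with "%B" (format B), Track 2 with ";" (ISO/IEC 7813); only the PAN,
# name and expiry (YYMM) are captured, the discretionary data is never copied out.
TRACK1_RE = re.compile(r"^%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})")
TRACK2_RE = re.compile(r"^;(\d{13,19})=(\d{2})(\d{2})")

def luhn_ok(pan: str) -> bool:
    """Luhn check: tells real PANs apart from random digit runs in the log."""
    d = [int(c) for c in reversed(pan)]
    total = sum(d[0::2]) + sum(x * 2 - 9 if x * 2 > 9 else x * 2 for x in d[1::2])
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep BIN and last four only, so the triage report itself is not card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def parse_track(record: str):
    """Classify a decoded record as Track 1 or Track 2; None if it is neither."""
    m = TRACK1_RE.match(record)
    if m:
        pan, name, yy, mm = m.groups()
        return {"track": 1, "pan": mask_pan(pan), "luhn": luhn_ok(pan),
                "name": name, "expiry": f"{mm}/{yy}"}
    m = TRACK2_RE.match(record)
    if m:
        pan, yy, mm = m.groups()
        return {"track": 2, "pan": mask_pan(pan), "luhn": luhn_ok(pan),
                "expiry": f"{mm}/{yy}"}
    return None

def triage_winxml(text: str):
    """Decode each Base64 line of the staged log and keep only track records."""
    records = []
    for line in text.splitlines():
        try:
            decoded = base64.b64decode(line.strip(), validate=True).decode("ascii", "replace")
        except ValueError:  # binascii.Error is a ValueError: skip non-Base64 lines
            continue
        if (rec := parse_track(decoded)) is not None:
            records.append(rec)
    return records

# Constructed sample: three lines an analyst might find in winxml.dll, built from
# the Luhn-valid test PAN 4111111111111111, not from real card data.
SAMPLE_LOG = "\n".join(base64.b64encode(s.encode()).decode() for s in [
    "%B4111111111111111^DOE/JOHN^25121011000000000000?",
    ";4111111111111111=25121011234567890?",
    "not track data at all",
])
```

Run `triage_winxml(open(path).read())` against a copy of the staged file taken from the image; records with `luhn` false are usually junk that merely looks like a track and can be dropped from the count.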
Great post and use of tools!
Thanks Lance, I really appreciate it!
Brian, great stuff! Since reading your blog posts, PeStudio has been added to my list of tools. Time to set up my own environment for testing!
Thanks Brad! PeStudio is a great tool, Marc has put a lot of work into it and it is great for on-site triage/information gathering of suspected malware.
Excellent post, my friend! Think I might duplicate your work to see it all for myself first hand. Thanks for providing such excellent detail.
KP
Thanks Ken, by all means go for it! The sample is up on VirusShare, so have at it! Just remember to try to have some fake Track1 & Track2 data present in memory for a process called "pos.exe" :)
For those curious, 239.255.255.250 is in the range of multicast addresses. It's used by SSDP. I should probably hard code a reference to that IP into Noriben. Sometime in the future :)
ReplyDeleteGreat write up, Brian. I'm happy that Noriben was able to give you good results on this.
Thanks Brian, Noriben worked great! You don't have to add it to Noriben (unless you want to ;) of course).
I should have mentioned that in the post. And of course there are plenty of resources out there to help you figure out what the IP address(es) are!
Heck, there is even a Brian Baskin IP to country code script floating around ;) https://github.com/Rurik/ip2cc
Great work, great post, still trying to learn more about these things
Thanks! I tried to lay it out in an easy to follow methodology and link to all the tools (and listed where you can find the malware sample) so if anyone has some time they can replicate the environment and findings for themselves!
Very nice!!