The popularity of my last blog post on "how" POS malware functions was honestly a bit of a surprise to me, so I am following it up with another blog post covering the "advanced Target malware" (as I have heard many other "experts" call it) and seeing what information I can pull out of the sample using open source tools. A large portion of my post and research was inspired after reading a very good write-up from Mark Yason,
which you should definitely read if you have not already done so. After reading his post, I wondered how the comparison of the findings of Mark, and others, compared to the results of freely available tools. In other words, if you do not have much malware reverse engineering experience, exactly how much information can you discover if you have a little bit of time and access to free tools?
The first thing that I did was manage to acquire the malware sample itself (md5sum: ce0296e2d77ec3bb112e270fc260f274), which took quite a bit of digging. Once I finally did find it, I uploaded the sample to VirusShare, where you can download for yourself if you have an account (and if you do not have an account, you should definitely request one). Once that was done I took a look at the file using PeStudio (download) from Marc Ochsenmeier to see what information I could pull out of the malware.
Using PeStudio I was able to determine there were several indicators that the file was malicious, the compile time of "Thu Nov 28 18:08:01 2013", some strings of interest, and even the possible original project path of the malware.
|PeStudio initial findings|
|A couple strings of interest, including possible project path|
Brian Baskin's Noriben (background)(download)
- Requires ActiveState Python 220.127.116.11 (download) and Sysinternals Process Monitor (download)
I created some fake Track1 and Track2 data in a text file. Since the Target malware was specifically targeting the executable "pos.exe", I copied notepad.exe from the C:/Windows folder to the desktop and renamed it "pos.exe" and opened my text file of fake card data by dragging it onto "pos.exe" executable. Although the executable functioned exactly the same as notepad, this method made it appear that "pos.exe" was running and contained Track1 and Track2 data in memory. Once that was done, it was time to use Noriben to see what data I could extract from the system. Having already installed Active State Python, it was simply a matter of running Noriben and waiting to see what the Noriben/Process Monitor combination would reveal. I entered the command to kick off Noriben and once the program told me it was ready, I double-clicked on the malware, which I named "kaptoxa.exe". Surprisingly the malware did not delete itself, "hide" itself from the Windows GUI interface, or anything; it remained sitting on the desktop. (My first definitive indication that this piece of malware was by no means "advanced")
After about a minute I saved the fake card data to two files, foo.txt and foo2.txt, in an effort to try to coax more of the data to be loaded into the fake "pos.exe" process, just in case. Once I was satisfied, I exited Noriben and waited for the results. Not surprisingly, Noriben extracted ALL of the information that I was hoping to see. It confirmed all of the findings that I have seen published on the Target malware to date. Every single piece of it, including the exfiltration commands sending the data to another computer, with the "domain/username password" credentials "ttcopscli3acs\Best1_user BackupU$r" (surely I am not the only one that finds the irony in the most complex string, by far, in the domain-username-password combination is the domain name). I was even able to easily find the "winxml.dll" file in the C:\Windows\System32" folder where the malware stored the Base64 encoded Track1 and Track2 data!
|Noriben created processes (note net use, internal IP addresses, paths, domain-username-passwords, and file naming scheme)|
|Noriben file activity|
|Noriben registry activity (note POSWDS\Image Path is the full path to where the malware resides)|
|Noriben network traffic|
|winxml.dll in C:\Windows\System32 (file logging Base64 encoded Track data)|
|Contents of "winxml.dll" file (Base 64 encoded Track data)|