Malware's Most Wanted (MMW): Backoff POS Malware


Uploaded by: cyphort

Posted on 28-Nov-2014


Category: Technology



DESCRIPTION

Backoff POS Malware - Bringing Criminals To Where The Money Is. More than 1,000 US businesses have been infected by this Trojan program, which is designed specifically to steal credit and debit card data from point-of-sale (POS) systems. This is a deep dive into the malware to help you better protect your customers' card information.

TRANSCRIPT

Page 1: Malware's Most Wanted (MMW): Backoff POS Malware
Page 2: Backoff POS Malware: Bringing Criminals To Where The Money Is

Page 3: Your speakers today

Nick Bilogorskiy, Director of Security Research

Shelendra Sharma, Product Marketing Director

Page 4: Agenda

o Recent Point-of-sale breaches
o BlackPOS recap
o Dissecting FrameworkPOS
o Dissecting Backoff
o Conclusion and Mitigation
o Wrap-up and Q&A

Cyphort Labs T-shirt

Page 5: Threat Monitoring & Research team

o 24x7 monitoring for malware events
o Assist customers with their Forensics and Incident Response

We enhance malware detection accuracy

o False positives/negatives
o Deep-dive research

We work with the security ecosystem

o Contribute to and learn from malware KB
o Best of 3rd Party threat data

Page 6: Recent Breaches: POS malware

Page 7: Recent POS Breaches

o Nov 2013: BlackPOS (Target)
o Apr 2014: FrameworkPOS (Home Depot)
o Sep 2014: Backoff POS bot (UPS Stores)

Page 8: BlackPOS

Page 9: BlackPOS (Kaptoxa)

o November 2013
o 40 million cards stolen
o $500 Million total exposure to Target (Gartner)
o Cards resold on Rescator forum

Page 10: How Did The Target Breach Happen?

o Utility contractor’s Target credentials compromised
o Hackers accessed the Target network
o Uploaded malware to a few POS systems
o Tested malware efficacy and uploaded to the majority of POS systems
o Data drop locations across the world

Diagram: login from the HVAC contractor -> Target’s POS updater server -> point of sale network -> credit card info transferred to Target’s internal server with fileshare -> card info exfiltrated using FTP to external, compromised drop locations

Page 11: Who wrote BlackPOS/Potato?

o The suspect in the breach is a person called “Rescator” aka “Hel”. He is part of a larger hacker network called “Lampeduza Republic”.
o Rescator sold the stolen Target card info in bulk in underground markets at a price of $20-45 per card.
o Brian Krebs named Andrey Hodirevski from Ukraine as Rescator.

Page 12: FRAMEWORKPOS

Page 13: FRAMEWORKPOS

o April – Sep 2014
o 56 Million cards leaked
o Copy-cat attack, imitated BlackPOS.
o Cards resold on Rescator forum
o Likely different actors

Page 14: FRAMEWORKPOS Anti-American motivation

o The malware contains links to articles and pictures that blame America for the conflicts in Ukraine and the Middle East

Page 15: BlackPOS Workflow vs FrameworkPOS Workflow

1. Infect System
o Adds to autostart via service
o POSWDS (Target)
o McAfee Framework Management Instrumentation (HD, i.e. Home Depot)

2. Steal Info
o Use memory scraping to find credit card data
o Output to a file locally
o winxml.dll (Target)
o McTrayErrorLogging.dll (HD)

3. Exfiltrate Info
o Periodically scan the raw file for updates
o Upload information to the FTP server

Page 16: Backoff

Page 17: Backoff

Page 18: Backoff

o Began in October 2013
o Government found it and warned retailers
o Not targeted
o Protected by run-time packer
o Supports keylogging
o Communicates to a C&C, can update itself.

Page 19: Backoff Execution

Execution diagram (source: Trustwave); labels visible in the diagram: nUndsa8301nskal, nsskrnl

Page 20: Backoff CNC details

Command parsing function (diagram)

Every 45 seconds Backoff malware connected to total-updates.com (81.4.111.176) and asked what to do.

Page 21: Backoff Data Exfiltration

o Collects credit cards from memory scraping
o The data is RC4 encrypted and B64 encoded
o Wait at least 45 seconds before sending out
o Filters for VISA, MasterCard, and Discover cards
o Uses the Luhn Algorithm to check the validity of the account number
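The harvesting pipeline this slide describes (memory scraping, then the Luhn check, the brand filter, and RC4-plus-base64 packaging), written out as an added Python example; it is not Cyphort's code and not Backoff's. It scans a constructed byte buffer standing in for a POS process's memory (the card numbers are the public test numbers of each brand), and the RC4 key and the record layout are assumptions, since the deck does not give Backoff's key or format. The scraping step is the same one the BlackPOS/FrameworkPOS workflow slide calls "use memory scraping to find credit card data".

```python
import base64
import re

# Track 2 layout as it sits in POS process memory: optional ';' start sentinel,
# PAN, '=' separator, expiry YYMM, 3-digit service code, discretionary data,
# '?' end sentinel.  (?<!\d) stops a longer digit run from being mis-split.
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{4})(\d{3})\d*\?")

# Constructed sample "memory": filler plus five Track 2 records.  Card numbers
# are the public test numbers of each brand, not real accounts.
SAMPLE_MEMORY = (
    b"\x00\x00settings.ini\x00"
    b";4111111111111111=25121011234567890?\x00"   # VISA, Luhn-valid
    b";378282246310005=2512101987654?\x00"         # AmEx: valid, but not in Backoff's brand filter
    b";4111111111111112=25121011234567890?\x00"   # VISA-looking, fails Luhn
    b"\xff\xfeAAAAAAAAAAAAAAAA"
    b";5555555555554444=2512101000000?\x00"       # MasterCard
    b";6011111111111117=25121010000000?\x00"      # Discover
    b"\x00trailing"
)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def issuer(pan: str):
    """Brand filter matching the slide: VISA, MasterCard and Discover only."""
    if pan[0] == "4" and len(pan) in (13, 16, 19):
        return "VISA"
    if pan[:2] in ("51", "52", "53", "54", "55") and len(pan) == 16:
        return "MasterCard"
    if (pan.startswith("6011") or pan.startswith("65")) and len(pan) == 16:
        return "Discover"
    return None


def scrape(memory: bytes):
    """Return the Track 2 records that pass both the brand filter and the Luhn check."""
    found = []
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1).decode()
        brand = issuer(pan)
        if brand and luhn_ok(pan):
            found.append({"pan": pan, "exp": m.group(2).decode(), "brand": brand})
    return found


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Hypothetical key and record layout; the deck gives neither for Backoff.
DEMO_KEY = b"demo-rc4-key"


def package(records, key: bytes = DEMO_KEY) -> str:
    """RC4-encrypt, then base64-encode, the harvested records, as the slide describes."""
    plain = "\n".join(f"{r['brand']}|{r['pan']}|{r['exp']}" for r in records).encode()
    return base64.b64encode(rc4(key, plain)).decode()


def unpack(blob: str, key: bytes = DEMO_KEY) -> str:
    """Reverse of package(): what an analyst with the key does to a captured beacon body."""
    return rc4(key, base64.b64decode(blob)).decode()


if __name__ == "__main__":
    recs = scrape(SAMPLE_MEMORY)
    for r in recs:
        print(r)
    blob = package(recs)
    print(blob)
    print(unpack(blob))
```

Run stand-alone it prints the three surviving records, the base64 beacon body, and the decoded text. The two filters are what make a scraper's output clean enough to sell: the AmEx record is dropped by the brand filter and the second VISA-looking number by its bad check digit. The same regex and Luhn check run over a memory dump of the card-handling process on a POS lane is also the quickest way for a defender to confirm whether cleartext track data is reachable at all.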

Page 22: Manual imprinting

Page 23: Chip-based smart credit cards: EMV

Page 24: NFC – Apple Pay

Page 25: What we learned

o Most likely each malware is made by different actors.
o Backoff is a large scale bot, with a POS scraping feature.
o FrameworkPOS and BlackPOS were custom, targeted at dedicated victims.
o Criminals will always be where the money is.

Page 26: Mitigation tactics

o Proper risk assessment of company assets
o Well planned network separation
o Accurate threat level prioritization
o Minimalistic endpoints
o Checking for unfamiliar network callbacks
o Upgrade and patch
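One way to put "checking for unfamiliar network callbacks" into practice against the behaviour on the CNC slide (a connection to total-updates.com every 45 seconds): an added Python example, not from the deck, that groups proxy log lines by source and destination and flags pairs whose gaps between connections have almost no jitter. The log lines, the host names other than total-updates.com, the allowlist and the thresholds are all constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real traffic): ISO timestamp, source host, destination host.
# pos-lane-07 beacons to total-updates.com roughly every 45 s in between legitimate
# update checks; back-office-02 browses www.example.com at irregular times.
SAMPLE_LOG = """\
2014-09-01T10:00:00 pos-lane-07 total-updates.com
2014-09-01T10:00:12 pos-lane-07 posupdater.corp.example
2014-09-01T10:00:45 pos-lane-07 total-updates.com
2014-09-01T10:01:31 pos-lane-07 total-updates.com
2014-09-01T10:02:03 back-office-02 www.example.com
2014-09-01T10:02:15 pos-lane-07 total-updates.com
2014-09-01T10:03:00 pos-lane-07 total-updates.com
2014-09-01T10:03:46 pos-lane-07 total-updates.com
2014-09-01T10:05:10 back-office-02 www.example.com
2014-09-01T10:05:11 back-office-02 www.example.com
2014-09-01T10:07:40 pos-lane-07 posupdater.corp.example
2014-09-01T10:20:00 back-office-02 www.example.com
2014-09-01T10:31:05 pos-lane-07 posupdater.corp.example
"""

# Hypothetical allowlist: the only destinations a POS lane is expected to reach.
ALLOWED_DESTINATIONS = {"posupdater.corp.example"}


def parse_log(text):
    """Yield (timestamp, src, dst) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2]


def find_beacons(text, min_hits=4, max_jitter=0.1, allowed=ALLOWED_DESTINATIONS):
    """Flag (src, dst) pairs that connect at a near-constant interval.

    max_jitter bounds the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections: a bot on a fixed timer scores close to 0,
    human or event-driven traffic scores well above 0.1.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if dst in allowed or len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        jitter = statistics.stdev(gaps) / mean
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "hits": len(stamps),
                             "interval": mean, "jitter": jitter})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} hits, "
              f"every {f['interval']:.1f} s (jitter {f['jitter']:.3f})")
```

On the sample log only pos-lane-07 -> total-updates.com is reported (six hits, about 45 s apart); back-office-02's browsing has gaps of 1 s to 15 min and is ignored, and the update server is allowlisted. The allowlist is where the "well planned network separation" bullet pays off: if the POS segment is only allowed to reach a handful of internal hosts, any destination outside that set is already worth a look, and the interval check just ranks the candidates.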

Page 27: Q and A

o Information sharing and advanced threats resources

o Blogs on latest threats and findings

o Tools for identifying malware

Page 28: Thank You!