Uploaded by cyphort
Backoff POS Malware - Bringing Criminals To Where The Money Is
More than 1,000 US businesses have been infected with this Trojan program, which is designed specifically to steal credit and debit card data from point-of-sale (POS) systems. This is a deep dive into the malware to help you better protect your customer information.
Backoff POS Malware: Bringing Criminals To Where The Money Is
Your speakers today
Nick Bilogorskiy, Director of Security Research
Shelendra Sharma, Product Marketing Director
Agenda
o Recent Point-of-sale breaches
o BlackPOS recap
o Dissecting FrameworkPOS
o Dissecting Backoff
o Conclusion and Mitigation
o Wrap-up and Q&A
Cyphort Labs T-shirt
Threat Monitoring & Research team
o 24X7 monitoring for malware events
o Assist customers with their Forensics and Incident Response
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
We work with the security ecosystem
o Contribute to and learn from malware KB
o Best of 3rd Party threat data
Recent Breaches
POS malware
o BlackPOS (Target)
o FrameworkPOS (Home Depot)
o Backoff POS bot (UPS Stores)
Recent POS Breaches (timeline): Nov 2013, Apr 2014, Sep 2014
BlackPOS
BlackPOS (Kaptoxa)
o November 2013
o 40 million cards stolen
o $500 Million total exposure to Target (Gartner)
o Cards resold on Rescator forum
How Did The Target Breach Happen?
o Utility contractor’s Target credentials compromised
o Hackers accessed the Target network
o Uploaded malware to a few POS systems
o Tested malware efficacy and uploaded to the majority of POS systems
o Data drop locations across the world
Breach flow (diagram):
o Login from the HVAC contractor
o Target’s POS updater server
o Target’s internal server with fileshare
o Credit card info transfer to internal fileshare
o Card info infiltration using FTP to external drop location
o Point of sale network
o Compromised drop locations
Who wrote BlackPOS/Potato?
o The suspect in the breach is a person called “Rescator” aka “Hel”. He is part of a larger hacker network called “Lampeduza Republic”
o Rescator sold the stolen Target card info in bulk in underground markets at a price of $20-45 per card.
o Brian Krebs named Andrey Hodirevski from Ukraine as Rescator.
Hel
FRAMEWORKPOS
o April – Sep 2014
o 56 Million cards leaked
o Copy-cat attack, imitated BlackPOS.
o Cards resold on Rescator forum
o Likely different actors
FRAMEWORKPOS Anti-American motivation
o The malware contains links to articles and pictures that blame America for the conflicts in Ukraine and the Middle East
BlackPOS Workflow vs FrameworkPOS Workflow
1. Infect System
o Adds to autostart via service
  o POSWDS (Target)
  o McAfee Framework Management Instrumentation (HD)
2. Steal Info
o Use memory scraping to find credit card data
o Output to a file locally
  o winxml.dll (Target)
  o McTrayErrorLogging.dll (HD)
3. Exfiltrate Info
o Periodically scan the raw file for updates
o Upload information to the FTP server
Backoff
o Began in October 2013
o Government found it and warned retailers
o Not targeted
o Protected by run-time packer
o Supports keylogging
o Communicates with a C&C, can update itself.
Backoff Execution (diagram; source: Trustwave). Labels visible in the diagram: nUndsa8301nskal, nsskrnl
Backoff CNC details
Command parsing function
Every 45 seconds Backoff malware connected to total-updates.com (81.4.111.176) and asked what to do:
Backoff Data Exfiltration
o Collects credit cards from memory scraping
o The data is RC4 encrypted and B64 encoded
o Wait at least 45 seconds before sending out
o Filters for VISA, MasterCard, and Discover cards
o Uses the Luhn Algorithm to check the validity of the account number
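The slide describes the two pieces a responder needs to reproduce when triaging a Backoff exfiltration capture: the Luhn/brand filter that decides which digit runs count as card data, and the base64-plus-RC4 wrapping around the payload. The following is an added example (not code from the original deck or from Cyphort) of a DLP-style scanner that base64-decodes a captured blob, RC4-decrypts it with a key the analyst has recovered, and then reports every Luhn-valid PAN of the three filtered brands, masked. The key, the track-like plaintext and the resulting blob are constructed here for the example; the real Backoff key is not on the page and is not assumed.

```python
import base64
import re

# --- Luhn check: the same test the malware applies to discard non-card digit runs ---
def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def card_brand(pan: str):
    """Classify by issuer prefix. Only the three brands named on the slide are
    returned; any other prefix (e.g. Amex) yields None and is filtered out."""
    if pan[0] == "4" and len(pan) in (13, 16, 19):
        return "VISA"
    if len(pan) == 16:
        two, three, four = int(pan[:2]), int(pan[:3]), int(pan[:4])
        if 51 <= two <= 55 or 2221 <= four <= 2720:
            return "MasterCard"
        if four == 6011 or two == 65 or 644 <= three <= 649:
            return "Discover"
    return None

# Digit runs of PAN length that are not part of a longer digit run
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def find_cards(text: str):
    """Return (pan, brand) for every Luhn-valid PAN of a filtered brand."""
    hits = []
    for m in PAN_RE.finditer(text):
        pan = m.group(1)
        brand = card_brand(pan)
        if brand and luhn_valid(pan):
            hits.append((pan, brand))
    return hits

# --- RC4 (KSA + PRGA); the cipher is symmetric, so one routine encrypts and decrypts ---
def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decode_exfil(blob_b64: str, key: bytes) -> str:
    """Undo the slide's wrapping: base64-decode, then RC4-decrypt."""
    return rc4(key, base64.b64decode(blob_b64)).decode("latin-1")

# Constructed sample (NOT real Backoff data; placeholder key, test card numbers)
SAMPLE_KEY = b"placeholder-key"
SAMPLE_PLAINTEXT = (
    "B4111111111111111^TEST/CARD^2512101\n"   # Visa, Luhn-valid -> reported
    "B5555555555554444^TEST/CARD^2512101\n"   # MasterCard, Luhn-valid -> reported
    "B6011111111111117^TEST/CARD^2512101\n"   # Discover, Luhn-valid -> reported
    "B378282246310005^TEST/CARD^2512101\n"    # Amex: Luhn-valid but brand not filtered
    "B4111111111111112^TEST/CARD^2512101\n"   # Visa prefix but fails Luhn
)
SAMPLE_BLOB = base64.b64encode(rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT.encode("latin-1"))).decode()

def analyse_sample():
    """Decode the constructed blob and return the card hits it contains."""
    return find_cards(decode_exfil(SAMPLE_BLOB, SAMPLE_KEY))

if __name__ == "__main__":
    for pan, brand in analyse_sample():
        print(brand, pan[:6] + "*" * (len(pan) - 10) + pan[-4:])
```

Only three of the five digit runs in the sample survive: the Amex number is dropped by the brand filter and the last Visa-looking number by the Luhn check, which is exactly the selection the slide attributes to the malware and therefore the set of accounts a responder should expect to have been taken.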
Manual imprinting
Chip-based smart credit cards: EMV
NFC – Apple Pay
What we learned
o Most likely each malware is made by different actors.
o Backoff is a large scale bot, with a POS scraping feature.
o FrameWorkPOS and BlackPOS were custom, targeted at dedicated victims.
o Criminals will always be where the money is at.
Mitigation tactics
o Proper risk assessment of company assets
o Well planned network separation
o Accurate threat level prioritization
o Minimalistic endpoints
o Checking for unfamiliar network callbacks
o Upgrade and patch
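"Checking for unfamiliar network callbacks" is the mitigation that most directly catches the behaviour on the Backoff CNC slide: a host calling total-updates.com every 45 seconds. The following is an added example (not code from the original deck or from Cyphort) that scans proxy-style log lines, groups connections by source host and destination, and flags pairs whose inter-connection gaps are nearly constant, the fixed-interval signature of a beacon; destinations that match the two indicators on the slide are additionally marked as known. The log lines are constructed for the example; the field layout (timestamp, source IP, destination host) is an assumption about the proxy format.

```python
import statistics
from datetime import datetime

# Indicators taken from the slide: the C&C hostname and its IP
KNOWN_C2 = {"total-updates.com", "81.4.111.176"}

# Constructed proxy log (not from any real capture): "<ISO timestamp> <src IP> <dst host>"
SAMPLE_LOG = """\
2014-08-01T10:00:00 10.1.5.21 total-updates.com
2014-08-01T10:00:12 10.1.5.22 www.example.com
2014-08-01T10:00:45 10.1.5.21 total-updates.com
2014-08-01T10:01:03 10.1.5.22 cdn.example.com
2014-08-01T10:01:31 10.1.5.21 total-updates.com
2014-08-01T10:02:15 10.1.5.21 total-updates.com
2014-08-01T10:02:59 10.1.5.22 www.example.com
2014-08-01T10:03:00 10.1.5.21 total-updates.com
2014-08-01T10:03:46 10.1.5.21 total-updates.com
2014-08-01T10:05:10 10.1.5.22 www.example.com
"""

def parse_log(text: str):
    """Group connection timestamps by (source, destination)."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events.setdefault((src, dst), []).append(datetime.fromisoformat(ts))
    return events

def find_beacons(events, min_hits=5, max_jitter=0.2):
    """Flag (src, dst) pairs whose connection gaps stay within max_jitter of the
    median gap. A human browsing a site produces irregular gaps; a timer loop
    such as Backoff's 45-second poll produces nearly identical ones."""
    findings = []
    for (src, dst), times in events.items():
        if len(times) < min_hits:            # too few samples to call it periodic
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        jitter = max(abs(g - period) for g in gaps) / period
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "period_s": period,
                "hits": len(times),
                "known_ioc": dst in KNOWN_C2,
            })
    return findings

def scan_sample():
    return find_beacons(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for f in scan_sample():
        tag = "KNOWN C&C" if f["known_ioc"] else "unfamiliar callback"
        print(f"{f['src']} -> {f['dst']}: every {f['period_s']:.0f}s x{f['hits']} ({tag})")
```

The indicator match is the cheap part and only works while the C&C name is current; the periodicity test is what generalises to a Backoff variant pointed at a host nobody has listed yet, which is why the slide's advice is phrased as "unfamiliar" callbacks rather than a blocklist. Tune `min_hits` upward on busy proxies and lower `max_jitter` if the environment's NTP-synchronised clients produce tighter gaps.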
Q and A
o Information sharing and advanced threats resources
o Blogs on latest threats and findings
o Tools for identifying malware
Thank You!