The danger of having the data of thousands of credit cards recorded makes Point of Sale (POS) terminals a critical system, as well as an increasingly sought-after target of cybercrime. Attacking these devices anonymously online is relatively straightforward, and selling the data on the black market is profitable.
We’ve recently detected infections at a significant number of bars and restaurants in the United States whose POS terminals were attacked by two variants of credit card theft malware.
The malware samples that we’ll be analyzing are the following:
File name MD5
Epson.exe 69E361AC1C3F7BCCE844DE43310E5259
Wnhelp.exe D4A646841663AAC2C35AAB69BEB9CFB3
Epson.exe presents an invalid certificate:
Both samples were compiled with Microsoft Visual C ++ 8, and are not packaged or encrypted. Once the malware is executed in the system, it proceeds to analyze the different system processes in search of credit cards.
Here we can see how they go through the different processes looking only for those that can contain credit cards in memory:
In the case of the “Epson.exe” sample, it will search for credit cards in the following processes:
| Program name | Description |
| notepad++.exe | Text editor |
| CreditCardService.exe | Microsoft |
| DSICardnetIP_Term.exe | NETePay for Mercury |
| DSIMercuryIP_Dial.exe | NETePay for Mercury |
| EdcSvr.exe | Aloha Electronic Draft Capture (EDC) |
| fpos.exe | Future POS |
| mxSlipStream4 / mxSlipStream5 / mxSlipStream.exe / mxSwipeSVC.exe | SlipStream POS System Transaction Processor by mXpress |
| NisSrv.exe | Windows 8 |
| spcwin.exe/ Spcwin.exe / SPCWIN.exe /SPCWIN.EXE | POSitouch (Food Service Industry POS System) |
On the other hand, the “Wnhelp.exe” sample contains a list that is used to discard the processes to be analyzed. If the process name coincides with any item on the list, it will not be analyzed in the search for credit cards:
| Discarded processes: | |
| explorer.exe | alg.exe |
| chrome.exe | wscntfy.exe |
| firefox.exe | taskmgr.exe |
| iexplore.exe | spoolsv.exe |
| svchost.exe | QML.exe |
| smss.exe | AKW.exe |
| csrss.exe | OneDrive.exe |
| wininit.exe | VsHub.exe |
| steam.exe | Microsoft.VsHub.Server.HttpHost.exe |
| devenv.exe | vcpkgsrv.exe |
| thunderbird.exe | dwm.exe |
| skype.exe | dllhost.exe |
| pidgin.exe | jusched.exe |
| services.exe | jucheck.exe |
| winlogon.exe | lsass.exe |
In both samples, once the process it wishes to analyze is obtained, whether because it was contained on the list – as with Epson.exe – or because it was discarded – as with Wnhelp.exe – it will create a new thread:
And will then proceed to analyze the memory using an algorithm specifically designed to check whether the found data is from credit cards:
The Wnhelp.exe sample is executed by the attackers with the command “install”, in such a way that it creates a service to ensure its persistence in the system:
The service is called “Windows Error Reporting Service Log”.
The sample Epson.exe works in the same way, although attackers can configure the name of the service as they want through parameters:
install [Service name] [Service description] [Third parameter]
Each variant connects to a different command and control (C&C) server:
| Epson.exe | dropalien.com/wp-admin/gate1.php |
| Wnhelp.exe | www.rdvaer.com/ wp-admin/gate1.php |
They can then receive different orders from the attacker:
| Commands | Description |
| update = [URL] | Malware update. |
| dlex = [URL] | Downloads and runs file. |
| chk = [CRC_Checksum] | Updates the file’s checksum. |
To connect the control panel, they use the following UserAgent:
“Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22”
The communication is carried out by an SSL. The malware modifies the internet connection configuration to ignore unknown CAs (Certificate Authorities), thereby ensuring that it will be able to use its own certificate.
First it obtains the internet connection security flags through the InternetQueryOptionA API with the third argument set to the value INTERNET_OPTION_SECURITY_FLAGS (31). Once obtained, it carries out a binary OR with the flag SECURITY_FLAG_IGNORE_UNKNOWN_CA (100h).
Conclusion: How to Confront a POS Attack
Attacks on POS terminals are still very popular, especially in countries like the United States where the use of Chip & PIN is not mandatory. Many of these attacks target businesses that do not have specialized personnel in computer science, much less in security, an oversight that attackers can take advantage of.
POS terminals are computers that handle critical data and therefore must be fortified to the maximum in order to shield customer data from the inherent risks. Solutions such as Adaptive Defense 360 help to ensure that no malicious process is executed in these terminals. There is no need to hire a security specialist, because the solution includes Panda Security’s own technicians, who will be responsible for ensuring that everything all executed processes are safe.
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
8 comments
Am new here, hope to learn more
Welcome to the Panda family, Raphael!
Kind regards,
Panda Security.