TrendLabs Security Intelligence Blog
Jay Yaneza, Trend Micro Threats Analyst
June 2015

Contents
- Introduction
- Threat Details
  - Attack Methodology
  - MalumPOS Capabilities
  - Use of Regular Expressions
- Stealth Attempts
- Improved Variants
- Solutions and Recommendations
- Indicators

TREND MICRO LEGAL DISCLAIMER

The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise.
Trend Micro reserves the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an “as is” condition.

Figure 1. Installed service of MalumPOS

MalumPOS Capabilities

MalumPOS is written in the Delphi programming language. It can monitor running processes on an affected system and scrape the memory contents of targeted processes.

[1] Oracle Corporation. (2014). Oracle and MICROS Systems. Last accessed on June 05, 2015, http://www.oracle.com/us/corporate/acquisitions/micros/index.html.
- Up to 100 processes can be targeted.
- In the samples we’ve seen, the scraped credit card information is saved in the file named C:\Windows\system32\nvsvc.dll. Like the scraper itself, this is named to appear to be part of NVIDIA drivers. The contents of the file are encrypted.

Figure 2. Main thread of MalumPOS

The configuration file is loaded at the beginning, as can be seen in the screenshot below.

Figure 3. Configuration loading of MalumPOS

Figure 4. Looks for 100 processes at a time

A simple substitution cipher is used to encrypt the contents of the file containing the stolen information.

Figure 5. The encryption function

Figure 6. Example of the scraped data

The configured storage file would then be collected later and deciphered with the use of a look-up table.

Figure 7. Look-up table used to decrypt the scraped data

The encryption attempts to hide the data on the system, as the stolen information requires decryption before an analyst can view it. The memory dumping procedure itself is slightly different from that of other PoS threats. The procedure flows as follows:

a. CreateToolhelp32Snapshot is dynamically imported and the API address is saved for reuse.
b. It searches for all matching processes and saves them into a list.
c. It checks the list one by one and scrapes credit card data into a secondary list; the data is encrypted at the same time.
d. If the secondary list isn’t empty, it writes the data into the configured data storage file (i.e., nvsvc.dll).

Use of Regular Expressions

In order to detect potential credit card information, MalumPOS uses regular expressions (regexes) to search for strings that match credit card numbers and other information relevant to attackers. Magnetic stripe cards store this information in a format defined by ISO/IEC 7813:2006.[2] Two separate magnetic tracks are used, which requires the use of two regexes. The use of regexes to gather information about credit card transactions is a common practice among many PoS malware families.

For Track 1, the regex `((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^(1[1-9])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})` is illustrated below.

Figure 8. Regular expression used for Track 1 data, visualized with http://regexper.com/

It skips the start sentinel (usually “%”) and immediately starts with the format code “B” to indicate a credit/debit card. After that, it matches the primary account number (PAN), then matches the name. The next section (seen in Figure 8 as group #3) is the “expiration date”, which effectively matches only cards that expire between the years 2011 and 2019. The rest of the numbers (service code, discretionary data) are matched normally, and the end sentinel (generally “?”) is skipped.

For Track 2, the regex `([3-9]{1}[0-9]{14,15}[D=](1[1-9])((0[1-9])|(1[0-2]))[0-9]{8,30})` is used. This is illustrated in the diagram below.

Figure 9. Regular expression used for Track 2 data, visualized with http://regexper.com/

It skips the start sentinel (usually “;”) and ensures that the first digit of the credit card number is a value between 3 and 9. This way, MalumPOS selectively looks for Visa (starts with 41), MasterCard (starts with 51), American Express (starts with 30, 34, or 37), Discover cards (starts with 60 or 65), Diner’s Club (starts with 30, 36, or 38), and some JCB cards (starts with 35). The “expiration date” (seen in Figure 9 as group #2) only matches cards that expire between the years 2011 and 2019.

[2] International Organization for Standardization. (2013). Standards Catalogue. “ISO/IEC 7813:2006.” Last accessed on June 05, 2015, …etail_ics.htm?csnumber=43317.
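The two patterns quoted above, seen from the defender’s side: the block below is an added example (not code from this write-up) that runs MalumPOS’s own Track 1 and Track 2 regexes over a constructed text, the way an incident responder or a DLP check might confirm whether a recovered file or memory dump still holds track data in the clear. It masks every PAN it reports and shows the two filters the text describes, the 2011 to 2019 expiration window and the Track 2 first-digit restriction. The sample strings, the `scan_for_track_data` and `mask_pan` helpers and the 4111… test PAN are constructed for this example.

```python
import re

# MalumPOS's Track 1 and Track 2 patterns as quoted in the write-up.
# The second name field is [A-Za-z\s], as the YARA rule's $string3 confirms.
TRACK1_RE = re.compile(
    r"((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^"
    r"(1[1-9])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})"
)
TRACK2_RE = re.compile(
    r"([3-9]{1}[0-9]{14,15}[D=](1[1-9])((0[1-9])|(1[0-2]))[0-9]{8,30})"
)


def mask_pan(pan):
    """Keep the first six and last four digits so a report never carries a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(text):
    """Return (track, masked PAN, expiry YYMM) for every hit of either pattern."""
    findings = []
    for m in TRACK1_RE.finditer(text):
        # group 1 is the whole hit: format code, PAN, '^', name, '^', YYMM, ...
        pan = m.group(1)[1:].split("^", 1)[0]
        findings.append(("track1", mask_pan(pan), m.group(3) + m.group(4)))
    for m in TRACK2_RE.finditer(text):
        # group 1 is the whole hit: PAN, field separator ('=' or 'D'), YYMM, ...
        pan = re.split(r"[D=]", m.group(1), maxsplit=1)[0]
        findings.append(("track2", mask_pan(pan), m.group(2) + m.group(3)))
    return findings


# Constructed sample: the well-known 4111... test PAN and a fictitious name,
# with sentinels as they would appear in a dump. Not real card data.
SAMPLE = (
    "%B4111111111111111^DOE/JOHN^1512101000000000000?\n"  # expires 12/2015: matches
    ";4111111111111111=15121010000000000000?\n"           # track 2, same card: matches
    "%B4111111111111111^DOE/JOHN^2212101000000000000?\n"  # expires 2022: outside 2011-2019, ignored
    ";2111111111111111=15121010000000000000?\n"           # PAN starts with 2: ignored by track 2 pattern
)

if __name__ == "__main__":
    for track, pan, exp in scan_for_track_data(SAMPLE):
        print(f"{track}: PAN {pan} expiry {exp}")
```

Only the first two sample lines are reported; the third is dropped by the `(1[1-9])` year group and the fourth by the `[3-9]` first-digit class, which is exactly the narrowing the text describes. A scanner used for DLP or hunting would normally widen both ranges, since the malware’s restrictions reflect the attacker’s interest in still-valid cards, not what data is sensitive.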
The Track 2 regex then evaluates the service code and discretionary data normally, and the end sentinel (generally “?”) is skipped from matching.

By modifying the ranges used in the definition of the regular expression meant to match credit card data, the threat actors who use MalumPOS effectively validated the expiration dates of the credit cards, as well as targeting specific credit card lines.

[…] white paper on PoS RAM scraper malware.[3]

Figure 10. The regex of Rdasrv is the same as that of MalumPOS

The similarities between MalumPOS and Rdasrv became more apparent upon closer inspection:

1. The main scraper is installed as a service, and installed with an “install” switch.
2. It selectively inspects processes that have been hardcoded (or, in this case, configured) within the binary.
3. It calls OpenProcess to obtain a handle to the specified target process.
4. There is an overlap in the target industry: Rdasrv is seen to target processes of PoS systems within the food services and hospitality industries; MalumPOS targets the hospitality industry.
5. As there is no data exfiltration functionality, the configured data storage file is probably collected by the threat actor with some other piece of malware.

This suggests that MalumPOS and Rdasrv are somehow linked, although this cannot be fully proven. What is clear is that the persons operating MalumPOS had prior information about their target’s environment, as they are able to customize binaries based on the target’s PoS systems, plant them within the target’s environment, and manually collect the stored data.

[3] Numaan Huq. (2014). Trend Micro Security Intelligence. “PoS RAM Scraper Malware: Past, Present, and Future.” Last accessed on June 05, 2015, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf.

Stealth Attempts

MalumPOS uses various techniques to prevent itself from being detected. To some degree, these techniques are not particularly sophisticated and are an attempt to hide in “plain sight.” As mentioned earlier, MalumPOS uses filenames designed to make it look like part of legitimate NVIDIA software. It also uses the following techniques:

1. The files collected have an old time stamp: 1992-06-19 17:22:17. While this attempt would be effective against incident responders who are looking for newer files dropped on the system, it becomes very obvious once the file is analyzed.
2. Some of the APIs are loaded dynamically; imported APIs are resolved via GetProcAddress. This is a visible and perhaps basic attempt to evade static analysis tools.

Figure 11. Dynamically loading APIs

While these two facts were attempts to hide the binaries related to MalumPOS, they can also be used as characteristics to identify and single out files related to this family.

Improved Variants

In analyzing the main PoS scraper, we also encountered two similar files from the same threat actor: one that looked like a test binary (SHA-1: fe713f9bb90b999250c3b6a3bba965d603de32a3), and another with an attempt to act as a client stub in a client-server implementation (SHA-1: d0b3562d868694fd1147e15483f88f3a78ebedfb).
We have included the first file within our detection of TSPY_MALUMPOS.SM, but let’s take a few moments to look into what seems to be a client-server version, of which we were able to analyze the client stub. The client-server version functions very similarly to the main PoS scraper, but it is clear that the threat actor wanted to have a means of remote control.

Solutions and Recommendations

[…] Trend Micro™ Deep Discovery Endpoint Sensor.[4] For more details about PoS malware and how to enhance your security posture, please read “Defending Against PoS RAM Scrapers: Current Strategies and Next-Gen Technologies.”[5]

Indicators

The following indicators are used by the threat actor for the main PoS phase:

| Filename | Hash (SHA-1) | Detection | Targets |
|---|---|---|---|
| mnv.exe | 757ae5eed0c5e229ad9bae586f1281b5de053767 | TSPY_MALUMPOS.SM | Oracle Forms process |
| nvsvc.exe | 2cf2f41d2454b59641a84f8180fd7e32135a0dbc | TSPY_MALUMPOS.SM | MICROS 9700 VISAD Driver; MICROS 9700 SSL GW |
| nvsvc.exe | f720bf7d6dbfc4c7bea21d6a3fd0b88f4fe52a4a | TSPY_MALUMPOS.SM | Oracle Forms process |
| nvsvc.exe | 798bc2d91293c18af7e99ba7c9a4fd3010051741 | TSPY_MALUMPOS.SM | Web-based PoS systems accessed through Microsoft™ Windows® Internet Explorer |
| nvsvc.exe | 90e85b471b64667dbcde3aee3fa504c0d4b0ad35 | TSPY_MALUMPOS.SM | Shift4 Corporation Universal Transaction Gateway; PAR Springer-Miller Systems |

[4] Trend Micro Incorporated. (2014). Trend Micro Security and Risk Management. “Trend Micro Deep Discovery Endpoint Sensor.” Last accessed on June 05, 2015, http://www.trendmicro.com/us/enterprise/security-risk-management/deep-discovery/index.html#endpoint-protection.
[5] Trend Micro Incorporated. (March 11, 2015). Trend Micro Security Intelligence. “Defending Against PoS RAM Scrapers: Current Strategies and Next-Gen Technologies.” Last accessed on June 05, 2015, http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/defending-against-pos-ram-scrapers-strategies-and-technologies.

The YARA rule:

```yara
rule PoS_Malware_MalumPOS : MalumPOS
{
    meta:
        author = "Trend Micro, Inc."
        date = "2015-05-25"
        description = "Used to detect MalumPOS memory dumper"
        sample_filetype = "exe"
    strings:
        $string1 = "SOFTWARE\\Borland\\Delphi\\RTL"
        $string2 = "B)[0-9]{13,19}\\"
        $string3 = "[A-Za-z\\s]{0,30}\\/[A-Za-z\\s]{0,30}\\"
        $string4 = "TRegExpr(exec): ExecNext Without Exec[Pos]"
        $string5 = /Y:\\PROGRAMS\\.{20,300}\.pas/ nocase
    condition:
        all of ($string*)
}
```
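The YARA rule covers the binaries themselves; the traits described under Stealth Attempts and the hashes in the indicator table can also be checked directly on disk during triage. The block below is an added example, not code from this write-up, that combines the three: the NVIDIA-lookalike filenames, the forged 1992-06-19 17:22:17 modification time, and the SHA-1 values listed above. The write-up gives the timestamp without a timezone, so reading it as UTC is an assumption of this example; the trait labels, the `triage_file` helper and the placeholder file that `demo` creates are constructed here as well.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# SHA-1 values from the indicator table and the "Improved Variants" section.
KNOWN_SHA1 = {
    "757ae5eed0c5e229ad9bae586f1281b5de053767": "mnv.exe, TSPY_MALUMPOS.SM",
    "2cf2f41d2454b59641a84f8180fd7e32135a0dbc": "nvsvc.exe, TSPY_MALUMPOS.SM",
    "f720bf7d6dbfc4c7bea21d6a3fd0b88f4fe52a4a": "nvsvc.exe, TSPY_MALUMPOS.SM",
    "798bc2d91293c18af7e99ba7c9a4fd3010051741": "nvsvc.exe, TSPY_MALUMPOS.SM",
    "90e85b471b64667dbcde3aee3fa504c0d4b0ad35": "nvsvc.exe, TSPY_MALUMPOS.SM",
    "fe713f9bb90b999250c3b6a3bba965d603de32a3": "test binary, TSPY_MALUMPOS.SM",
    "d0b3562d868694fd1147e15483f88f3a78ebedfb": "client stub of the client-server variant",
}

# Filenames the write-up lists for the scraper and its storage file.
LOOKALIKE_NAMES = {"mnv.exe", "nvsvc.exe", "nvsvc.dll"}

# The write-up gives the forged timestamp as 1992-06-19 17:22:17 with no
# timezone; reading it as UTC is an assumption of this example.
FORGED_MTIME = datetime(1992, 6, 19, 17, 22, 17, tzinfo=timezone.utc)


def sha1_of_file(path):
    """Hash the file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_file(path):
    """Return the MalumPOS traits observed on one file (empty list if none)."""
    traits = []
    if os.path.basename(path).lower() in LOOKALIKE_NAMES:
        traits.append("nvidia-lookalike-name")
    mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
    if mtime.replace(microsecond=0) == FORGED_MTIME:
        traits.append("forged-1992-timestamp")
    digest = sha1_of_file(path)
    if digest in KNOWN_SHA1:
        traits.append("known-hash:" + KNOWN_SHA1[digest])
    return traits


def demo():
    """Constructed scenario: a harmless placeholder named nvsvc.dll carrying the forged mtime."""
    workdir = tempfile.mkdtemp()
    suspect = os.path.join(workdir, "nvsvc.dll")
    with open(suspect, "wb") as fh:
        fh.write(b"placeholder bytes, not malware")
    ts = FORGED_MTIME.timestamp()
    os.utime(suspect, (ts, ts))  # back-date the file the way the text describes
    benign = os.path.join(workdir, "readme.txt")
    with open(benign, "wb") as fh:
        fh.write(b"nothing to see")
    return triage_file(suspect), triage_file(benign)


if __name__ == "__main__":
    flagged, clean = demo()
    print("nvsvc.dll:", flagged)
    print("readme.txt:", clean)
```

The placeholder is flagged on name and timestamp but not on hash, which is the useful property of combining the checks: a recompiled variant changes its digest, but the forged timestamp and the lookalike filename are what the write-up identifies as the stable characteristics of the family.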
Our innovative solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro™ Smart Protection Network™, and are supported by over 1,200 threat experts around the globe. For more information, visit www.trendmicro.com.

10101 N. De Anza Blvd.
Cupertino, CA 95014
U.S. toll free: 1 +800.228.5651
Phone: 1 +408.257.1500
Fax: 1 +408.257.2003

©2015 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.