MalumPOS: History and Characteristics

TrendLabs Security Intelligence Blog
Jay Yaneza, Trend Micro Threats Analyst
June 2015

TREND MICRO LEGAL DISCLAIMER

The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.

Trend Micro Technical Brief | MalumPOS: History and Characteristics

The targeted processes, as well as the location of the saved information, are set via a downloaded configuration file:

- Up to 100 processes can be targeted.
- In the samples we've seen, the scraped credit card information is saved in the file named C:\Windows\system32\nvsvc.dll. Like the scraper itself, this is named to appear to be part of NVIDIA drivers. The contents of the file are encrypted.
[Figure 2. Main thread of MalumPOS. The decompiled service routine duplicates its thread handle, creates the service event with CreateEventA(), reports the service as running (UpdateServiceStatus(4)) and calls InitService() to load the configuration. It then loops for as long as WaitForSingleObject() on the service event times out (0x1388, i.e. 5000 ms, with return value 258), each iteration starting a thread that runs MemoryScrapper() and waiting for it to finish. On exit it calls ReleaseTStringList(), closes its handles and reports the service as stopped (UpdateServiceStatus(1)).]

The configuration file is loaded at the beginning, as can be seen in the screenshot below.

[Figure 3. Configuration loading of MalumPOS. Disassembly referencing the strings "nvsvc.dll" and "TMHPLOGS".]

The scraper then goes through up to 100 running processes to look for data that can be scraped.

[Figure 4. Looks for 100 processes at a time. The decompiled loop walks the process list with Process32First(), lowercases each process name and each of the configured target names (dwCount = 100, commented "Maximum Number is 100"), compares them with StrCmp(), and on a match calls OpenProcess(0x1F0FFF, 0, dwProcessId), i.e. with PROCESS_ALL_ACCESS.]

A simple substitution cipher is used to encrypt the contents of the file containing the stolen information.
[Figure 5. The encryption function. EncryptFunction() walks the buffer from its first byte to its last and replaces each byte with lookupTable[byte].]

[Figure 6. Example of the scraped data. The output of "type c:\windows\system32\nvsvc.dll" is unreadable because of the substitution.]

The configured storage file would then be later collected and deciphered with the use of a look-up table.

The regular expressions below, fragments of which also appear in the YARA rule at the end of this brief, follow the Track 1 and Track 2 formats of ISO/IEC 7813 (http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=43317):

    ((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^(1[1-9])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})
    ([3-9]{1}[0-9]{14,15}[D=](1[1-9])((0[1-9])|(1[0-2]))[0-9]{8,30})

See also the Trend Micro white paper on PoS RAM scraper malware: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf

[Figure 11. Dynamically loading APIs. GetMemoryDumpAPI() obtains a handle to kernel32.dll with GetModuleHandleA() and resolves the Tool Help functions at run time with GetProcAddress(): CreateToolhelp32Snapshot, Heap32ListFirst, Heap32ListNext, Heap32First, Heap32Next, Toolhelp32ReadProcessMemory, and the Process32/Thread32/Module32 enumeration functions (First/Next, ANSI and wide variants). It returns true only if both the module handle and the CreateToolhelp32Snapshot pointer were obtained.]
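The following is an added example, not code from the Trend Micro brief: it shows what an incident responder does with a recovered copy of the storage file and the look-up table pulled from the binary, namely invert the byte substitution described at Figure 5 and label each decoded record with the two track regexes quoted above. The table, the test PAN and the record layout are constructed assumptions; the real sample's table is not reproduced on the page.

```python
import re

# Added example (not code from the Trend Micro brief): decode a recovered copy of the
# scraper's storage file with the inverse of its look-up table, then label each record
# with the two track regexes quoted in the brief. TABLE is a constructed permutation.

def _rot_swap(b: int) -> int:
    x = (b + 0x5A) & 0xFF                 # byte rotation, then nibble swap
    return ((x >> 4) | (x << 4)) & 0xFF

TABLE = bytes(_rot_swap(b) for b in range(256))

def build_inverse(table: bytes) -> bytes:
    """Invert the table; decoding only works if it is a permutation of 0..255."""
    if len(table) != 256 or len(set(table)) != 256:
        raise ValueError("substitution table is not a 256-byte permutation")
    inverse = bytearray(256)
    for plain, cipher in enumerate(table):
        inverse[cipher] = plain
    return bytes(inverse)

def substitute(data: bytes, table: bytes) -> bytes:
    # Mirrors Figure 5: each byte becomes table[byte]; run with build_inverse(TABLE) to decode.
    return bytes(table[b] for b in data)

# The brief's regexes with two extraction errors fixed (stray ')' and the split
# "[A-Za- z\s]" class). The first matches Track 1 data, the second Track 2.
TRACK1 = re.compile(r"(b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^"
                    r"(1[1-9])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1}")
TRACK2 = re.compile(r"[3-9]{1}[0-9]{14,15}[D=](1[1-9])((0[1-9])|(1[0-2]))[0-9]{8,30}")

def classify_records(plaintext: bytes) -> list:
    """Label each newline-separated record as track1, track2 or none."""
    out = []
    for rec in plaintext.decode("latin-1").splitlines():
        m1, m2 = TRACK1.search(rec), TRACK2.search(rec)
        if m1:
            out.append(("track1", m1.group(0)))
        elif m2:
            out.append(("track2", m2.group(0)))
        else:
            out.append(("none", rec))
    return out

def decode_storage_file(blob: bytes, table: bytes = TABLE) -> list:
    """Recovered storage-file bytes plus the table from the binary -> labelled records."""
    return classify_records(substitute(blob, build_inverse(table)))

# Constructed records using the 4111... test PAN; nothing here is real card data.
SAMPLE = (b"B4111111111111111^DOE/JOHN^1812101123456789\n"
          b"4111111111111111=1812101123456789\n"
          b"not card data\n")
```

Calling `decode_storage_file(substitute(SAMPLE, TABLE))` round-trips the constructed file and labels the three records as Track 1, Track 2 and non-card data.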
While these two facts were attempts to hide the binaries related to MalumPOS, they can also be used as characteristics to identify and single out files related to this family.

Improved Variants

In analyzing the main PoS scraper, we also encountered two similar files from the same threat actor: one that looked like a test binary (SHA1: fe713f9bb90b999250c3b6a3bba965d603de32a3), and another that appears to act as a client stub in a client-server implementation (SHA1: d0b3562d868694fd1147e15483f88f3a78ebedfb). We have included the first file within our detection of TSPY_MALUMPOS.SM, but let's take a few moments to look into what seems to be a client-server version, of which we were able to analyze the client stub. The client-server version functions very similarly to the main PoS scraper, but it is clear that the threat actor wanted to have a means of remote control.

[Figure 12. Client-server version of MalumPOS. Disassembly referencing the strings "log.ini", "Error" and "PARAMS".]
The settings of the client-server version require a file called "log.ini" for it to function. This file would contain the following settings:

    [PARAMS]
    Name=AAAAA
    InterfacesIP=11.11.1.1.1
    Port=80

Notes:
- Name: identifies the affected endpoint
- InterfacesIP: IP address of the server
- Port: TCP port number the server would be listening on

The file "log.ini" would be further populated with the processes it has already evaluated, and then it would send similar information to the configured IP and port. While we are currently not sure if the aforementioned client stub TSPY_MALUMPOS.A is actively being widely used, it is already functional in its current state. If it were used, the whole infection chain would be complete with a data exfiltration phase, as the information would be sent back to the configured IP address.

See also: Defending Against PoS RAM Scrapers: Current Strategies and Next-Gen Technologies, http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/defending-against-pos-ram-scrapers-strategies-and-technologies

On the other hand, these indicators are part of a seemingly "test" phase for the threat actor:

    Filename   | SHA1                                     | Detection        | Notes
    rdp.exe    | fe713f9bb90b999250c3b6a3bba965d603de32a3 | TSPY_MALUMPOS.SM | Looks like a test
    winini.exe | d0b3562d868694fd1147e15483f88f3a78ebedfb | TSPY_MALUMPOS.A  | Client stub

The YARA rule:

    rule PoS_Malware_MalumPOS : MalumPOS
    {
        meta:
            author = "Trend Micro, Inc."
            date = "2015-05-25"
            description = "Used to detect MalumPOS memory dumper"
            sample_filetype = "exe"
        strings:
            $string1 = "SOFTWARE\\Borland\\Delphi\\RTL"
            $string2 = "B)[0-9]{13,19}\\"
            $string3 = "[A-Za-z\\s]{0,30}\\/[A-Za-z\\s]{0,30}\\"
            $string4 = "TRegExpr(exec): ExecNext Without Exec[Pos]"
            $string5 = /Y:\\PROGRAMS\\.{20,300}\.pas/ nocase
        condition:
            all of ($string*)
    }

©2015 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.