Low-cost point of sales (PoS) hacking

Hacking point-of-sale (PoS) systems is a very trendy topic. A lot of PoS malware can be found in the wild (jackPOS, gamaPOS, Backoff, FighterPOS…). At every big breach of PoS systems, the media talk about sophisticated attacks involving high skills and great tools. But sometimes it can be very easy to compromise a PoS, and no particular skills are required to steal sensitive information such as credit card numbers.
During our investigation, we caught a very interesting case of “low-cost” PoS hacking. This article tries to unveil the inner workings of the infection process.

Everything started with a Win32.Ardamax sample found in the wild. Ardamax is a classic sample: a commercial keylogger available on the Internet.
After reversing this sample, it appeared that the malware uploads data to an FTP server hosted in Germany at server4you. This FTP server can easily be accessed (the login and password are embedded in the sample) and contains the victims’ uploaded data.
This FTP server appears to have been in use since the 9th of October 2014. The server is full of samples, tools and exfiltrated data.
We cannot publish the original sample, because Server4you has not shut down the server yet.
Exfiltration server
This repository contains the original Win32.Ardamax sample, other malware (DarkComet, Andromeda, Gorynych…), some memory scrapers used to retrieve credit card numbers, and scan results from website crawlers.
On the same repository, we can find screenshots, microphone recordings, webcam pictures and keystroke recordings for every single infected computer.
Keylog result
The crooks have access to about fifteen point-of-sale computers as well as to some SCADA systems.

[Screenshots: Belgium SCADA; Cinema PoS; PoS (six screenshots); Brazilian gas pump]

We spent a lot of time contacting CERTs and companies to get the computers cleaned, but day after day, data from newly infected point-of-sale systems kept being uploaded to the FTP repository.
How were the crooks able to continuously find new targets to infect?
Amongst the uploaded data, some screenshots caught our attention: somebody was using a VNC brute-force tool against a large range of IP addresses.


The tool used by the crooks can be retrieved from an archive uploaded to the VirusTotal website:
https://www.virustotal.com/fr/file/b6c3445386f053c1cca711c8389ac8b12d05aad46bbfec02d721428442cd2ed5/analysis/1442602500/
It seems they are using infected computers to brute force VNC servers protected by weak passwords. When a new VNC connection is established, a new payload is downloaded through a regular browser and installed on the newly infected machine. No exploit or sophisticated technique is employed.
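The detection a defender would want for the VNC password guessing described above, as an added example that is not part of the original article: it walks VNC authentication log lines, flags any source that accumulates many failed logins in a short window, and flags separately a success that follows such a burst (the moment a host joins the campaign). The log format and the sample lines are constructed for the example; the regex has to be adapted to the real VNC server's log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not that of any real VNC server):
#   "<YYYY-MM-DD> <HH:MM:SS> vnc[pid]: auth FAIL|OK from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) vnc\[\d+\]: "
    r"auth (?P<result>FAIL|OK) from (?P<src>[\d.]+)$"
)

def analyse(lines, threshold=20, window=timedelta(minutes=5)):
    """Return (brute_force_sources, compromised_sources).

    A source is brute forcing once it reaches `threshold` failed logins inside
    `window`; it has compromised the host if a success follows such a burst."""
    failures = defaultdict(deque)   # src -> failure timestamps still in window
    brute, compromised = set(), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                 # unrelated log line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = failures[m["src"]]
        while q and ts - q[0] > window:
            q.popleft()              # expire failures older than the window
        if m["result"] == "FAIL":
            q.append(ts)
            if len(q) >= threshold:
                brute.add(m["src"])
        elif len(q) >= threshold:    # success right after a burst of failures
            compromised.add(m["src"])
    return brute, compromised

def make_log():
    """Constructed sample: one guessing source that eventually gets in, and
    one operator who mistypes the password twice before logging in."""
    base = datetime(2014, 10, 9, 2, 0, 0)
    def entry(delta, result, src):
        return f"{base + delta:%Y-%m-%d %H:%M:%S} vnc[412]: auth {result} from {src}"
    lines = [entry(timedelta(seconds=5 * i), "FAIL", "203.0.113.7") for i in range(25)]
    lines.append(entry(timedelta(seconds=130), "OK", "203.0.113.7"))
    for i, result in enumerate(("FAIL", "FAIL", "OK")):
        lines.append(entry(timedelta(minutes=30, seconds=10 * i), result, "192.0.2.10"))
    return lines

if __name__ == "__main__":
    brute, owned = analyse(make_log())
    print("brute forcing:", sorted(brute), "| compromised:", sorted(owned))
```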

[Screenshot: Gorynych installation]

Once the payload is downloaded, any installed antivirus is configured to ignore it, or is even completely uninstalled. This requires administrative rights on the computer, but obviously this is quite a common situation on point-of-sale systems.


On that day, Gorynych was the payload being spread: https://www.virustotal.com/fr/file/406c30d40f3837615e3b393edc1d6667213c3d287ec006be6198d68124041d43/analysis/
Last but not least, the crooks used compromised computers to administer the Gorynych panel:



Over several days we followed the whole stealing process. The crooks infected point-of-sale systems and used mainstream memory scrapers such as SearchforCC to exfiltrate credit card numbers.
As we can see, there is no need for sophisticated attacks or processes to infect systems. With a little more time, the crooks would be able to infect a much larger range of systems. With a short list of 152 weak passwords, an attacker is able to control a lot of point-of-sale systems. In this case, the crooks gained access to companies ranging from small and medium-sized enterprises to companies with 500 million dollars in annual sales.
This kind of campaign would not be so easy to carry out if:
• point-of-sale computers were not directly connected to the Internet;
• strong VNC passwords were used;
• administrator accounts were not used to connect to sensitive systems.
This kind of negligence can cost the compromised company a great deal of money and severely damage its image.

Appendix

Payload found on the FTP site


Related servers
