Threat actors salivate at the thought of an increased volume of credit and debit card transactions flowing through endpoints they have compromised with card-stealing malware. While there are many distinct malware families that scrape unencrypted process memory to obtain cards, some of these malware capabilities overlap with generic information stealing trojans such as Flokibot that obtain and exfiltrate HTTPS GET and POST data and other materials from compromised machines.
Rather than focusing on the Flokibot malware itself, which has already been profiled by ASERT [https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/] and others [http://blog.talosintel.com/2016/12/flokibot-collab.html], we have profiled selected elements of three Flokibot compromises in order to provide increased awareness of risk factors and actor TTP’s. The first compromise profiled is particularly interesting because it likely involves a threat actor participating in a card trafficking operation. IOC’s can be found at Flokibot_final_IOC.
Targeting and Data Exfiltration
Recently, ASERT researchers observed FlokiBot activity emanating from numerous compromised Point of Sale systems and other machines of interest. The two FlokiBot campaigns observed may have focused on a narrow set of targets, based on the smaller number of compromised machines comprising each botnet. In the first case, 25 compromised machines were involved and in the second, there were 43. The low number implies a more specific targeting scheme than a general-purpose malvertising or commodity exploit kit delivery mechanism. The less widespread the malware, the greater the chances for reduced detection and attention from security researchers and a potentially slower response from law enforcement and the security industry.
FlokiBot exfiltrates data to a Command & Control server, where a folder is created for each compromised machine using the uppercase machine name followed by an underscore and a sixteen character uppercase Bot ID value generated by the Core::_generateBotId function. Exfiltrated data is stored inside each folder in a file named reports.txt. This naming scheme is standard practice for the Zeus Trojan, which Flokibot is based upon.
Zeus-based Report Structure
A sanitized example of a reports.txt entry displayed above shows us the data that the threat actors have access to. In the screenshot above, a VISA card has been exfiltrated and displayed in the Track 2 field. The process_name field reveals the name of the process from which the card data was exfiltrated.
Brazilian Compromise Observations
One particular FlokiBot campaign (oriented around a specific C2) tracked by ASERT focused on Brazilian targets. This included several PoS machines and other systems involved in card processing. Flokibot targeting Brazil is not new, and has been previously profiled by Flashpoint Intel [https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/] who revealed that the author of the malware, an actor known as “flokibot”, is likely a Brazilian “connector” who has engaged other online crime communities in various languages.
Compromise Observation #1: Compromise of System Creating Credit Cards
The compromised system in observation #1 was a Windows 7, SP1 machine. The language_id of the machine is 1064 (Portuguese).
Based on analysis of the report file, there were 268 unique instances of track 2 data exfiltrated from the system. These included 179 instances of Mastercard, 86 instances of Visa cards, and three cards classified as “Amex, Diners, JP”. The timeline of the data exfiltration was from 9/25/2016 – 10/2/2016 for a total of eight days.
This system featured client installations of TeamViewer and the Ammyy Admin applications. These applications are used to perform remote administration. Vulnerabilities in remote administration mechanisms continue to be abused by threat actors targeting Point of Sale and other systems.
The flow of card data through the compromised system is more easily understood by a timeline infographic showing the processes and movement of card data. It is helpful to remember that Flokibot injects itself into explorer.exe when looking at the infographic.
Timeline of process execution and card data movement
In this instance, Flokibot discovered card data present inside memory regions of several Windows processes, including:
DecryptTracks.exe was stored in a folder named “virus novo bomba\Decrypter” and is possibly a utility to decrypt track information. Based on insight derived from carding forums, card data obtained via a PoS skimmer dump file is typically encrypted with the key known only to the seller, so this may be a utility to decrypt dumps. “Virus novo bomba” translated from Portuguese to English means “new virus bomb”.
The naming scheme for the DecryptTracks.exe binary seems somewhat suspicious for a legitimate system and, combined with further evidence presented below, suggest that actors deploying FlokiBot may have compromised someone involved in the illicit business of making physical credit cards from encrypted track data. Another possibility is that a threat actor compromised themselves with their own malware for testing purposes and forgot to disable the malware (an amusing possibility). Another aspect of this exfiltration that suggests the compromised system is not a legitimate PoS installation is the absence of any process associated with a Point of Sale application.
Further support for this hypothesis can be made by observing the exfiltration timeline discussed previously.
The MSR606.exe process was likely developed by a company called Postech, operating from China. The MSR606.exe application is a “MagCard Write/Read Utility Program”, written in Delphi. Underground carding forum chatter suggests the MSR-606 hardware is very popular. One version of this program appears as such:
Application Used with MSR-606 Card Reader/Writer
The MSR606.EXE software correlates with the MSR606 Magnetic Stripe Card Reader/Writer, which is described in a programming manual found online as such:
The MSR606 series is designed to read and/or write high or low coercivity magnetic cards. It can encode and verify up to 3 tracks of data simultaneously. It communicates with a host computer or other terminal using a usb interface.
The MSR-606 hardware can be purchased easily and is readily available online. An image of the MSR606 hardware from https://www.amazon.com/2xhome-MSR606-Magnetic-Encoder-Magstripe/dp/B00LGZVZN4 is shown here:
MSR606 Magnetic Card Reader/Writer
We observed through the exfiltrated report file that some of the card data was entered via keyboard into the MSR606.exe application, as the track 2 data in such transactions was obtained via Flokibot’s keylogger functionality and appeared in the Keylogger field inside the exfiltration report. It is possible that pasting card data into MSR606.exe resulted in that data being obtained by the keylogger.
While legitimate use of MSR606.exe is a possibility, the creation of numerous cards with different BINs via the MSR606.exe application is suspicious.
This same card data obtained via the keylogger functionality from the MSR606.exe process was also obtained in clear-text form from the process memory of explorer.exe, SGCRA.exe and InternetExplorer.exe.
The SGCRA.exe process and the InternetExplorer.exe process appear to be other malware – most likely FighterPOS. For example, see MD5 hash daaa0d3511e23b265bf88e3a036e7e9a for a sample that uses the filename of InternetExplorer.exe AND the filename of SGCRA.exe [https://www.virustotal.com/en/file/80e129571e4147eef2064e1a58352e79070837142be4f7d9b78e1ce5644e69ab/analysis/]. The sample in question is often detected as FighterPOS or Punkey POS, but contains strings indicating the malware may actually be known as FlokiIntruder. A quick check of the ASERT malware repository shows several different malware families using the filename InternetExplorer.exe, including NewPOSThings and FighterPOS. The filename SGCRA.exe was used six times by malware tagged as FighterPOS.
Based on the BIN numbers of the exfiltrated cards, the countries most targeted were as follows:
Compromise Observation #2: Windows 7 Machine
The compromised system in observation #2 was also a Windows 7, SP1 machine. The language_id of the machine is 1064 (Portuguese).
Based on analysis of the report file, there were 167 unique instances of track 2 data exfiltrated from the system at the time of analysis. These included 94 instances of Mastercard, 68 instances of Visa cards, and 5 cards classified as “Amex, Diners, JP”.
Nearly all of the card data from this machine was exfiltrated from explorer.exe, with a very small number discovered from an instance of the FighterPoS/FlokiIntruder malware running at AppData\Roaming\Microsoft\InternetExplorer.exe. No card data, or anything else, was exfiltrated via the keylogger mechanism in this case. Despite the presence of card data, there was no obvious presence of a Point of Sale application running, based on the report.
The malware in this case exfiltrated the presence of its own exfiltration process when encrypted/encoded credit cards were POSTed. This exfiltration took place from a process_name of C:\Windows\explorer.exe with a path_source value of https://shhtunnel[.]at/class/gate.php.
In the leaked source code for Zeus 184.108.40.206, we observe that the path_source variable is used to display a URL access by a process as well as to display the type of credit card obtained from memory. In this case, explorer.exe (injected with Flokibot) was accessing gate.php on the Flokibot C2 server. In other cases, path_source will contain “Visa”, “Mastercard”, or “Amex, Dinners, JP”.
The countries most impacted by the card data exfiltration are as follows:
Compromise Observation #3: Linx Autosystem Installation
This was also a Windows 7, X64 SP1 system using the Portuguese language. The card processing binary was c:\autosystem\paf.exe. This system contained an E-commerce package called Linx Autosystem made by a company named LZT Sistemas out of Brazil [http://intranet.lzt.com.br/rss/c5d5f049a044122a2a3cd2b36e2248d6/]. The website for Linx [http://www.linx.com.br/clients] indicates a wide customer base (translated to English from Portuguese)
This exfiltration report featured both keylogger and Track 2 findings. The exfiltration took place between 10/27/2016 and 11/22/2016, and during that time period, 290 credit cards were stolen. Of these, 147 were VISA cards, 123 Mastercard, and 20 were Amex, Diners, or JP.
C2 Links to Kronos, other Flokibot Campaigns
The C2 for the three observations previously described was shhtunnel[.]at, which resolved to 220.127.116.11 during the time of analysis. The IP address history of the domain is as follows:
|18.104.22.168||8/4/2016 – 8/25/2016|
|22.214.171.124||10/11/2016 – 10/11/2016|
|126.96.36.199||10/13/2016 – 10/30/2016|
|188.8.131.52||10/31/2016 – present|
Registration on the domain was associated with the name “Karl Marx” with an email address of sprobot[@]outlook.com. This email address was used to register several other domains of interest.
|Springlove[.]at||Kronos banking Trojan|
|Springlovee[.]at||Flokibot version 13|
|Sshtunnel[.]at||Kronos banking Trojan, also possible ransomware activity|
|Treasurehunter[.]at||Flokibot v13 as of 2016-12-13 and possible RealPoS malware|
The IP address 128.199.209[.]15 is associated with Digital Ocean.
AS | IP | CC | Name
133165 | 184.108.40.206 | GB | DIGITALOCEAN-AS-AP Digital Ocean, Inc., SG
The IP address was also used by the following domains:
|www.androidupdate[.]online||Android Marcher banking Trojan|
|avalanche[.]today||Malicious site [Sophos]|
|kachapaka.net[.]in||Malicious site [BitDefender, Fortinet]|
|mobil-sicherheitsupdater[.]online||Android Marcher banking Trojan|
|springalove[.]at||Kronos banking Trojan|
Presence in this domain list does not necessarily imply malice in the event that no malware activity was observed, however the percentage of malicious domains pointing to the same IP is notable.
It should also be noted that ASERT observed systems compromised by Flokibot that were also compromised by the Dexter Point of Sale malware. Threat actors are going after some of the same targets, so a scenario involving multiple compromises is not surprising. This scenario is yet another reason why the detection and elimination of one type of malware does not mean that the system is malware free. The outdated concept of “cleaning” an “infection” no longer applies in most cases, especially when a higher security environment is at risk. A complete rebuild, after the completion of a proper incident response process is warranted instead.
Passive DNS Insight
Passive DNS queries on shhtunnel[.]at, revealed two other domains of potential interest: sshtunnel02[.]xyz (due to similiarity of domain name), and p0o9i8u7y9[.]xyz. This second domain was interesting due to the use of the .xyz TLD that is commonly abused, and the structure of the domain name itself suggests it may have been generated by a Domain Generation Algorithm (DGA). The following malware activity was also observed:
|Sshtunnel02[.]xyz||Andromeda / downloader|
Sshtunnel02[.]xyz resolved to 107.191.52[.]175 in early August of 2016 and was using the name server ns1.vultr.com and ns2.vultr.com during that time.
The other domain, p0o9i8u7y9[.]xyz, resolved to four IP addresses:
|220.127.116.11||8/6/2016 – 8/31/2016|
|18.104.22.168||9/6/2016 – 9/18/2016|
|22.214.171.124||9/21/2016 – 9/28/2016|
|126.96.36.199||10/5/16 – 11/14/2016|
|188.8.131.52||11/16/2016 – 1/4/2017|
At the time of this writing, the last IP still resolved in response to the query of p0o9i8u7y9[.]xyz.
Due to the passive DNS associations presented here, network defenders are encouraged to be alert for any activity involving these domains or IP addresses especially during the resolution timeframe.
Flokibot C2 servers
These C2 are obtained from ASERT malware analysis insight. Note: these are any Flokibot C2’s, not just those associated with the threat activity profiled previously.
Flokibot Sample hashes (MD5)
Threat actors have engaged in, and are continuing to engage in compromise campaigns against Point of Sale infrastructure in Brazil and elsewhere by using the Flokibot malware family. Gaining insight into a C2 server provided ASERT with the means to describe a sample set of three compromises. Of these, one appeared to be a threat actor involved in the creation of credit cards, and the other two compromised machines were likely Point of Sale systems or closely associated, based on analysis of their process activity and system usage patterns reported to the C2.
Individuals and businesses operating Point of Sale infrastructure must be cautious to engage in security best practices and should be aware of the numerous types of tactics that threat actors will use in order to compromise PoS machines. Some examples of common tactics include scanning for remotely accessible administrative servers (such as Remote Desktop, Ammyy Admin, Team Viewer, VNC, etc.) the abuse of weak or default credentials, the delivery of malware-laden spearphish to selected targets posing as PoS or other software updates, the compromise of vendors offering remote support to PoS installations in the field, physical access to PoS machines in order to install malware and perform other tactics such as indirect lateral movement through partner organizations to reach a target. Unusual network connections and data exfiltration from PoS machines to unexpected destinations should be a cause for alarm. Data exfiltration from machines that have network or other trusted connections to PoS infrastructure should also be cause for alarm that triggers an immediate investigation and corresponding incident response process.
My appreciation to Dennis Schwarz, Neal Dennis and Kirk Soluk for insight and commentary.