Exclusive -Details on Investigation of Group-IB on new age of POS malware

New age of POS malware – cash points are in the hackers’ interest, major US banks are compromised.

UPDATE January 17th, 2014

I desire to reveal the identity of the person that has conducted the analysis on the BlackPos agent, giving me a significant support for the realization of the post. Andrey Komarov, IntelCrawler’s CEO, has arranged investigation on Black POS in March 2013, when he works in another forensics company. Since that time, the first group which was using BlackPOS was detected, as well as the author, a 17-year-old teen from St. Petersburg. 

BREAKING NEWS – BlackPOS malware – IntelCrawler has identified the author

According to the statistics of Group-IB, one of the leading security and computer forensics company, modern cybercriminals started to use specific malware for ATMs and POS for targeted attacks.

Most of them are organized with the help of insiders in face of staff, who has access to the POS to maintain or update its software locally. Only few infections were detected with the help of targeted remote attacks on POS working on Windows XP / Windows Embedded with RDP/VNC access or vulnerabilities in ATM networks connected to VPN channels of the banks or GSM/GPRS networks.

Previously a McAfee security researcher, Chintan Shah, has notified the banking community about vSkimmer, the Trojan-like malware is designed to infect Windows-based computers that have payment card readers attached to them.

At the end of 2012, Israel based company Seculert  notified about Dexter malware, used for parsing memory dumps of specific POS software related processes, looking for Track 1 / Track 2 credit card data.

Several days ago, Group-IB has found a new type of POS malware, «DUMP MEMORY GRABBER by Ree[4]”, written on pure C++ without the use of any additional libraries. It supports all Microsoft Windows versions, including x64 versions and use mmon.exe for RAM memory scanning on tracks and credit card data.

According to the description of the author, it adds itself to the autorun with default timeout in 3 hours. The log with intercepted dumps is transferred through FTP gateway with the date. This variable can be changed on e-mail notification upon customer’s request.

 

 Group-IB and it’s CERT (CERT-GIB) has found a private video with a demonstration of admin panel of this new POS malware.

 

Customers of major US banks, such as Chase (Newark, Delaware), Capital One (Virginia, Richmond), Citibank (South Dakota), Union Bank of California (California, San Diego), Nordstrom FSB Debit (Scottsdale, Arizona), were compromised by this malware, here are some segments of the data extracted from the uploaded video on one of the most famous underground forums:

In the following image an exclusive screenshot related to thousands of credit cards were compromised, the screenshot of the «BlackPOS» admin panel, 23th March 2013

 

During the investigation, it was found out that the author might be from the Russian Federation, because of language and the interesting factor in the video which is very hard to detect – close to 01:44 it is appeared the link on internal messaging system of one of the most famous social networks in Russia – Vkontake.ru.

 

It seems to be that the hacker was communicated with one of his friends through Vkontakte and forgot to close the active Internet Browser window. Profiling on the Vkontakte ID (http://vk.com/id93371139) disclosured us the person under anonymous nick “Wagner Richard”.

The hacker mentions the link on the group for orders on DDoS-attacks, which can characterize him as one of the persons involved into big cybercrime gang.

Previously, they set up several similar groups related to DDoS attacks, but all of them were banned before.

The above picture reports 7 members of the detected cybercriminals group, including the author of the POS malware with nick «Wagner Richard», he is acting as administrator of the group, the 8th member was found by «Likes» section .

1) http://vk.com/id83965304 – Artiom Karapetyan (native city is: Echmiadzin (Armenia), city of education: Talas (Kyrgyzstan), school 6 – 2011/2014), http://vk.com/friends?id=83965304&section=list27 – all the friends belong to Russian Anonymous Divison

2) http://vk.com/psychoosocial – Viktor Tovstonis (skype: vitok5566)

3) http://vk.com/ruslan_halus – “Ruslan Halus” (skype: halusruslan, Twitter: rhalus, city: Pereginskoe (Ukraine))

4) http://vk.com/anonim207 – «Max Mamaciev» (city: Moscow (Russia), Moscow State University)

5) http://vk.com/id204853815 – «DDOS ATACKA» (city: Moscow (Russia), Moscow State University, Biology faculcy, school 1’19, http://attackddos.narod.ru).

 

 

The pricing on DDoS attack from the gang starts from 2 USD per hour, which is absolutely shocking (22 USD – per day, 220 USD – per week), also it is mentioned that they trade private DDoS bot for 800 USD.

According to the service specification, the hackers also use techniques to bypass anti-ddos services protection such as QRator, Cloudfare, Cisco Guard).

According to the profiling, the security expert Andrey Komarov said that all the involved hackers are less than 23 years, which proofs that youth is involved into the most of cybercrimes.

«We have found one of the C&C for the following POS malware, but in fact hundreds of POS/ATMs were infected and we are still investigating this issue» – said Andrey Komarov, Andrey Komarov, IntelCrawler’s CEO.

Pierluigi Paganini

(Security Affairs – Cybercrime)