Recently, I came across a VISA bulletin regarding point-of-sale malware being used against merchant targets. In Incident #1 in this VISA report, VISA described a deployment technique for TinyPOS that seemed oddly similar to the ProLocker ransomware installation workflow described by Group-IB, although I initially dismissed this as a coincidence.
After spending time mapping out code-level relationships and VirusTotal submitter relationships (initially with the intent of identifying an entry vector), there is evidence to suggest that this is not pure chance. In short, one of the following is likely true:
1. ProLocker and TinyPOS are written by the same author, who also provides a deployment mechanism; or,
2. ProLocker and TinyPOS are written, deployed, and used by the same threat actor
3. The ProLocker adversary obtained or modified the TinyPOS source code and also operates in the carding space
Of these, the second seems the most likely. In addition to distinct code-level relationships shared across several tools from both threat actors (and no apparent other threat actors) and the very similar delivery mechanisms, both ProLocker attacks and TinyPOS attacks appear to be low-volume enough that it is plausible a single small to medium-sized group is operating them, rather than two distinct entities. This would parallel assessments that other threat groups who traditionally operated in the carding and banking spaces have also switched to ransomware attacks, including FIN6 and TA505.
Read more “TinyPOS and ProLocker: An Odd Relationship”
This remainder of this post primarily walks through the analytic workflow that led to these assessments (as opposed to a traditional intelligence-style condensed publication of the key facts) so that others may properly evaluate the methodology and findings.
Last October (2019), ESET published extensive research regarding additional tooling from the “Dukes” adversary, which analysts have traditionally aligned with [APT29/Cozy Bear] operations. While conducting some unrelated research, I came across a LiteDuke sample and decided to take a deeper dive into the mechanics of its loader and its malware.
Read more “Looking Back at LiteDuke”
The original ESET publication covers the key details at a high level; in addition, this malware is old and has likely been discontinued for several years. This blog post is intended to document some additional lower-level details for operational comparison purposes and general learning.
From time to time, new tools emerge that make it significantly easier to examine older malware. In 2017, Symantec’s threat intelligence team published research regarding the Dragonfly group, an adversary with an apparent interest in performing reconnaissance against energy sector companies. One of the reported malware families, “Backdoor.Goodor,” is written in Golang and the blog post states that it “provides the attackers with remote access to the victim’s machine.”
Read more “A New Look at Old Dragonfly Malware (Goodor)”
In recent years, several free options have become available to help reverse engineer these types of Golang binaries, replacing premium (but extremely well documented) methods and making this type of analysis particularly more accessible.
This post walks through the reverse engineering of a Goodor file, examining its capabilities and discussing key principles of these types of files.
In a previous post, this blog examined malware used in a financially-motivated incident at a fuel dispensing company, as disclosed in a security bulletin by VISA. The bulletin detailed a second incident that is likely attributable to an additional threat actor. Specifically, VISA identified C2 infrastructure, a filename, and additional TTPs that allegedly align with FIN8 activity, as described in public Gigamon and Root9b reporting. These TTPs suggest that the threat actors used a memory scraper referred to as PoSlurp.B in public reporting to scrape customer credit card data from a targeted device.
Read more “Fuel Pumps II – PoSlurp.B”
This post examines a PoSlurp.B file identified (through its shellcode loader) by Twitter user @just_windex to provide additional details regarding the malware’s functionality that were not previously disclosed in open source. This analysis focuses on the final payload of the shellcode loader, although additional information and advice for bringing this file into a debuggable state is available at the end of the post.
Unlike the previously analyzed file (FrameworkPoS/GratefulPOS), which indiscriminately scraped all processes on a device, PoSlurp.B is designed to scrape the memory of an attacker-specified process.
In December 2019, VISA Security released a bulletin detailing multiple incidents in which threat actors targeted point of sale systems used at fuel dispensing companies with malware designed to parse out credit card numbers from these systems. This blog post examines a file, 19d38325f715f623bd4b6e819a150cde, associated with the first of three listed incidents in that bulletin.
Read more “POS Malware Used at Fuel Pumps”
There are several notable characteristics regarding this malware, including a unique way for the threat actors to terminate the tool.
Recently, a VirusTotal submitter uploaded a file that was digitally signed with the same certificate as two previously reported Lazarus tools. Like one of those tools, this newly uploaded malware appears to act as an injector, although it behaves significantly differently.
Read more “Another Lazarus Injector”
This blog post offers a brief analysis of the features and purpose of this injection tool, as well as a comparison with a previously identified injection tool that behaves significantly differently and likely serves a different operational purpose.
Update 20 October, 2019: A small section towards the bottom of this post has been updated to reflect this malware’s strong resemblance to a file described in a US-CERT Report in late 2018. The file in that report served as an injector for the FASTCash AIX malware. Given this file’s similarity, it is highly likely that this file is intended to perform a similar function, but on a Windows environment.
In late June, multiple researchers and security entities (including researchers from ClearSky, FireEye, and U.S. Cybercom) highlighted APT33 activity in public outlets. Several of these files have already been identified and analyzed as part of ongoing discussions on Twitter regarding this activity.
Read more “APT33 PowerShell Malware”
This blog post examines a file identified through public resources with infrastructure links to these attacks that has not been widely examined.
As part of this activity, researchers identified the C2 domain “backupaccount[.]net” as a C2 used within a malicious HTA file hosted on attacker infrastructure. A PassiveTotal pivot at the time of this writing highlights 11 hashes associated with this domain. PassiveTotal accounts are free, but also do not offer the context behind these hash associations.
In May and June, two files were submitted to VirusTotal that were signed with the same digital certificate and were connected to the SWIFT-heist wing of the DPRK. One file is re-themed version of the fake resume creating tool used in the Redbanc and Pakistan attacks. The second file is a tool used to inject and run payloads inside of explorer.exe.
Read more “The Lazarus Injector”
This brief post documents the capabilities of this second tool.
Last month’s post on this blog examined a backdoor previously thought to be associated with Emissary Panda (APT27). Recent reporting has instead shown that the HTTP listener examined is likely affiliated with Turla. That post has been updated with the corresponding corrections.
Read more “Emissary Panda DLL Backdoor”
This post is a granular examination of a payload alluded to in a Palo Alto report that is tied to Emissary Panda with much higher confidence. While the payload wasn’t available for analysis in that report, VirusTotal pivoting at the time produced the matching file.
This file is expected to be part of a DLL side-loading chain that involves a component of the legitimate Sublime text editor (plugin_host.exe, also available on VirusTotal: f0b05f101da059a6666ad579a035d7b6) and a malicious DLL that this file will sideload:
Updated 19 July with Attribution Comments
Read more “Possible Turla HTTP Listener”
Recently, Palo Alto’s Unit42 and Saudi NCSC detailed multiple intrusions against Middle Eastern government targets in which an attacker (purportedly Emissary Panda, a suspected Chinese state-sponsored adversary) compromised vulnerable Microsoft SharePoint servers and deployed a variety of intrusion tools, both public and custom.** Subsequent public reporting, however, attributed a portion of this activity to the Turla group. This post focuses on the details of the malware rather than the attribution itself.
This blog post briefly documents characteristics and capabilities of one such tool, an HTTP listener (first identified by NCSC-SA), deployed at several of these sites. There are multiple versions of this listener with different command names; however, the functionality of each command is the same in each file.
**Note: As noted in the original version of this post, Unit42 reporting did not definitively state that the activity belongs to a single threat actor given the use of publicly available tools but rather offered this as a possible assessment.