Between April and September 2014, the American retailer Home Depot was targeted by criminals who aimed to steal credit card information. The malware used during these attacks targets Point of Sale (PoS) systems. Home Depot stated that the cyber criminals stole 56 million debit and credit card numbers from its customers.(1) G DATA SecurityLabs experts have now discovered a new variant of this malware, dubbed FrameworkPOS. Its main part is rather similar to the malware previously described by Trend Micro.(2) The big difference is the way stolen data is exfiltrated: the malware uses DNS requests!
This current malware uses DNS requests to exfiltrate the stolen data. Requests have the following scheme:
In this example, the authoritative name server for domain.com is controlled by the attacker, so it receives the “encoded_data”. We identified three different DNS requests:
This request is the heartbeat. The ID is a random ID generated during the first execution of the malware. Encoded_data1 is the IP address of the infected machine and encoded_data2 is the host name of the machine.
The ID is the same random ID as used in the example above and encoded_data3 is a process name. The attackers receive the process name each time a credit card number is found in the memory.
The ID is, again, the ID described above. Encoded_data4 is the value stored right before the separator “=” within the memory and encoded_data5 is the value stored right after the separator “=”. Further explanation will be given in the article’s section Memory Carving.
In order to perform the DNS query, the malware uses the function getaddrinfo() in Ws2_32.dll or Wship6.dll (for IPv6 support for Windows 2000).
The data transmitted in the DNS request is encoded. Here is the code that performs this task:
The pseudo code:
a = byte XOR 0xAA
b = a XOR 0x9B
value = b XOR 0xC3
Because XOR is associative, the three XOR operations can be combined into a single XOR with 0xF2 (0xAA XOR 0x9B XOR 0xC3 = 0xF2). Below, you can see an example of decoded and encoded data:
paul@gdata:~ $ ./decode.py c3cbc0dcc3c4cadcc4cbdcc4cb
paul@gdata:~ $ ./decode.py a2b3a7bedfb3b0b1c3c0c1c6
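The following decoder is an added example, not G DATA's decode.py and not code from the malware. It applies the three XOR steps exactly as the pseudo code lists them, shows that they equal a single XOR with 0xF2, and decodes the two hex strings from the terminal session above. The encode function is the same operation run in reverse (XOR is its own inverse) and is included so constructed test inputs can be built.

```python
# Added example: decoder for the FrameworkPOS DNS label encoding.
# Not the article's decode.py; written from the pseudo code above.

SINGLE_KEY = 0xAA ^ 0x9B ^ 0xC3   # evaluates to 0xF2


def decode_byte_stepwise(b: int) -> int:
    """The three XORs in the order the malware applies them."""
    a = b ^ 0xAA
    c = a ^ 0x9B
    return c ^ 0xC3


def decode_hex(encoded_hex: str) -> str:
    """Decode one hex-encoded DNS label (as seen in the query name) to ASCII."""
    raw = bytes.fromhex(encoded_hex)
    return bytes(b ^ SINGLE_KEY for b in raw).decode("ascii", errors="replace")


def encode_ascii(plain: str) -> str:
    """Inverse of decode_hex; handy for building constructed test cases."""
    return bytes(c ^ SINGLE_KEY for c in plain.encode("ascii")).hex()


def leading_labels(qname: str, attacker_domain: str) -> list:
    """Split '<label>.<label>.<attacker_domain>' into the labels in front of the
    attacker's domain, so each encoded label can be decoded on its own.
    The attacker_domain value is whatever the analyst recovered from the registry."""
    suffix = "." + attacker_domain.lower().rstrip(".")
    q = qname.lower().rstrip(".")
    if not q.endswith(suffix):
        raise ValueError("query name does not end with the attacker domain")
    return q[: -len(suffix)].split(".")


if __name__ == "__main__":
    for sample in ("c3cbc0dcc3c4cadcc4cbdcc4cb", "a2b3a7bedfb3b0b1c3c0c1c6"):
        print(sample, "->", decode_hex(sample))
```

Running the block decodes the first string to an IPv4 address and the second to a host name, which matches the heartbeat request described earlier (IP address and host name of the infected machine).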
The malware can be executed with the following option:
An interesting detail: the domain is set during the installation of the malware (with the Setd parameter). This marks a difference between the sample analyzed by Trend Micro and this current sample, because the domain is not hardcoded in the binary. As a result, the domain cannot be recovered from a sample found in a database such as VirusTotal. To learn the domain name used to exfiltrate the data, one needs to analyze an infected machine. The domain is stored in the registry:
The .Default hive is an uncommon registry location. It is not the Default User profile hive but the default hive file stored in C:\Windows\System32\config\.
The domain used for the exfiltration is not stored in plain text within the registry. Here is a screenshot of the algorithm needed to decode the content:
Here is the pseudo code:
a = byte >> 5
b = byte << 3
value = a OR b
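As an added example (not the malware's code and not a tool from the article), the pseudo code above can be turned into a decoder for the value stored under the .Default\CurrentUser\ur key. With 8-bit arithmetic, (byte >> 5) OR (byte << 3) is a rotate-left by three bits; the mask to eight bits below is an assumption about the register width the malware uses. The stored value is therefore the domain rotated right by three bits, and the encoder here is included only to build a constructed sample; the domain name used is the placeholder from the request scheme, not one recovered from an infected machine.

```python
# Added example: decoder for the registry-stored exfiltration domain,
# following the pseudo code "a = byte >> 5; b = byte << 3; value = a OR b".

def rotl3(b: int) -> int:
    """The pseudo code above, assuming 8-bit arithmetic (hence the mask)."""
    return ((b >> 5) | (b << 3)) & 0xFF


def rotr3(b: int) -> int:
    """Inverse of rotl3: the transformation the installer must apply before
    writing the value (assumption derived from the decode routine)."""
    return ((b << 5) | (b >> 3)) & 0xFF


def decode_registry_domain(blob: bytes) -> str:
    """Decode the raw bytes read from .Default\\CurrentUser\\ur."""
    return bytes(rotl3(b) for b in blob).decode("ascii", errors="replace")


def encode_registry_domain(domain: str) -> bytes:
    """Produce a blob in the stored format; used only to construct samples."""
    return bytes(rotr3(c) for c in domain.encode("ascii"))


# Constructed sample value (placeholder domain, not an indicator from a real case).
SAMPLE_BLOB = encode_registry_domain("domain.com")


if __name__ == "__main__":
    print(SAMPLE_BLOB.hex(), "->", decode_registry_domain(SAMPLE_BLOB))
```

In a forensic workflow the blob would be read from the offline DEFAULT hive of the affected machine and fed to decode_registry_domain; the recovered domain is what the passive DNS search and the containment steps at the end of this article need.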
We assume that the developer tried to obfuscate several strings in the binary. However, the implementation is faulty and ineffective: each character of a string is XORed with 0x4D twice. Applying XOR twice with the same value yields the original value… Therefore, the strings appear in clear text in the binary:
A XOR 0x4D XOR 0x4D = A
To get the credit card data that is stored within the memory, the malware opens the processes currently executed on the system, except for these:
smss.exe, csrss.exe, wininit.exe, services.exe, lsass.exe, svchost.exe, winlogon.exe, sched.exe, spoolsv.exe, System, conhost.exe, ctfmon.exe, wmiprvse.exe, mdm.exe, taskmgr.exe, explorer.exe, RegSrvc.exe, firefox.exe, chrome.exe
To find the stored credit card data, the attackers use an algorithm which can be reduced to the following regular expression:
Here is the description of the expression:
An example of a credit card number is hardcoded within the malware:
The credit card data hardcoded in the sample is used to detect whether the malware is currently scanning its own process. If the malware finds this data in memory, carving stops and the next process is analyzed.
The analysis shows how cybercriminals operate today: we can assume that the criminals behind the Home Depot attack probably also targeted other companies, using different command and control channels.
We think that the approach seen in this sample is really interesting and that this sample is more mature than the earlier one. In this case, the exfiltration method is carried out very cleverly and is rather uncommon.
We strongly advise companies which use PoS systems to deploy passive DNS in order to store and monitor DNS activity. If configured correctly, passive DNS can send out alerts when suspicious behavior is detected. Furthermore, these logs can and will help when a post-attack analysis is required. Alternatively, the traffic of PoS machines could be restricted to relevant domains. Such a whitelisting approach would prevent contact with unauthorized domains. Concerning containment, the best approach is to create an internal DNS zone that matches the attackers' domain and points to a server located inside the company.
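The following is an added example of the kind of check such a passive DNS setup could run; it is not from the article or from G DATA. The log format and the sample lines are constructed for this example (real passive DNS exports use their own formats), and the heuristic is deliberately narrow: a query whose leading labels are all even-length hex strings, in front of a two-label zone, is flagged and XOR-decoded with 0xF2. The two encoded labels reuse the strings from the decode.py session earlier in the article; the client addresses and the second-level domains are placeholders.

```python
# Added example: flag FrameworkPOS-style DNS queries in a passive DNS export.
# Constructed input format: "<timestamp> <client_ip> <qname> <qtype>" per line.

import re
from collections import defaultdict

XOR_KEY = 0xF2                                   # 0xAA ^ 0x9B ^ 0xC3
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2})+$")    # even-length, hex only

# Constructed sample export; not real traffic.
SAMPLE_LOG = """\
2014-09-01T10:00:01 10.1.5.23 c3cbc0dcc3c4cadcc4cbdcc4cb.domain.com A
2014-09-01T10:00:02 10.1.5.23 www.example.com A
2014-09-01T10:00:03 10.1.5.23 a2b3a7bedfb3b0b1c3c0c1c6.domain.com A
2014-09-01T10:00:04 10.1.5.24 cdn.example.net A
"""


def leading_labels(qname, base_labels=2):
    """Labels in front of the registrable domain. base_labels=2 assumes a
    two-label zone such as domain.com; raise it for ccTLD-style zones."""
    return qname.lower().rstrip(".").split(".")[:-base_labels]


def is_hex_tunnel_candidate(qname, base_labels=2):
    labels = leading_labels(qname, base_labels)
    return bool(labels) and all(HEX_LABEL.match(l) for l in labels)


def decode_label(label):
    """XOR-decode one hex label; return text only if it is printable ASCII,
    otherwise None (a random ID label, for example, was never text)."""
    raw = bytes(b ^ XOR_KEY for b in bytes.fromhex(label))
    if all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None


def analyse(log_text, base_labels=2):
    """Return (client, qname, decoded_labels) for each query matching the
    pattern; labels that do not decode to text are kept as raw hex."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, qname, _qtype = parts[:4]
        if not is_hex_tunnel_candidate(qname, base_labels):
            continue
        decoded = [decode_label(l) or l for l in leading_labels(qname, base_labels)]
        hits.append((client, qname, decoded))
    return hits


def per_client_counts(hits):
    """Flagged queries per source host: a PoS terminal producing a steady stream
    of these is the heartbeat / card-data traffic the article describes."""
    counts = defaultdict(int)
    for client, _qname, _decoded in hits:
        counts[client] += 1
    return dict(counts)


if __name__ == "__main__":
    for client, qname, decoded in analyse(SAMPLE_LOG):
        print(client, qname, "->", decoded)
    print(per_client_counts(analyse(SAMPLE_LOG)))
```

The hex-label check is the cheap first pass; the decode step is what separates this family's traffic from other long-label lookups, since only a matching key yields readable hostnames, IP addresses and track data fragments. Once the attackers' domain is known, the same export also tells you which PoS hosts queried it, which is the list to contain with the internal DNS zone mentioned above.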
%Windows%\Genuine\tf (log file used by the malware)
.Default\CurrentUser\id (this key contains a random ID to identify the infected machine)
.Default\CurrentUser\ur (this key contains the encoded domain of the attackers)
A Service called hdmsvc with the description “Windows Hardware Management Driver”