Announcement Announcement Module
Collapse
No announcement yet.
Virus Alert !!! BrutPOS malware Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Virus Alert !!! BrutPOS malware

    BrutPOS malware


    Virus Type: Trojan/Botnet

    It has been reported that malware variants targeting Point of sale (POS) systems, dubbed “BrutPOS”, is spreading. BrutPOS mainly targets windows based system by leveraging web as the main infection vector apart from being downloaded by other malware families.

    The BrutPOS malware is capable to perform the following functions:
    • Steals payment cards track1 and track2 information by scanning running processes.
    • Opens backdoor and receive commands from the C2 server including the list of IP address range of RDP servers to scan.
    • Steals system information such as OS details, system configuration etc and Sends exfiltrated data to the C2 sever.

    Once the system is infected with the malware, it communicates with its command and control servers to update its status and receive commands or list of IP address range to be scan for RDP servers having weak or default credentials. Successful RDP brute force attacks allows an attacker to execute another malware in the compromised system that steals payment cards data i.e. track1 and track2 information (including card holders name, account no, expiration data, CVV code etc.) from POS systems.

    Aliases: Win32/TrojanDownloader.BrutPOS.A [Eset], Trojan.Bruterdep (Symantec)

    Installation:
    On execution the malware makes the following changes:
    File system Changes:
    • Creates a copy of itself in the following location:

    "%USERPROFILE%\APPDATA\<filename>.exe"

    Registry changes:
    The malware makes an entry for itself in the RUN registry key so as to execute itself at every reboot of the system. The location of the registry entry is shown as follows:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run \Run="%USERPROFILE%\APPDATA\<filename>.exe"

    C2 Communication:
    The malware makes a network connection to various command and control servers some of which are mentioned below:
    62.109.16.195
    92.63.99.157
    78.154.54.42
    82.146.34.22
    62.113.208.37


    Brute-force Command from C2:

    The following snippet shows that the infected machine receives a command from the command and control server having a list of SERVER IP address range to be scan along with the possible passwords to be used for brute force attack.


    Source: Fire Eye

    Once the infected machine has received a list of IP address range for RDP server, it starts scanning these IP addresses for the port 3389. If the scanning results show that the port is open then that particular IP is brute forced with the possible credentials received from the C2 server. Successful brute force attempts, results in sending the respective credentials back to the C2 server. Some of the default credentials tried
    for brute force are shown below:

    Source : Fire Eye

    After successful RDP brute force password attack, the attacker tries to download another malicious file from its C2 server and execution of which captures the payment card information from the compromised systems. If the attacker is having the required Debug permission then downloads and executes the required malicious file otherwise it tries to install the malware as a service using the following script:


    Source: Fire Eye


    Countermeasures:
    • Keep all POS systems thoroughly updated including POS application software.
    • Not allowing administrative access to systems, with the exception of special administrative accounts for administrators
    • Delete the system changes made by the malware such as files created/ registry entries /services etc.
    • Locking out accounts after N number of incorrect login attempts
    • Not allowing RDP login by default on systems, but rather, granting it on an as needed basis
    • Limiting or eliminating the use of shared or group accounts
    • Monitoring authentication logs for repetitive failed login attempts to one system or multiple systems.
    • Ensure that the networks where POS systems reside are properly segmented from the non-payment network.
    • Monitor and block connections to the aforementioned servers.
    • Disable Auto run/Auto play.
    • Do not visit untrusted websites.
    • Enable firewall at gateway or desktop level.
    • Do not download or open attachment in emails received from untrusted sources or unexpectedly received from trusted users.
    • Install and scan anti malware engines and keep them up-to-date.
    • Restrictive policy on usage must be deployed and enforced.

    References:
    http://www.fireeye.com/blog/technica...s-systems.html
    http://www.fireeye.com/blog/corporat...rspective.html
    http://www.darkreading.com/brutpos-b...d/d-id/1297154
    http://www.securityweek.com/brutpos-...s-brute-force-attacks
    http://www.eweek.com/security/brutpo...-to-break-into- -pos-systems.html
    http://www.alienvault.com/open-threa...remote-desktop
    http://www.cert-in.org.in/s2cMainSer...E=CIVA-2014-1410
    https://www.us-cert.gov/ncas/alerts/TA14-002A
Working...
X