Dragon News

An inside look at the world of Team Cymru. Cybersecurity tools, tips, news and views.

Poseidon and Backoff POS – the links and similarities

Marcel van den Berg

Poseidon, also known as FindPOS, is a malware family designed for Windows point-of-sale systems. Poseidon scans the memory for running processes and employs keystroke logging to gather payment card data and credentials [1][2][3]. Recent Team Cymru analysis of Poseidon samples revealed a number of similarities to the much-publicized Backoff POS malware family, and this post documents those similarities and a number of new IOCs.

Reporting by RSA in April 2015 on “Attacking a POS Supply Chain” showed that they had seen a phishing email sent using a domain resembling one that was legitimately registered by a high-end restaurant in New York City. The email contained an exploit attempt aimed at a European point-of-sale (POS) vendor.

Poseidon malware consists of two stages: a stage 1 loader and a stage 2 exfiltration component that contains the memory scraping code. The Poseidon loader installs as a Windows service and attempts to connect to one or more command and control URLs. These URLs are hardcoded in the binary. If successful, the loader will then download and install Poseidon’s second stage, which provides the actual memory scraping and key logging functionality. In all observed cases, the stage 2 component was configured to exfiltrate harvested data via an HTTP POST request.

Once installed, Poseidon’s second stage iterates through the processes running on the victim system and performs the following tasks:

  1. Verifies the current process ID in the list does not match its (the Poseidon process’s) process ID. If it does match, then it skips to the next process in the list.
  2. Checks if the current process ID in the list is run under ‘System’ or a non-user security context, including services and other OS-level tasks. This is achieved by fetching the security identifier (SID) information from each process’s access token and checking the domain identified by that SID. If the domain field of the SID matches the string “NT AUTHORITY”, then this process will be skipped.
  3. After passing the previous two checks, the second stage will scan the memory of the current process in the list for payment card data.

Analysis of the Poseidon malware and its infrastructure revealed several interesting similarities with the Backoff POS malware:

  1. Similarities in certificates: Multiple Backoff POS controllers and Poseidon controllers have been observed using an SSL/TLS certificate with serial ‘EDFD4265DE7735EA’.
  2. Similarities in command and control parameters: Both Backoff POS and Poseidon use very similar POST request parameters, as outlined in Table 1 (image backoff_poseidon, not reproduced in this text).
  3. Alignment of version numbers: The version numbers seen in use by Backoff POS and Poseidon appear to follow each other sequentially, both numerically and over time. The latest version of Backoff POS documented is version 1.57 (dating to September 2014), while the earliest version reported for Poseidon is 2.0, which was observed with a compile time stamp of November 2014.

Poseidon infrastructure appears to be identifiable through consistencies in the SSL/TLS certificates employed on controllers. For example, patterns exist in the issuer fields and the time the certificate is valid:

  • Issuer: /C=XX/L=Default City/O=Default Company Ltd
  • A time difference of 2000 days (172800000 seconds) between the ‘not after’ date and the ‘not before’ date (e.g. 2020-03-10 20:39:36 – 2014-09-18 20:39:36 = 2000 days)

Every controller certificate obtained shared the properties shown above, and a number of Poseidon controllers used the exact same certificates. Combining this information with other IOCs, such as those listed below, could help identify or confirm a Poseidon compromise.
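To make the certificate pattern above usable as a check rather than a description, here is an added example (not Team Cymru's tooling) that takes the text `openssl x509 -noout -serial -issuer -dates` prints for a certificate collected from a suspected controller and reports which of the post's three indicators it matches: the issuer string, the 2000-day validity window, and the serial shared between Backoff and Poseidon controllers. Both certificate samples in the block are constructed for the example; the dates in the first one are the ones quoted above. The normalisation of openssl's two issuer formats assumes no attribute value contains ", " or "/".

```python
"""Flag certificates that fit the Poseidon controller pattern described in
this post. Added example, not Team Cymru's tooling.

Input is the text produced by, for instance,
    openssl s_client -connect <host>:443 </dev/null 2>/dev/null \
      | openssl x509 -noout -serial -issuer -dates
The samples below are constructed for the example."""
import re
from datetime import datetime

# Indicators taken from the post
POSEIDON_ISSUER = "/C=XX/L=Default City/O=Default Company Ltd"
POSEIDON_VALIDITY_DAYS = 2000
SHARED_SERIALS = {"EDFD4265DE7735EA"}

# Constructed sample: a certificate matching every indicator
SUSPECT_CERT_TEXT = """\
serial=EDFD4265DE7735EA
issuer=C = XX, L = Default City, O = Default Company Ltd
notBefore=Sep 18 20:39:36 2014 GMT
notAfter=Mar 10 20:39:36 2020 GMT
"""

# Constructed sample: an unrelated 90-day certificate
BENIGN_CERT_TEXT = """\
serial=0123456789ABCDEF0123456789ABCDEF
issuer=C = US, O = Example CA, CN = Example Intermediate
notBefore=Jan  5 00:00:00 2015 GMT
notAfter=Apr  5 00:00:00 2015 GMT
"""


def normalize_dn(dn):
    """Return a distinguished name in the slash form used in the post.

    openssl prints either "/C=XX/L=Default City/..." (older versions) or
    "C = XX, L = Default City, ..." (RFC 2253 style, newer versions).
    Assumes no attribute value itself contains ", " or "/"."""
    dn = dn.strip()
    if dn.startswith("/"):
        return dn
    parts = [re.sub(r"\s*=\s*", "=", p) for p in re.split(r",\s*", dn) if p]
    return "/" + "/".join(parts)


def parse_openssl_text(text):
    """Parse the key=value lines into a dict; dates become datetime objects."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with a space ("Jan  5"); collapse it
            value = datetime.strptime(re.sub(r"\s+", " ", value),
                                      "%b %d %H:%M:%S %Y GMT")
        fields[key] = value
    return fields


def validity_days(fields):
    """Whole days between notBefore and notAfter."""
    return (fields["notAfter"] - fields["notBefore"]).days


def check_certificate(text):
    """Return which of the post's three indicators the certificate matches."""
    fields = parse_openssl_text(text)
    has_dates = "notBefore" in fields and "notAfter" in fields
    return {
        "issuer_match": normalize_dn(fields.get("issuer", "")) == POSEIDON_ISSUER,
        "validity_2000_days": has_dates and validity_days(fields) == POSEIDON_VALIDITY_DAYS,
        "known_shared_serial": fields.get("serial", "").upper() in SHARED_SERIALS,
    }


def looks_like_poseidon_controller(text):
    """Every controller certificate in the post had both the issuer and the
    2000-day window, so require both; the serial alone is corroboration."""
    result = check_certificate(text)
    return result["issuer_match"] and result["validity_2000_days"]


if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT_CERT_TEXT), ("benign", BENIGN_CERT_TEXT)):
        print(name, check_certificate(sample), looks_like_poseidon_controller(sample))
```

The validity window is compared in whole days rather than seconds so that a certificate whose timestamps differ by a few seconds from the 172800000-second figure still matches; the serial is reported but not required, since only some controllers reused it.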

In conclusion

We continue to observe new Poseidon versions in the wild, showing that it is likely here to stay for the foreseeable future. What should you do?

  1. Keep AV signatures up to date
  2. Use the IOCs listed below to look for communication to or from the listed URLs, IPs and domains
  3. Make sure the payment endpoint device encrypts payment card data
  4. Consider use of community services and feeds to help stay up to date with the latest controllers and IOCs

If you would like to discuss POS malware and how we can assist your organization to better evaluate and mitigate your InfoSec risks, you can reach our US Sales team at sales@cymru.com and our UK Sales team at sales@tc-internet.uk

Unique Poseidon IOCs

Below are a number of unique Poseidon IOCs not previously published that Team Cymru is releasing in the interest of improving defenses against this threat:

Loader component

hxxps://Askyourspace.com/ldl01aef/viewtopic.php
hxxps://firstcupworlds.com/ldl01zeg/viewtopic.php
hxxps://followhell.ru/ldl01z/viewtopic.php
hxxps://gorestforus.ru/ldl01987/viewtopic.php
hxxps://lacdileftre.ru/pes2/viewtopic.php
hxxps://linturefa.com/ldl01/viewtopic.php
hxxps://linturefa.ru/ldl01/viewtopic.php
hxxps://mehanistran.com/ldl01/viewtopic.php
hxxps://mifastubiv.ru/ldl01/viewtopic.php
hxxps://petronasconn.ru/ldl01/viewtopic.php
hxxps://queryforworld.com/ldl01/viewtopic.php
hxxps://restavratormira.ru/ldl01/viewtopic.php
hxxps://serfilefnom.ru/ldl01/viewtopic.php
hxxps://serppoglandam.ru/ldl01/viewtopic.php
hxxps://servelatmiru.com/ldl01/viewtopic.php
hxxps://spartanwore.com/ldl01srf/viewtopic.php
hxxps://srachechno.com/ldl01/viewtopic.php
hxxps://switlawert.com/ldl01/viewtopic.php
hxxps://tabidzuwek.com/ldl01/viewtopic.php
hxxps://tabidzuwek.ru/ldl01/index.php
hxxps://tabidzuwek.ru/ldl01/viewtopic.php
hxxps://vesnarusural.ru/ldl01/viewtopic.php
hxxps://weksrubaz.ru/ldl01/index.php
hxxps://weksrubaz.ru/ldl01/viewtopic.php
hxxps://wertstumbahn.ru/ldl01/viewtopic.php
hxxps://xablopefgr.com/ldl01/viewtopic.php
hxxps://xablopefgr.ru/ldl01/viewtopic.php
46.30.41.159
46.166.168.106
89.144.2.148
89.144.2.149
89.144.2.150
93.171.202.168
146.120.110.104
162.244.32.164
178.62.208.238
193.230.220.53
216.246.98.85
164af045a08d718372dd6ecd34b746e7032127b1
d5ac494c02f47d79742b55bb9826363f1c5a656c
05b124b5f33a65ebb7489cdbcb55eee1692049f3
5e70840747264adee10bb298262207c8c25cff40
3de607115b6f0372ad9d4d68c27a118eca463a11
4959d2bdb93f2a75fd92ebbb1de391e3ed72ac55
b542f06b600e4caf2c3089a1ebb3a68d9d0a8003
8cfbfa37d31bcdeba00f0cab1509f93feec43e37
0d9a8b1c179e705f589f84a4ee3d635fe4ecf4f6
1be1781de69d6d6e8e749538c28dd0a5bff9a2bb
2b53394dad68bfc2a22d710259cb922d44799282
8b83112e29b4c51ad5e63c4e7c4dc3cd6065e6d7
1a7f93af47c4ddd9e9c52e39d6b388ce6bc86a7f
6e45ba4be815ee0f2f8954a05b3f79ffa52bbce2
8b2455854fdd9907c601a4b00703f9aa6ec62408
47430cf79c6d01abe6630e4c08d3fc821040069e
7dd0e3ae8bd7a69789d6117fb3e64926e4baad53
82189618784f98846bac2139ebe3d3839fe855e9
11b3a6866c153c0ed266b5d6e151217299fba3ac
837ac1eaea0ae07fda97e659d55996d09d8485da
1770d90d828b01a46ab4e39257db28f0a00f2cd8
02a39351450616c624a7d06ae2e91fbad2515bfd
415132ffccbb95856db3acb3c3648244864a0586
bc244f41938cbdc419590b34f74b8f4a88a73104

Exfiltration component

hxxp://apporistale.com/pes18/viewtopic.php
hxxp://dingdownmahedt.ru/pes18/viewtopic.php
hxxp://dinghareun.ru/pes18/viewtopic.php
hxxp://dreplicag.ru/pes13/viewtopic.php
hxxp://ferepritdi.ru/pes18/viewtopic.php
hxxp://fimzusoln.ru/pes13/viewtopic.php
hxxp://horticartf.com/pes13/viewtopic.php
hxxp://howthatficy.ru/pes19/viewtopic.php
hxxp://kilaxuntf.ru/pes13/viewtopic.php
hxxp://lasttrainforest.com/pes19/viewtopic.php
hxxp://newdomainreservenow.ru/pes9/viewtopic.php
hxxp://p9yhenm.ru/pes9/viewtopic.php
hxxp://quartlet.com/pes13/viewtopic.php
hxxp://rabbutdownlitt.ru/pes19/viewtopic.php
hxxp://refherssuce.ru/pes19/viewtopic.php
hxxp://reswahatce.ru/pes19/viewtopic.php
hxxp://terethaundv.ru/pes18/viewtopic.php
hxxp://wetguqan.ru/pes13/viewtopic.php
hxxp://xoftunhbyirf.tk/pes18/viewtopic.php
46.30.41.159
46.161.40.106
46.166.168.106
89.144.2.150
89.144.2.151
91.220.131.182
93.171.202.168
128.199.73.152
16cc234cdd9b180801e79d0b4beb0d88462911c0
0417922ec0503730297c167abcefcb4bdadcf8d8
5531d79887f9fd8491596c4ac39a46e2df3e3b19
f3420cb99c4689bd613f8195571f5dcb417e6d22
0e8827796ea18b18891a2015bc000776664ebff4
17a2c61bf5c49d465a527625cd3e73c60afc07a4
1c22a10c198257316a41e3f7d6f8ad4c40f05e5d
21ef25799050ca8360cb6f8679fc90bd9af8a9de
24ddc01f6446f3970fb1b895cb7fced9d9ab6328
26495828c9a7bb33328b54f772fb1bbd06f6106e
29c29b4d3b81d054dc1d4adea63d606e04663c95
2d29baaebaf719d284a9ee4eb0192934ae0f91ce
303ced5245f0efe080a945d269ec94b2972cbee6
31a7ae4d92cf742f447396a197a5ba722e672f05
3a800f25408c679f337b6899dca137db66fead66
3c97379ea625a584b91c63b8d9286d6182d61ea2
40eb76aa1c1cd58db621cf21d27b26b33cce5f8a
41a1c644af30dc4caae59a22dc94bed18e8736de
47eda908dd3757d66409e6f3a6225ca1cd03fa2c
66244a0d24231839333e8ce970b6ab1b3ad469b7
6f6dc9f09c593a57cf9ef658d2447da9c56fbbb4
723af5e6d126021aa0d8032a4cc45da5bedbe946
7915d8736770d4ead4c10304bd54ad72a1120afe
884f02ea7e0da210a3d62a347a43c0079cb5218a
8ab3bd0c323ef967245bd7756070733f3386eb45
8f57a662898f5eec84b9fd06da21354184c67f5d
9391c66dd409a2908c54f573c975d1a2053f5b8e
aa90a93833cb1171e9e213ba73928d32c546c1fd
aded4e686227c932c77fe158ec18251aad4d7097
ba983efd45dc4a21c34a9be4273fd82d27768267
bad699af3fc8fda8e8cd271aac8a018c5faa3748
c0c6fd8b23e627188814cd36ea7a6a5d9f1391e8
c3120212263c7d272b5664fbd33291d46f5357ea
c78130f95c4c4db31585521ce4668f962b7385df
d28c053075b2636e8b217f439f15565abe26f569
e0158ac0ced198dad89220c2063bbfed515f60fc
e51ac9b4180ed0045e690dd09bfe3a69af3b8a0c
edb3a9ab30702d1750a3ec5cfd37893af329e788
f1dca78808b7f32ef817bd36e2b250e9c7d736b6
f562eaed7ddbfb1eee7e95417b54556cabd55c36
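As an added example of the second recommendation above (checking traffic against these indicators), the block below is not Team Cymru's tooling: it refangs a subset of the URLs and IPs copied from the lists above, splits them into hostnames, addresses and URL paths, and runs constructed proxy log lines (in a hypothetical `key=value` format) through them. Host and IP matches are reported as high confidence; a match on the URL path alone is reported separately as low confidence, because `/viewtopic.php` and `/index.php` are stock forum paths and would otherwise produce noise.

```python
"""Check outbound proxy log lines against the Poseidon IOCs published in this
post. Added example, not Team Cymru's tooling. The indicators below are a
subset copied from the lists in the post, in the defanged hxxp form they are
published in; the log format and the log lines are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

DEFANGED_IOCS = """
hxxps://linturefa.com/ldl01/viewtopic.php
hxxps://tabidzuwek.ru/ldl01/index.php
hxxp://dreplicag.ru/pes13/viewtopic.php
hxxp://howthatficy.ru/pes19/viewtopic.php
46.30.41.159
89.144.2.150
128.199.73.152
"""

# Constructed log lines in a hypothetical key=value proxy format
SAMPLE_LOG = [
    "2015-06-01T12:00:01Z src=10.1.2.3 dst=46.30.41.159 method=POST url=https://linturefa.com/ldl01/viewtopic.php",
    "2015-06-01T12:00:05Z src=10.1.2.9 dst=203.0.113.7 method=GET url=http://example.net/index.html",
    "2015-06-01T12:01:10Z src=10.1.2.3 dst=89.144.2.150 method=POST url=http://89.144.2.150/pes13/viewtopic.php",
    "2015-06-01T12:02:00Z src=10.1.2.4 dst=198.51.100.20 method=POST url=http://forum.example.org/pes13/viewtopic.php",
]

LOG_LINE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) url=(?P<url>\S+)")


def refang(ioc):
    """Turn the published hxxp:// and hxxps:// forms back into real URL schemes."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)


def load_iocs(text):
    """Split the published list into hostnames, IP addresses and URL paths."""
    hosts, ips, paths = set(), set(), set()
    for raw in text.split():
        try:
            ips.add(str(ipaddress.ip_address(raw)))
            continue
        except ValueError:
            pass  # not a bare IP address, so treat it as a URL
        parts = urlsplit(refang(raw))
        if parts.hostname:
            hosts.add(parts.hostname.lower())
        if parts.path:
            paths.add(parts.path)
    return hosts, ips, paths


def classify(line, iocs):
    """Return a finding for a line that touches an IOC, else None.

    Host and IP matches are high confidence. A path-only match is low
    confidence (/viewtopic.php and /index.php are stock forum paths), so it
    is reported separately rather than dropped or treated as a firm hit."""
    hosts, ips, paths = iocs
    m = LOG_LINE.search(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    hits = []
    if host in hosts:
        hits.append("host")
    if m["dst"] in ips or host in ips:
        hits.append("ip")
    if not hits and url.path in paths:
        hits.append("path-only")
    if not hits:
        return None
    return {
        "src": m["src"],
        "url": m["url"],
        "hits": hits,
        "confidence": "low" if hits == ["path-only"] else "high",
    }


def scan(lines, iocs):
    """Run classify over every line and collect the findings."""
    return [f for f in (classify(line, iocs) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, load_iocs(DEFANGED_IOCS)):
        print(finding)
```

The destination IP is checked both from the log's `dst` field and from the URL host, since the stage 2 component may be configured with a bare IP rather than a domain; to run this over a real proxy log, replace `LOG_LINE` with a pattern for that log's format and feed the full lists above into `DEFANGED_IOCS`.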

[1] http://blogs.cisco.com/security/talos/poseidon
[2] https://blogs.rsa.com/attacking-a-pos-supply-chain-part-1/
[3] https://live.paloaltonetworks.com/community/kb/blog/2015/03/25/findpos-new-pos-malware-family-discovered