This is a security alert for all TruShield clients, the retail industry, the financial services industry, and the community at large. TruShield has learned of increased point-of-sale malware activity and a linked financial threat actor.
Within the last week, security researchers at several companies have discovered new details about the ongoing malware barrage against POS systems, banks, and financial institutions. One discovery concerns the TinyLoader backdoor, which is now known to deliver multiple POS malware strains. Roughly a year ago it was known only for spreading AbaddonPOS; it has since been linked to TinyPOS as well, and both TinyLoader and AbaddonPOS have been altered. A second finding involved alterations to several malware loaders used against financial institutions, with a few noteworthy links between them. The related malware families are Hancitor, Ruckguv, and Vawtrak. Researchers at Proofpoint have indicated that a single threat actor is likely behind the recent alterations.
Delivery and Updates
In each of these cases the best-known delivery method for the malware is an email campaign. The subject line varies from one malware family to another, but the emails generally carry malicious Office document attachments with embedded macros. Hancitor and Ruckguv campaigns mainly use a “debt”, “tax”, or “IRS” related subject. For TinyLoader and AbaddonPOS the subject lines center on the targeted company and a “booking” or “reservation”.

TinyLoader focuses on stealing system information, enumerating processes, and spying on a system through a screenshot mechanism, but it may later deliver a full malware payload. It was also recently determined to be responsible for updating the AbaddonPOS malware. Experts at Trend Micro were able to verify the link between AbaddonPOS and TinyPOS based on several findings: very similar functionality and process monitoring, shared C&C infrastructure, and similar means of spreading in targeted usage.

Hancitor has been altered primarily in the information it gathers and transmits, and in the addition of a DLL execution function. Ruckguv has been modified to also add a DLL execution function, to apply ROT13 to file names rather than payload URLs, to use only a single file name for any payload download, and to use different functions for downloading. Vawtrak is where this campaign and the POS campaign meet: it has been associated with a threat actor, and it can download TinyLoader or turn the compromised machine into a spam relay to further the campaign.
Trends to Monitor
Both of these campaigns should be carefully compared and observed. There are marked similarities that point to the possibility of a single actor being responsible for the vast majority of infections with the POS malware and loader malware mentioned above. Additionally, each of these families went dormant for several months and then resurfaced with new capabilities within a short time frame. Effectively, such an actor could be aiming at both sides of a transaction to maximize returns. There is even the possibility that a larger swath of Vawtrak infections will be seen on the heels of the Angler EK alterations earlier this month, since Vawtrak was distributed through Angler EK in the past. Infections seen across multiple industries clearly indicate that proactive steps need to be taken before another phase of malicious alterations affects an unprecedented number of businesses, institutions, and consumers.
Indicators of Compromise
SHA-256 Hashes for TinyLoader and AbaddonPOS
SHA-256 Hashes for Hancitor, Ruckguv, and Vawtrak
Related IPs and Sites
Mitigation and Prevention
- Enable EMV and/or point-to-point encryption solutions on POS terminals.
- Do not open email that is unexpected or from unknown senders.
- Use updated antimalware and antivirus products.
- Compare unknown files with known IOCs.
- Use application control software with a base deny policy on executables.
- Isolate infected systems from the network.
- Monitor systems for registry or file changes.
- Keep systems patched with the latest updates.
- Continuously monitor network traffic for C&C activity, including DNS queries.
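The two monitoring steps above (comparing unknown files against known SHA-256 hashes, and watching DNS queries and connections for C&C indicators) can be automated with a small matcher. The following is an added example, not code from TruShield or from the alert; the hash, domain and IP indicators in it are constructed placeholders, the log format assumed is a BIND-style query log, and the real lists published with this alert would be loaded into the two dictionaries instead.

```python
import hashlib
import re

# Constructed placeholder indicators for demonstration only; they are NOT the
# advisory's real IoCs. Load the SHA-256, domain and IP lists from the alert
# into these two dictionaries (value = label to report on a hit).
SAMPLE_BYTES = b"constructed sample file, not malware"
IOC_SHA256 = {hashlib.sha256(SAMPLE_BYTES).hexdigest(): "constructed-sample"}
IOC_HOSTS = {
    "c2-placeholder.invalid": "placeholder C&C domain",
    "198.51.100.23": "placeholder C&C IP (TEST-NET-2)",
}

QUERY_RE = re.compile(r"query:\s+(\S+)\s+IN\s+", re.I)   # BIND-style query log
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_files(paths, ioc_hashes=IOC_SHA256):
    """Return (path, digest, label) for every file whose hash is a known IoC."""
    hits = []
    for path in paths:
        digest = sha256_of_file(path)
        if digest in ioc_hashes:
            hits.append((path, digest, ioc_hashes[digest]))
    return hits


def match_log_lines(lines, ioc_hosts=IOC_HOSTS):
    """Flag DNS query names (and their parent domains) or IPv4s that are IoCs."""
    hits = []
    for line in lines:
        candidates = set(IPV4_RE.findall(line))
        m = QUERY_RE.search(line)
        if m:
            labels = m.group(1).rstrip(".").lower().split(".")
            # www.c2.example -> also test c2.example, so subdomains of an IoC match
            candidates.update(".".join(labels[i:]) for i in range(len(labels) - 1))
        for cand in sorted(candidates):
            if cand in ioc_hosts:
                hits.append((line.strip(), cand, ioc_hosts[cand]))
    return hits
```

Run `match_files` over files quarantined from a suspect host and `match_log_lines` over the resolver and firewall logs; any hit is a reason to isolate the system, as the list above recommends.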