Security Now
Security is top-of-mind, especially right here where Juniper experts share their insights on the latest security trends and breakthroughs
amohanta
LockPoS goes fashionable
01.22.18

U.S.-based fashion retailer Forever 21 recently reported that its point-of-sale (POS) machines were infected with LockPoS malware. LockPoS was also in the news in mid-2017 for targeting Brazilian companies. This blog shares additional detail about some of the latest variants of LockPoS.

 

Technical Analysis

MD5: 1e490056bdb537f9492bc72a365537f0

SHA1: 80c1bd8611d37d10650b7b1a8b90274e6fe54419

The malware has multiple layers of obfuscation. The outer sample carries an executable, stored in encrypted form, in a resource named “CORE”.

Fig 1 - “CORE” resource containing the encrypted binary

 

This resource is located and loaded into memory using FindResourceW(), SizeofResource() and LoadResource().

Fig 2 - resource loaded in memory

 

The resource data is then decrypted in memory using the Microsoft CryptoAPI functions CryptAcquireContextW(), CryptImportKey() and CryptDecrypt(). A breakpoint on CryptImportKey() is the quickest way to recover the key: the key blob passed to it begins with a BLOBHEADER that names the algorithm, and for a PLAINTEXTKEYBLOB the raw key material follows the header.

Fig 3 - decrypted data from resource

 

The deobfuscation doesn’t end here. The decrypted data is itself compressed and is decompressed in memory using RtlDecompressBuffer(). The result is an executable that contains the string “dropper.pdb”.

Fig 4 - “dropper.pdb” seen in the decompressed file
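To reproduce this unpacking chain offline, an analyst needs two things: the key that the sample hands to CryptImportKey(), and a re-implementation of the decompression that RtlDecompressBuffer() performs. The Python below is added here as an example; it is not code from the original post or from the malware. It decodes the CryptoAPI BLOBHEADER at the start of a key blob (so the algorithm, and for a PLAINTEXTKEYBLOB the raw key, can be read straight off a debugger breakpoint) and implements an LZNT1 decompressor. Assumptions: the post does not say which algorithm LockPoS imports or which compression format it passes to RtlDecompressBuffer(); LZNT1 is the format most commonly seen in malware, and both inputs in the block are constructed test data, not bytes from the sample.

```python
import struct

# CryptoAPI key blob constants (wincrypt.h).
BLOB_TYPES = {1: "SIMPLEBLOB", 6: "PUBLICKEYBLOB", 7: "PRIVATEKEYBLOB", 8: "PLAINTEXTKEYBLOB"}
ALG_IDS = {
    0x6601: "CALG_DES", 0x6602: "CALG_RC2", 0x6603: "CALG_3DES", 0x6609: "CALG_3DES_112",
    0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192", 0x6610: "CALG_AES_256", 0x6801: "CALG_RC4",
}


def parse_key_blob(blob: bytes) -> dict:
    """Decode the BLOBHEADER at the start of the pbData buffer given to CryptImportKey().
    For a PLAINTEXTKEYBLOB the header is followed by a DWORD key length and the raw key."""
    btype, version, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    info = {"type": BLOB_TYPES.get(btype, hex(btype)), "version": version,
            "alg": ALG_IDS.get(alg, hex(alg))}
    if btype == 8:
        (key_len,) = struct.unpack_from("<I", blob, 8)
        info["key"] = blob[12:12 + key_len]
    return info


def lznt1_decompress(data: bytes) -> bytes:
    """Pure-Python equivalent of RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1, ...)."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:            # a zero header terminates the stream
            break
        chunk_end = pos + (header & 0x0FFF) + 1
        if chunk_end > len(data):
            raise ValueError("truncated LZNT1 chunk")
        if not header & 0x8000:    # bit 15 clear: chunk is stored uncompressed
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        chunk_start = len(out)
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):   # one flag bit per token, least significant bit first
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(data[pos])            # literal byte
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                # The split between length and displacement bits depends on how far
                # into the chunk we are: more output so far means more displacement bits.
                p = len(out) - chunk_start - 1
                len_mask, disp_shift = 0x0FFF, 12
                while p >= 0x10:
                    len_mask >>= 1
                    disp_shift -= 1
                    p >>= 1
                length = (token & len_mask) + 3
                disp = (token >> disp_shift) + 1
                if disp > len(out) - chunk_start:
                    raise ValueError("LZNT1 back-reference points before chunk start")
                for _ in range(length):              # byte-wise copy handles overlapping matches
                    out.append(out[-disp])
    return bytes(out)


# Constructed test data (not taken from the LockPoS sample):
# a PLAINTEXTKEYBLOB carrying a 16-byte RC4 key ...
SAMPLE_KEY_BLOB = bytes([8, 2, 0, 0]) + struct.pack("<II", 0x6801, 16) + b"K" * 16
# ... and one compressed chunk ("abc", a back-reference, "Z") followed by a stored chunk ("XY").
SAMPLE_LZNT1 = b"\x06\xB0\x08abc\x03\x20Z\x01\x30XY"

if __name__ == "__main__":
    print(parse_key_blob(SAMPLE_KEY_BLOB))
    print(lznt1_decompress(SAMPLE_LZNT1))
```

In practice the blob comes from the debugger: dump the buffer pointed to by the second argument of CryptImportKey() with the length given by the third, feed it to parse_key_blob(), and feed the CryptDecrypt() output to lznt1_decompress(). If the decompressor raises, the format is probably not LZNT1 and the FORMAT argument actually passed to RtlDecompressBuffer() should be checked.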

 

This executable in turn carries another encrypted executable in a resource named “XXXX”, which is decrypted and decompressed by the same process described above. Decryption happens entirely in memory and, once complete, control is transferred to the decrypted code. That code then maps part of its decrypted memory into explorer.exe, where the final payload is decrypted.

 

Sandbox Evasion

The malware maps a fresh copy of ntdll.dll from disk into its own address space using CreateFileW(), CreateFileMappingW() and MapViewOfFile(), and calls the ntdll functions it needs from that copy rather than from the ntdll already loaded in the process. Sandboxes and other monitoring tools typically place their hooks in the loaded copy, so calls made through the fresh mapping bypass them and the malicious behaviour is harder to spot.

Fig 5 - ntdll.dll mapped into memory

 

While injecting into explorer.exe, the malware does not call the Windows APIs involved directly. Instead it issues the system call itself with an INT 2Eh instruction, so user-mode API logging never sees the call. It also adds work for reverse engineers, who have to map the system call number in EAX back to the native function for the exact Windows build under analysis.
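Direct system calls leave a recognisable footprint in the unpacked code: a mov eax, imm32 loading the call number, followed shortly by the kernel entry instruction. The following scanner is an added example, not code from the original post or from LockPoS, and it goes slightly beyond the INT 2Eh case described above by also flagging sysenter and the 64-bit syscall instruction. The code buffer it scans is constructed by hand to look like such stubs; the call numbers in it are arbitrary and are not LockPoS's, and no number-to-name table is included because those numbers differ between Windows builds.

```python
import re

# mov eax, imm32 (B8 xx xx xx xx) followed within 16 bytes by a kernel entry instruction.
# The body may not contain another B8, so each gate is attributed to the nearest
# preceding "mov eax" (the system call number). This is a heuristic: B8 can also
# occur inside unrelated code or data, so hits are leads to review, not proof.
STUB_RE = re.compile(
    rb"\xB8(?P<num>.{4})(?P<body>[^\xB8]{0,16}?)(?P<gate>\xCD\x2E|\x0F\x34|\x0F\x05)",
    re.DOTALL,
)
GATES = {b"\xCD\x2E": "int 2Eh", b"\x0F\x34": "sysenter", b"\x0F\x05": "syscall"}


def find_syscall_stubs(code: bytes):
    """Return (offset, syscall_number, gate) for every direct-syscall stub found."""
    hits = []
    for m in STUB_RE.finditer(code):
        number = int.from_bytes(m.group("num"), "little")
        hits.append((m.start(), number, GATES[m.group("gate")]))
    return hits


# Constructed code buffer (not from the sample): three hand-rolled stubs plus filler.
SAMPLE_CODE = (
    b"\x55\x8B\xEC"                                   # push ebp; mov ebp, esp
    b"\xB8\x2F\x00\x00\x00"                           # mov eax, 2Fh        (32-bit, INT 2E style)
    b"\x8D\x54\x24\x04"                               # lea edx, [esp+4]
    b"\xCD\x2E"                                       # int 2Eh
    b"\xC2\x0C\x00"                                   # ret 0Ch
    b"\x90\x90\x90\x90"                               # nop padding
    b"\xB8\x01\x00\x00\x00\xC3"                       # mov eax, 1; ret     (ordinary code, no gate)
    b"\xB8\x10\x01\x00\x00\x0F\x34"                   # mov eax, 110h; sysenter
    b"\x4C\x8B\xD1\xB8\x18\x00\x00\x00\x0F\x05\xC3"   # mov r10, rcx; mov eax, 18h; syscall; ret (64-bit)
)

if __name__ == "__main__":
    for offset, number, gate in find_syscall_stubs(SAMPLE_CODE):
        print(f"offset {offset:#06x}: {gate:8} syscall number {number:#x}")
```

Run it over the decrypted stage rather than the packed file on disk, where the stub is still encrypted. A hit in a user-mode payload that is not a system DLL is itself suspicious, since normal code reaches the kernel through ntdll.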

The code injected into explorer.exe decrypts the actual payload. The final payload is a DLL responsible for the POS-related malicious activity.

Fig 6 - the DLL contains the string “lock.pdb”

 

The DLL contains the string “lock.pdb”. It also carries the Command and Control (CnC) server list hard-coded in its resource section. Together with the strings “chrome.exe” and “_x/update.php”, these make good YARA signature material for this variant; since the outer layers are encrypted, they are only visible in the decrypted in-memory stages, not in the packed sample on disk.

Fig 7 - URLs in the resource section
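A rule built from those strings, added here as an example and not a Juniper or Cyphort signature, would look like the following. Whether each string is stored as ASCII or UTF-16 in the sample is not stated in the post, so the rule accepts both where that is plausible; the “2 of them” condition is a judgement call to keep a single generic string such as “chrome.exe” from matching on its own.

```yara
rule LockPoS_decrypted_stage_strings
{
    meta:
        description   = "Strings from the decrypted LockPoS dropper and payload DLL"
        reference_md5 = "1e490056bdb537f9492bc72a365537f0"
        note          = "Added example rule; scan decrypted stages or process memory, not the packed file"
    strings:
        $pdb_lock    = "lock.pdb" ascii
        $pdb_dropper = "dropper.pdb" ascii
        $chrome      = "chrome.exe" ascii wide
        $uri         = "_x/update.php" ascii wide
    condition:
        2 of them
}
```

Because the strings live in the decrypted layers, point the rule at memory: yara rules.yar <pid> scans a live process such as explorer.exe, and yara -r rules.yar dumps/ covers a directory of unpacked stages or process dumps.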

 

The malicious DLL searches process memory for credit card data patterns.

Fig 8 - malware code looking for credit card patterns
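The post does not show which patterns LockPoS matches, so the following is an added example of the kind of memory scan a POS RAM scraper performs, not code from the page or from the malware: it matches track 1 and track 2 magnetic-stripe formats plus bare card numbers, and Luhn-checks every candidate to discard random digit runs. The regexes and the Luhn filter are assumptions about typical scraper behaviour, and the memory buffer is constructed, using publicly known test card numbers. Defenders can run the same logic over a memory dump of a POS process to confirm whether card data was sitting in cleartext.

```python
import re

# Track 1 (%B<PAN>^<NAME>^<YYMM>...), track 2 (;<PAN>=<YYMM>...) and bare PANs.
# Alternation order matters: at a '%' or ';' the track form wins, and finditer never
# re-scans digits already consumed, so a PAN inside track data is reported once with
# its track type. Constructed patterns, typical of RAM scrapers, not LockPoS's own.
CARD_RE = re.compile(
    rb"%B(?P<t1>\d{13,19})\^[^^?]{2,26}\^\d{4}"   # track 1
    rb"|;(?P<t2>\d{13,19})=\d{4}"                 # track 2
    rb"|(?<!\d)(?P<pan>\d{13,19})(?!\d)"          # bare PAN, bounded by non-digits
)
KINDS = {"t1": "track1", "t2": "track2", "pan": "pan"}


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; every real PAN passes, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_cards(memory: bytes):
    """Return (kind, pan, offset) for every Luhn-valid card number in the buffer."""
    hits = []
    for m in CARD_RE.finditer(memory):
        for group, kind in KINDS.items():
            if m.group(group):
                pan = m.group(group).decode("ascii")
                if luhn_ok(pan):
                    hits.append((kind, pan, m.start(group)))
                break
    return hits


# Constructed memory snapshot (not from a real POS process). The card numbers are the
# widely published Visa/Mastercard test numbers; the last digit run is deliberately
# not Luhn-valid so the filter has something to reject.
SAMPLE_MEMORY = (
    b"\x00\x00POS terminal v2.3\x00\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?"   # track 1
    b"\x00\x00"
    b";5555555555554444=25121011234567890?"                  # track 2
    b"\x00 order=8817 total=4999 card=4012888888881881 "      # bare PAN
    b"ref=1234567890123456 end"                               # 16 digits, fails Luhn
)

if __name__ == "__main__":
    for kind, pan, offset in scan_for_cards(SAMPLE_MEMORY):
        print(f"{kind:6} {pan[:6]}******{pan[-4:]} at offset {offset:#x}")
```

The regex runs on bytes on purpose: process memory is not text, and the same scan works over a raw dump. Note that an order or reference number can pass Luhn by chance, so bare PAN hits deserve a second look while track hits are close to certain.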

 

After harvesting the data, the malware sends it to its CnC server using an HTTP POST. The User-Agent is “lock”, which is easy to match with a Snort rule.

Fig 9 - HTTP request with User-Agent “lock”
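A Snort rule for that beacon, added here as an example rather than a rule shipped by Juniper, anchors on the full header line and the /_x/update.php path together, so that the short token “lock” is not matched inside some other agent string. The sid is taken from the local range and is an arbitrary placeholder.

```snort
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LockPoS CnC check-in (User-Agent lock, /_x/update.php)"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:"/_x/update.php"; http_uri; \
    content:"User-Agent|3A 20|lock|0D 0A|"; http_header; \
    classtype:trojan-activity; \
    sid:1000001; rev:1; \
)
```

This only sees plaintext HTTP; the first server in the list below is reached over HTTPS, so that one has to be caught on the DNS lookup or the TLS SNI instead. Content matches are case-sensitive by default, which is the intent here since the screenshot shows a lower-case agent; add nocase if a variant changes the casing.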

 

List of CnC servers:

https://bbbcleaner.at/_x/update.php

http://advertiseindonesiahot.xyz/_x/update.php

http://confirmationhaircutpsychology.xyz/_x/update.php

http://departmentmessagewasp.xyz/_x/update.php

http://retailerperiodicalsponge.xyz/_x/update.php

http://libraplasticapology.xyz/_x/update.php

http://illegalauthorizationcourt.xyz/_x/update.php

http://powdergoalship.xyz/_x/update.php

http://instructionsaluminiumroad.xyz/_x/update.php

http://estimatemimosalan.xyz/_x/update.php

http://nutobjectiveinvention.xyz/_x/update.php

http://differencejuicetaste.xyz/_x/update.php

http://increasestationcollar.xyz/_x/update.php

http://collarlimitbugle.xyz/_x/update.php

http://deliverystaircaseangle.xyz/_x/update.php

http://dayfatheropinion.xyz/_x/update.php

http://shampoodebtorguitar.xyz/_x/update.php

http://opinionpurchasebathroom.xyz/_x/update.php

http://growthpumpyacht.xyz/_x/update.php

http://decisionsnowmancod.xyz/_x/update.php

http://reportpestgallon.xyz/_x/update.php

http://competitionweaponjail.xyz/_x/update.php

http://myanmarhoodsignature.xyz/_x/update.php

http://inchpaymentvision.xyz/_x/update.php

http://smilejacketemployer.xyz/_x/update.php

http://costscousinphysician.xyz/_x/update.php

http://debtdoubleshop.xyz/_x/update.php

http://ptarmiganstockbottle.xyz/_x/update.php

http://smokepigeonpromotion.xyz/_x/update.php

http://bombapologystreetcar.xyz/_x/update.php

http://archeologysister-in-lawmarket.xyz/_x/update.php

http://colonyarchaeologyinstructions.xyz/_x/update.php

http://paymentfilewave.xyz/_x/update.php

http://objectiveswordfishorchid.xyz/_x/update.php

http://possibilityneedjennifer.xyz/_x/update.php

http://productglidinglynx.xyz/_x/update.php

http://grillpromotionpressure.xyz/_x/update.php

http://perchinterestdowntown.xyz/_x/update.php

http://companyresponsibilityshallot.xyz/_x/update.php

http://grassarmchairpreparation.xyz/_x/update.php

http://nickelreportaccountant.xyz/_x/update.php

http://descriptionbulldozerroast.xyz/_x/update.php

http://massforestopinion.xyz/_x/update.php

http://pancreasreportsnake.xyz/_x/update.php

http://donkeybillmexico.xyz/_x/update.php

http://pricemedicinejump.xyz/_x/update.php

http://summermosquemistake.xyz/_x/update.php

http://hyenadecisionblanket.xyz/_x/update.php

http://authorizationsharonneck.xyz/_x/update.php

http://competitioncrabquotation.xyz/_x/update.php

http://billwaterfallsoda.xyz/_x/update.php

http://coverapologyfeedback.xyz/_x/update.php

http://bucketbudgetplot.xyz/_x/update.php

http://chequeordersale.xyz/_x/update.php

http://shelfturnoverradish.xyz/_x/update.php

http://heattomatooffer.xyz/_x/update.php

http://geminikendocomparison.xyz/_x/update.php

http://costsfelonybumper.xyz/_x/update.php

http://israelseashoregoods.xyz/_x/update.php

http://ruthbudgetnetwork.xyz/_x/update.php

http://pricedogsquash.xyz/_x/update.php

http://armyindustrymail.xyz/_x/update.php

http://amountdebtorromania.xyz/_x/update.php

http://statisticcreekprofit.xyz/_x/update.php

http://salespressurelock.xyz/_x/update.php

http://commissionroadwaygirdle.xyz/_x/update.php

http://handlegumsalary.xyz/_x/update.php

http://apologytailorpelican.xyz/_x/update.php

http://selfdeliverynail.xyz/_x/update.php

http://permissionrhythmemery.xyz/_x/update.php

http://siamesefineknowledge.xyz/_x/update.php

http://cocktailtransportexistence.xyz/_x/update.php

http://danielheightreduction.xyz/_x/update.php

http://badgecupdifference.xyz/_x/update.php

http://grandmothernoveloffer.xyz/_x/update.php

http://billburglartablecloth.xyz/_x/update.php

http://timenoodlesuggestion.xyz/_x/update.php

http://ikebanadiscussionapology.xyz/_x/update.php

http://alloyimprovementterritory.xyz/_x/update.php

http://indexemployeecheese.xyz/_x/update.php

http://whipdifferencerecess.xyz/_x/update.php

http://tuneavenuecomparison.xyz/_x/update.php

http://copyretailerclose.xyz/_x/update.php

http://equipmentkicksaturday.xyz/_x/update.php

http://departmentrussianfall.xyz/_x/update.php

http://supportfaceoperation.xyz/_x/update.php

http://outputvacuumproperty.xyz/_x/update.php

http://koreankeycomparison.xyz/_x/update.php

http://alibitowerrepairs.xyz/_x/update.php

http://forkveilfall.xyz/_x/update.php

http://permissionhandmosque.xyz/_x/update.php

http://marketgreat-grandfatherkettle.xyz/_x/update.php

http://guaranteelistmichael.xyz/_x/update.php

http://budgethardcoverliver.xyz/_x/update.php

http://germanquotationconfirmation.xyz/_x/update.php

http://schooljapanesecustomer.xyz/_x/update.php

http://competitionstocksister.xyz/_x/update.php

http://budgetpaultrail.xyz/_x/update.php

http://anteaterimprovementgermany.xyz/_x/update.php

http://employerbatvietnam.xyz/_x/update.php

http://orderareateaching.xyz/_x/update.php

 

Detection:

Both Cyphort (now a Juniper Networks company) and Juniper Sky ATP detect LockPOS, as can be seen in the screenshots below.

[Screenshots: Cyphort and Juniper Sky ATP detection results for the LockPoS sample]

Thanks to Anoop Saldanhna and the rest of the threat research team for their help in writing this blog.