FighterPOS – DIY Malware

August 8, 2015

I would first like to credit TrendMicro with their initial research on FighterPOS. There have been an emegerence of new domains for FighterPOS recently and I discovered a whole load of other possible domains that could be used for the command and control. This particular peice of malware uses a open source VB6 peice of malware called ‘vnLoader’. The author of FighterPOS has either got himself or asked someone else to create a modified version to use as POS malware.

A correlation of all the panel domains is that they have no index in most directories, you can wade through most of the website without any problems allowing me to discover some differences to vnLoader and some strange pages. vnLoader was littered with SQL injections allowing anyone to take control of a panel easily. It seems the malware owner has fixed this or the hosting providers WAF is working well.

aDropboxUploader is a strange modification to make, uploading either the keylogging files or the card dumps to dropbox seems like a risky move for a criminal to make, but this is available in all live panels of FightPOS I’ve seen. At the root of the domain there is an upload folder, within it is the executables most likely used as updates.

bThe keylog files were not encrypted and allowed me to see who was infected. Many of the keylogging files were mostly useless. The keylogger functionality in the bot itself is poor, but here we see that application names and other interesting things are captured. Like the TrendMicro whitepaper suggests, Brazil is where most of the infections are from. The logs as we can see from the top of the picture include [K] to signify it’s from the keylogger and the PC name and ID of the computer from infection.cIn this picture it shows that a store in an airport has been infected. There’s nothing else really to say here, just thought it was quite interesting that it was in an airport.

e

The login is mostly unchanged from vnLoader but I haven’t seen vnLoader in while so I didn’t suspect anything at this time and simply thought it was a custom built panel for POS malware. I had found some open directories but nothing had signified vnLoader fully yet.

fThen I discovered the images directory and looked into it, I found that logo.png allowed me to identify the open source botnet ‘vnLoader’ was used in some way.

gFrom here I decided to compare what was different in the various open directories to try and see how modified this was. There were two new PHP files called CryptCom.php and botlist_backup.php. botlist_backup.php either requires a login or the correct parameters, botlist_backup.php is obviously not called in the malware and so I was unable to see the functionality for that page.

hAnother file I found was count.php which was only used on what seemed to be older versions of the panel, the functionality by a guess seems to count the lines from upload (where keylogs and card dumps go to) and count how many there are. It seems it was only designed for one panel which allowed this error, providing me more information on other panels.

kI had a little go myself with counting how many keylogs and dumps there were, another try on a different panel resulted in 200+

lOnto the binaries. When I was writing applications I noticed how hard it was to catch every exception in VB6, exceptions can crash the program if not dealt correctly with in VB6. Crashes can give the user some form of suspicion, whatever message or logo you put on it. (Automation Error made me chuckle 🙂 )

mInside the VB6 file is another executable, I always check first in the resources section of a malicious application as some try to hide like this has, valuable information. The MZ and other parts of the hex identify well that this is indeed another exe. DUMPSCANNER seems like a weird name to a resource but it isn’t, this is used to check processes and find card data or “dumps”.

nVery easy to identify that it’s VB5-6 due to the strings _vb calling various internal libraries that VB has. This allowed me to see the code in a different pseudo like form. Although the code was not complete, it gives me better insight on what the programs functionality was.

oThe malicous exe checks your operating system with winmgmts which is a fairly generic way of doing so, they also use the same method to find information about the logical disk.

p

It also wishes to check if you’re an administrator and uses virtually the same code as this found on activeexperts.com

strComputer = "atl-win2k-01"
Set colGroups = GetObject("WinNT://" & strComputer & "")
colGroups.Filter = Array("group")
For Each objGroup In colGroups
    For Each objUser in objGroup.Members
        If objUser.name = "kenmyer" Then
            Wscript.Echo objGroup.Name
        End If
    Next
Next

There is a statically named folder for keylogging files in the systemroot, roughly translates to “my files” the use of VB6 libraries are used to create the directory. Can be easily picked up by an AV with behaviour analysis, no reason for a program to create a new folder in system root called my files. The keylogging files are also put into the temp directory, presumably due to there being a possibility of not having the rights to write in that folder. Virtually the same code as vnLoader.

rThe startup for the VB6 peice of malware is nothing special, it becomes noisy as they add a large amount of things to startup. To avoid the hassles of registry in VB6 and exceptions, the author decides to use cmd to do this operation.

tAs we can see the startup is littered with various operations for this peice of malware, anyone with any experience in analysing malware could determine that indeed this was a malicous threat , it gives some interesting insight in where the applications are loaded.

u

When the applications startup they do not clash (We can see multiple InternetExplorer entries in the registry, this is due to the mutex ability that vnLoader provides. Most of the code in the first exe is largely unchanged and very old. If anything this threat shows how poor POS security really is, this code is open source, generic and is written in an old language. v

The dump scanner utilises threads and scans through all processes with the VM_Read right, although I hadn’t worked out how it fed this back to the main application. It goes through all the processes with common API’s like Process32First and Process32Next.

xOne thing to note from all of this is the backup domains. I looked at these unicode strings and found they were either current or future C&C’s.

yThese are used in a switch case in which I presume they are backups. What’s funny is that the .biz is taken but the others have not been. I don’t think it’s wise for a malware author to assume he will have these domains. I’ve registered the 01.xyz variation to attempt to sinkhole, although they could update the exe at anytime.

z

Domains currently tracked:

poiuytre.org

poiuytre.org

lkjhgfdsa.xyz

lkjhgfdsa01.xyz

lkjhgfdsa02.xyz

lkjhgfdsa03.xyz

lkjhgfdsa04.xyz

lkjhgfdsa05.xyz