The cybercrime history is going through a moment of accumulation of weapons in large arsenals; there is a buildup of massive cyber weapons in espionage operations, often attributed to nation-states. While some of these stockpiles yield almost cinematic stories, for example in the case of the Equation Group, there are also threats with more common purposes, such as those that target the theft of payment card data, but which are also based on amassing tools and malware in quantities which are as large as intelligence agencies.
In a routine analysis, members of Tempest’s Threat Intelligence team found a set of malware samples, which, at first glance, seemed to be linked to a traditional attack campaign against Brazilian merchants using Point of Sale (POS) systems. Bearing in mind that it is part of the attacker’s strategy to hide large operations in seemingly ordinary behaviour, the researchers went deep into the discovery and found a major operation, which, in four years, had maintained dozens of tools and hundreds of malware in its arsenal and had accumulated more than 1.4 million payment card data (credit, debit, food and meal cards).
Named by researchers at Tempest as HydraPOS, the fraudsters’ operation has several “heads”, which, at the beginning of the attacks, aimed only at stockpiling payment card data by exploiting supermarket systems. However, over the years, it has incorporated the collection of bank data and e-commerce access credentials into its criminal activity.
The HydraPOS operation is made up of several pieces of malware — found in hundreds of different builds and versions — and a handful of third-party and malware tools known as Kaptoxa — used in the attack against the large retailer Target in 2014 and also known as Trojan.POSRAM — and other malicious code hitherto unidentified or published by the industry.
Techniques for infection
The process of infection by HydraPOS is based on a vast scan, often involving the entire broadband service range of Brazilian telecommunications companies. This activity uses tools known as VNC-Scanner, or another for the same purpose, but developed by the threat actor. These tools search for commonly used remote access services (VNC, RDP, Radmin, and SSH) that are incorrectly configured or are based on outdated software versions. Targets identified at this stage are subjected to brute-force attacks to gain access to passwords or to exploit previously documented vulnerabilities. Depending on technical specificities, or other criteria, HydraPOS operators also use phishing attacks to infect victims.
In the merchant’s network
From the moment the attacker gains access to the victim’s computer, there are a variety of paths that HydraPOS operators can take to install new malware, extract data, and maintain persistence in the environment.
Connections to targets through remote administration tools by themselves allow for a series of operations, depending on the access privilege gained by the attacker.
In cases in which the infection vector occurs through phishing, a malicious file is sent to users, which, when activated, allows for the opening of a channel via Remote Desktop with administrative privileges, among other functionalities.
Depending on the characteristics of the environment, the logic present in the latest version of HydraPOS code defines which tools will be used to collect access credentials and payment card data. Researches had identified cases in which the data collection was based on Kaptoxa – malware active since 2013 and sold in darknet forums – which was developed to recognize and extract card data being processed in the memory of the computers at the time of transaction.
Although much of the communication in the process of a card transaction is encrypted, POS software naturally needs to decipher the information in the transaction authorization process. The memory-scraper malware type, such as Kaptoxa, is designed to identify which spaces in memory will be allocated with information of interest to the attacker. In this way, these malware wait for the space to be filled with the information of interest and save that data in files to be later sent to a command and control server.
It was found, through the analysis of more recent artefacts, that the memory scraping activity was later incorporated into the HydraPOS code, suggesting that, at some point, the use of Kaptoxa was abandoned or reduced.
HydraPOS operators also use other third-party malware to obtain target data. In the binary named “Track 2 sniffer.exe“, it was identified the Win32/Dexter (also called Poxters), which has keylogger and memory scraping functions.
Malware developed by the attacker himself are also used, such as the keylogger that uses the filename “pdv.exe”, the memory-scraper that uses the filename “explorer.exe” and the e-commerce credential collector that uses the filename “win.exe“.
Many of these malware send data to command and control servers. However, depending on the specificities of the victims’ infrastructure, this information could also be e-mailed or selected and retrieved remotely and on demand by the attacker.
Command and Control Servers (C&C)
Tempest’s Threat Intelligence team was able to identify seven servers in use by the attacker; part of these repositories stored 1,454,291 records of payment card data, which evidence pointed to an accumulation since 2015. The total number of stolen data can be much higher, since, through the investigation and intelligence work in open source data, evidence was found suggesting that HydraPOS operators have been active at least since 2013. The possibility of the data being collected on demand, or sent by e-mail also supports the thesis that fraudsters might have access to more information than those stored in their C&Cs.
Another part of the C&Cs contained the massive arsenal available to operators. Several versions of other artefacts have been identified, covering various distributions of legitimate use tools (such as those used for remote administration), brute-force attack mechanisms, and tools for collecting email addresses.
In addition, the repositories contained tools developed by HydraPOS operators to handle the large volume of information and targets, such as the “FindInfoTxt” — which classifies payment card data according to the service code, separating more valuable and larger cards limits, such as platinum cards, from others with less value — or the “Gerenciador Sitef”, which operates as a control panel to check status and send commands to infected machines.
Further details on the HydraPOS arsenal are available in the appendix below.
How to prevent attacks similar to HydraPOS
Operations such as HydraPOS take advantage of three failures that can be found in companies of all sizes, but which are very common in environments where computers are used for a minimum set of features, such as the supermarket checkouts:
- use of misconfigured remote administration tools,
- use of fragile passwords,
- absence of a security-oriented configuration pattern of the operating system and its applications.
In these environments, the more geographically dispersed the stores are, the more necessary it is to use tools for remote administration such as VNC, Remote Desktop or Radmin. On many occasions, access to the machines is made by a large number of employees, sometimes outsourced, and with a high turnover level. Thus, the password setting for remote administration tools, when it exists, is often made for the rapid absorption of the teams. The result is the definition of fragile passwords, shared among all support analysts and easily identified by brute-force tools.
To avoid this scenario, it is important to choose remote access solutions that centrally allow for the granting and revocation of access for each support analyst, thus avoiding the sharing of passwords between people. It is also important to adopt two-factor authentication solutions, not only depending on the user and password to access network resources, but also on other factors such as tokens, biometrics, etc.
As important as setting standards for the use of passwords and other authentication mechanisms, it is essential to maintain up-to-date systems and establish standards for the configuration of all machines. Updates should not be limited to the operating system, but they need to cover all other applications, and the standards should cover all configurations to make them more secure.
In addition, it is important that all employees be trained on how to identify suspicious messages, common to phishing attacks. There are several ways to train users about it, like educational phishing platforms to train employees regarding the fact that this is one of the most common threats in the world.
Appendix and Indicators of Compromise
Below some tools and artefacts are described, as well as indicators related to HydraPOS
Legitimate remote administration tools used by attackers:
- RealVNC: Client / Server VNC.
- ThighVNC: Client / Server VNC.
- NVNC: Server VNC.
- Ammyy: Client / Server for remote administration.
- Bitvise: Client / Server SSH.
Malicious tools developed by third parties:
- VNC-Scanner: scan tool that searches for vulnerable VNC machines and exploits vulnerabilities in this service.
- Fast RDP Brute: tool used in brute-force attacks to obtain access credentials on RDP systems.
- VUBrute: tool used in brute-force attacks to obtain access credentials on VNC systems.
- DUBrute: tool used in brute-force attacks to obtain access credentials on RDP systems.
- LameScan: tool used in brute-force attacks to obtain access credentials on Radmin systems.
- Advanced IP Scanner: network scanner and Trojan installer on RDP and Radmin systems.
- Sanmao Email Collector: collector of email addresses on websites.
- Sanmao Email Scraper: collects email addresses in search tools.
- Sanmao SMTP Mail Cracker: tool used in brute force attacks for email.
Tools developed by HydraPOS operators:
FindInfoTxt: tool to classify card data according to the Service Code, extract BINs (Bank Identification Number) and delete repeated tracks. No detection by VirusTotal.
- MD5: 3d05a4d2ddf9fa1674579b15d5980c26
- SHA1: 24ce8ff328b44658f0db21dac25f109c57eeea5e
- SHA256: d88b82e936adf47778826dd23886c9288e807f389a242bfb5a0f6e4fdc8674ac
Gerenciador Sitef: control panel for real-time visualization of infected merchants’ computers. It also sends commands to the infected machines. No detection by VirusTotal.
LRemoto: tool that allows the infected computer to connect and download other malware components or updates. No detection by VirusTotal.
Scanner: scan tool that identifies IP addresses that are running VNC and RDP services. It also has brute-force functionality. No detection by VirusTotal.
Windows Explorer: tool for sending SPAM. No detection by VirusTotal.
Olhar: tool that manages a list of infected computers. Detection ratio in VirusTotal: 5/63.
- MD5: e284a2aac9ad1523564aecc11f6c0680
- SHA1: 6483934ce8363694e81eec473adaa29a0905e601
- SHA256: d0cd4a6b01ce81ec8030fbb5b4de9437106a276602cbd590b5680ee3e0212aa8
- Kaptoxa: memory-scraper malware
- Win32 / Dexter: keylogger and memory-scraper
Malware developed by HydraPOS operators:
Adobe.exe: Payment card data collector and e-commerce credentials. No detection by VirusTotal.
- MD5: bd0aca51fbde462328cafab83dd9d619
- SHA1: b9a2c27b9e72c6ee38927f2a8ba9bf20725dbffc
- SHA256: 8709cc4ee0a0c3040a173f58521dda0fe436af7e0fbb69f59169cebbf3c1ddac
pdv.exe: keylogger. No detection by VirusTotal.
- MD5: 8c745dd89a6de372a49fe9faa6d614a2
- SHA1: 7d1d7a490ba1362d90dc569d2471af56b38ac8b0
- SHA256: 5bf208da4e4bb3a1c6403f370badb30f50ffc0d26b11744bb66d3450a68e51fd
explorer.exe: memory scraping malware. Detection ratio in VirusTotal: 29/63.
- MD5: d4127862bf705de3debbdbce99b70bed
Win.exe: kkeylogger and payment card data collector and e-commerce credentials. Detection ratio in VirusTotal: 19/63.
- MD5: ba07fbcd7f2a12957e81939bb88d2a6b
- SHA1: 0b2cf34b1af46607e19a18ddac9b2fefcb29eca1
- SHA256: 2f1442c01baa1cfcc64c96802707a5d7ac16891c7e2fbbc4f3f863d19f64476e
Anexo Pdf(167371371).exe: used to download and activate another malware. Detection ratio in VirusTotal: 32/63.
- MD5: 8b0fb09fb1ed82a88e9e5f1e69823afa
- SHA1: 3d28362bde5f1e99131a2107df80462a58fa00f7
- SHA256: 2a2af38cbfa51d56aa7bebb357825d8e661a532e043ef614bf9c473df6a8e8b8
- 66[.]220[.]9[.]50 — Port: 21/TCP
- 216[.]244[.]71[.]135 — Port: 1/TCP
- 216[.]244[.]95[.]10 — Ports: 1 and 7
- hxxp://m4godoc .esy.es
- hxxp://envioip .esy.es
- hxxp://infectbbb .esy.es
- hxxp://www.gidlinux .ninja