New version of the malware delivered with faulty obfuscation

Oct 16, 2014 09:56 GMT

A new variant of the FrameworkPOS malware affecting point-of-sale (POS) systems has been discovered to rely on DNS requests to deliver stolen card data to the attackers.

The malware, which is believed to have been used in the Home Depot data breach incident that leaked details of 56 million payment cards, has evolved into a new version that encodes the data communicated through a DNS request, using the scheme encoded_data.domain.com.

Attackers use three requests to get the info

G Data has performed an analysis of the new version and found that the attacker uses three different DNS requests to retrieve information.

With one of them, the cybercriminals receive details about the IP address of the infected machine as well as its host name.

Another is used for identifying the name of the process when a card number is found in the memory of the compromised system.

A third request carries the data found in memory before and after the “=” separator.

Paul Rascagneres of G Data explains in a blog post that FrameworkPOS uses the getaddrinfo() function for the DNS query. Depending on the operating system running on the infected machine, the function is imported from either Ws2_32.dll or Wship6.dll (which provides IPv6 support on Windows 2000).
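The three request types above, as a detection heuristic run over constructed DNS query log lines. This is an added example, not code from G Data's analysis; it assumes a hex-encoded leftmost label and a simple "<timestamp> <client> <qname>" log format, neither of which the article specifies.

```python
import re
from collections import Counter

HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2}){6,}$")   # even-length hex, at least 6 bytes
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}\b")

def _qname(data: str, domain: str) -> str:
    """Build a query name in the encoded_data.domain.com shape (hex encoding is an assumption)."""
    return f"{data.encode().hex()}.{domain}"

# Constructed sample log: two benign lookups, then the three request types the article describes.
SAMPLE_LOG = [
    "2014-10-15T10:00:01 10.0.0.7 www.example.com",
    "2014-10-15T10:00:01 10.0.0.7 static.cdn.example.net",
    "2014-10-15T10:00:02 10.0.0.7 " + _qname("10.0.0.7 POS-REG-01", "exfil.invalid"),
    "2014-10-15T10:00:03 10.0.0.7 " + _qname("pos.exe", "exfil.invalid"),
    "2014-10-15T10:00:04 10.0.0.7 " + _qname("CARDDATA=PLACEHOLDER", "exfil.invalid"),
]

def classify(decoded: str) -> str:
    """Map a decoded payload onto the three request types (host info, process name, track data)."""
    if IPV4.match(decoded):
        return "host-info"       # IP address plus host name of the infected machine
    if "=" in decoded:
        return "track-data"      # data before and after the "=" separator
    if decoded.lower().endswith(".exe"):
        return "process-name"    # process whose memory held a card number
    return "unknown"

def scan(lines):
    """Return (findings, suspicious_domains): one finding per hex-labelled query,
    and the set of parent domains that received three or more such queries."""
    findings, per_domain = [], Counter()
    for line in lines:
        labels = line.split()[-1].lower().rstrip(".").split(".")
        if len(labels) < 3 or not HEX_LABEL.match(labels[0]):
            continue                      # ordinary lookup, or not our assumed encoding
        try:
            decoded = bytes.fromhex(labels[0]).decode("ascii")
        except UnicodeDecodeError:
            decoded = ""                  # non-ASCII payload: still count the odd label
        if not decoded.isprintable():
            decoded = ""
        parent = ".".join(labels[-2:])    # naive parent-domain guess (assumption, no PSL)
        per_domain[parent] += 1
        findings.append((".".join(labels), parent, classify(decoded) if decoded else "unknown", decoded))
    # Hex-only labels also occur in benign traffic (CDN hashes), so alert on the
    # number of encoded labels per parent domain rather than on any single query.
    suspicious = {d for d, n in per_domain.items() if n >= 3}
    return findings, suspicious
```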

Faulty obfuscation technique, XOR is applied twice

After compromising the POS system, the attacker can control the malware by issuing commands for installation, uninstall, starting, or stopping its service.

Another command, “Setd,” sets the domain to which the information collected from the machine is sent; this is done during the malware installation process.

Rascagneres notes that the domain is not hardcoded in the sample, so it cannot be found by searching a sample database. It can, however, be recovered by analyzing the registry of the infected machine.

The security researcher has noticed that the malware author tried to obfuscate multiple strings in the binary, but failed miserably: the XOR (exclusive or) cipher was applied twice, which undoes the obfuscation entirely. Even applied once, XOR with a constant repeating key is a simple scheme that can be broken easily.

“The exclusive-or operation takes two inputs and returns a 1 if either one or the other of the inputs is a 1, but not if both are. That is, if both inputs are 1 or both inputs are 0, it returns 0,” explains Alex Allain from Dropbox in a tutorial on bitwise operators.

As such, applying XOR twice with the same key leaves the original message unchanged.