MAR-10201537 – HIDDEN COBRA FASTCash-Related Malware
Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise. This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary

Description

This report is an update to NCCIC report MAR-10201537.r1.v1, published Nov 8, 2018, and contains additional information related to two XCOFF executables identified in the original report as non-malicious:

SHA256:
10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba
ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c

Further analysis indicates these files are malicious. Once injected into the memory space of legitimate processes, these applications have the ability to modify ISO 8583 transaction data (ISO 8583 is the international messaging standard used to exchange ATM card transaction requests and responses), resulting in fraudulent ATM withdrawals.

Analysis of the remaining artifacts has not been modified, and includes the following:

-Three (3) additional XCOFF executable files, one of which may have been used to inject the malware described above into the memory space of a targeted server.
-One (1) ASCII log file, possibly created by the use of the XCOFF injector (b3efec…).
-Two (2) versions of a Themida-packed proxy service module, both Windows executables: one 32-bit and one 64-bit. This malware has the ability to modify local firewall settings and listen for incoming traffic.
-One (1) Remote Access Trojan (RAT), with the ability to modify firewall settings, accept remote commands, install proxy services, install and run additional malware payloads, and exfiltrate data.
-One (1) 64-bit installer application; the payload associated with this installer was not available for analysis.

For a downloadable copy of IOCs, see:

Files (12)
10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba (Lost_File.so)
1f2cd2bc23556fb84a51467fedb89cbde7a5883f49e3cfd75a241a6f08a42d6d (Unpacked_dump_4a740227eeb82c20...)
3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c (Lost_File1_so_file)
4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756 (4f67f3e4a7509af1b2b1c6180a03b3...)
820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6 (5cfa1c2cb430bec721063e3e2d144f...)
9ddacbcd0700dc4b9babcd09ac1cebe23a0035099cb612e6c85ff4dffd087a26 (Unpacked_dump_820ca1903a305162...)
a9bc09a17d55fc790568ac864e3885434a43c33834551e027adb1896a463aafc (8efaabb7b1700686efedadb7949eba...)
ab88f12f0a30b4601dc26dbae57646efb77d5c6382fb25522c529437e5428629 (d0a8e0b685c2ea775a74389973fc92...)
ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c (2.so)
d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee (Injection_API_executable_e)
e03dc5f1447f243cf1f305c58d95000ef4e7dbcc5c4e91154daa5acd83fea9a8 (Injection_API_log_generating_s...)
f3e521996c85c0cdb2bfb3a0fd91eb03e25ba6feef2ba3a1da844f1b17278dd2 (inject_api)

IPs (1)
75.99.63.27

Findings

820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6

Tags: backdoor, proxy, trojan

Details
Yara Rules
No matches found.

ssdeep Matches
No matches found.
Description

This application is a Themida-packed 32-bit Windows executable. It is designed to unpack and execute a service proxy module in memory (5c0a4f9e67ced69eaea17092444b2c1a).

Analysis indicates that this proxy module is designed to accept command-line parameters to perform its functions. The module is designed to modify the Windows Firewall on the victim's machine to allow incoming connections and to force the compromised system to function as a proxy server. The proxy module uses the following command to open a Windows Firewall port on the victim's machine in order to allow incoming connections:

--Begin firewall modification--
"netsh firewall add portopening TCP <port> RPCServer"
--End firewall modification--

The malware is designed to listen on the opened port for incoming traffic. The traffic may contain instructions to perform any of the following functions:

-Retrieve information about the logon sessions, drives installed, and operating system
-Search for files
-Execute processes
-Terminate processes
-Delete files
-Execute commands
-Download and upload files
-Read files and write files
-Compress and decompress files

This malware uses the multi-protocol file transfer library libcurl 7.49.1 for transferring data with URL syntax. It supports the following network protocols:

-POP3
-SMTP
-IMAP
-LDAP
-DICT
-FTP
-HTTP
-HTTPS

9ddacbcd0700dc4b9babcd09ac1cebe23a0035099cb612e6c85ff4dffd087a26

Tags: trojan

Details
Yara Rules
No matches found.

ssdeep Matches
No matches found.
Description

This file is the unpacked version of 820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6. Displayed below are strings of interest for this unpacked proxy module:

--Begin strings of interest--
httplibcurl/7.49.1%s:%d%255[^:]:%d:%255s%255[^:]:%d<no protocol>%I64u-ALL_PROXYall_proxyhttp_proxy_proxyNO_PROXYno_proxy%s://%s%s%s:%hu%s%s%s;type=%c[%*45[0123456789abcdefABCDEF:.]%cftp@example.comanonymous%s%s%sUser-Agent: %sSet-Cookie:RELOADFLUSHSESSidentitysockssocks4socks4asocks5socks5hpop3POP3.smtpSMTP.IMAPIMAP.LDAPLDAP.DICTDICT.FTP./?]%[^%15[^:]://%[^/?]%[^file%15[^:]:%[^%s://%sFALSETRUE#HttpOnly_expiresmax-ageversiondomainpathhttponlysecure%1023[^;=] =%4999[^;%s%s%s%I64dunknown# Fatal libcurl error# Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.none[%s %s %s]fromHeaderDatahost!0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ(nil)(nil).%ld0123456789%d.%d.%d.%dHTTP%sAuthorization: Basic %sProxy-%s:%sBasicAuthorization:Proxy-authorization:DigestNTLMHTTP/Expect: 100-continue100-continueExpect:ConnectionContent-LengthContent-Type:Host:If-Modified-Since: %sIf-Unmodified-Since: %sLast-Modified: %s%s, %02d %s %4d %02d:%02d:%02d GMTContent-Type: application/x-www-form-urlencodedContent-Length: 0Content-Length: %I64dContent-Length:%s%s%s%s=%sCookie:%s HTTP/%s%s%s%s%s%s%s%s%s%s%sftp://%s:%s@%sContent-Range: bytes %s/%I64dContent-Range: bytes %s%I64d/%I64dContent-Range: bytes 0-%I64d/%I64dContent-Range:Range: bytes=%sRange:Host: %s%s%s:%huHost: %s%s%sAccept: */*Accept:;type=ftp://Transfer-Encoding: chunkedchunkedTransfer-Encoding:Accept-Encoding: %sAccept-Encoding:Cookie:Referer: %sReferer:User-Agent:POSTHEADLocation:Proxy-authenticate:WWW-Authenticate:Last-Modified:Content-Encoding:x-gzipgzipdeflateConnection:closeProxy-Connection:keep-aliveServer:RTSP/%d.%d %3dHTTP %3dHTTP/%d.%d %d%hu.%hu.%hu.%huHTTP/1.%d %dCONNECT %s HTTP/%s%s%s%sHost: %s%s%s%s:%huCONNECT%s:%hudefaultmachinepasswordlogin_netrcHOMEc%c==%c%c%c=%c%c%c%capplication/xml.xmltext/html.htmltext/plain.txt.jpegimage/jpeg.jpgimage/gif.gif; filename="%s"------------------------%08x%08x--%s----%s--Content-Type: %s--%sContent-Disposition: attachmentContent-Type: multipart/mixed; boundary=%sContent-Disposition: form-data; name="--%s%s; boundary=%sContent-Type: multipart/form-dataOut of memoryBad content-encoding foundWrite errorMalformed encoding foundIllegal or missing hexadecimal sequenceToo long hexadecimal number%02xauth-intauth%08x%08x%08x%08x%s, algorithm="%s"%s, opaque="%s"username="%s", realm="%s", nonce="%s", uri="%s", response="%s"username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=%08x, qop=%s, response="%s"%s:%s:%08x:%s:%s:%sd41d8cd98f00b204e9800998ecf8427e%s:%s:%sMD5-sessalgorithmopaquerealmtruestalenonceNTLMSSPNTLMSSP%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%s%sNTLMSSP%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%cKGS!@#$%%c%c%c%cout of memory1.2.8internal error: deflate stream corruptrequested length does not fit in intdeflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler1.2.8
--End strings of interest--

4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756

Tags: backdoor, proxy, trojan

Details
Yara Rules
No matches found.

ssdeep Matches
No matches found.
Description

This application is a Themida-packed 64-bit Windows executable. It is designed to unpack and execute a service proxy module in memory (02959903cd988443e5ef519d556b34b0).

Analysis indicates that this proxy module is designed to accept command-line parameters to perform its functions. The module is designed to modify the Windows Firewall on the victim's machine to allow incoming connections and to force the compromised system to function as a proxy server. The proxy module uses the following command to open a Windows Firewall port on the victim's machine in order to allow incoming connections:

--Begin firewall modification--
"netsh firewall add portopening TCP <port> RPCServer"
--End firewall modification--

The malware is designed to listen on the opened port for incoming traffic. The traffic may contain instructions to perform any of the following functions:

-Retrieve information about the logon sessions, drives installed, and operating system
-Search for files
-Execute processes
-Terminate processes
-Delete files
-Execute commands
-Download and upload files
-Read files and write files
-Compress and decompress files

This malware uses the multi-protocol file transfer library libcurl 7.49.1 for transferring data with URL syntax. It supports the following network protocols:

-POP3
-SMTP
-IMAP
-LDAP
-DICT
-FTP
-HTTP
-HTTPS

1f2cd2bc23556fb84a51467fedb89cbde7a5883f49e3cfd75a241a6f08a42d6d

Tags: trojan

Details
Yara Rules
No matches found.

ssdeep Matches
No matches found.
Description

This file is the unpacked version of 4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756. Displayed below are strings of interest for this unpacked proxy module:

--Begin strings of interest--
httplibcurl/7.49.1%s:%d%255[^:]:%d:%255s%255[^:]:%d<no protocol>%I64u-ALL_PROXYall_proxyhttp_proxy_proxyNO_PROXYno_proxy%s://%s%s%s:%hu%s%s%s;type=%c[%*45[0123456789abcdefABCDEF:.]%cftp@example.comanonymous%s%s%sUser-Agent: %sSet-Cookie:RELOADFLUSHSESSidentitysockssocks4socks4asocks5socks5hpop3POP3.smtpSMTP.IMAPIMAP.LDAPLDAP.DICTDICT.FTP./?]%[^%15[^:]://%[^/?]%[^file%15[^:]:%[^%s://%sFALSETRUE#HttpOnly_expiresmax-ageversiondomainpathhttponlysecure%1023[^;=] =%4999[^;%s%s%s%I64dunknown# Fatal libcurl error# Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.none[%s %s %s]fromHeaderDatahost!0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ(nil)(nil).%ld0123456789%d.%d.%d.%dHTTP%sAuthorization: Basic %sProxy-%s:%sBasicAuthorization:Proxy-authorization:DigestNTLMHTTP/Expect: 100-continue100-continueExpect:ConnectionContent-LengthContent-Type:Host:If-Modified-Since: %sIf-Unmodified-Since: %sLast-Modified: %s%s, %02d %s %4d %02d:%02d:%02d GMTContent-Type: application/x-www-form-urlencodedContent-Length: 0Content-Length: %I64dContent-Length:%s%s%s%s=%sCookie:%s HTTP/%s%s%s%s%s%s%s%s%s%s%sftp://%s:%s@%sContent-Range: bytes %s/%I64dContent-Range: bytes %s%I64d/%I64dContent-Range: bytes 0-%I64d/%I64dContent-Range:Range: bytes=%sRange:Host: %s%s%s:%huHost: %s%s%sAccept: */*Accept:;type=ftp://Transfer-Encoding: chunkedchunkedTransfer-Encoding:Accept-Encoding: %sAccept-Encoding:Cookie:Referer: %sReferer:User-Agent:POSTHEADLocation:Proxy-authenticate:WWW-Authenticate:Last-Modified:Content-Encoding:x-gzipgzipdeflateConnection:closeProxy-Connection:keep-aliveServer:RTSP/%d.%d %3dHTTP %3dHTTP/%d.%d %d%hu.%hu.%hu.%huHTTP/1.%d %dCONNECT %s HTTP/%s%s%s%sHost: %s%s%s%s:%huCONNECT%s:%hudefaultmachinepasswordlogin_netrcHOMEc%c==%c%c%c=%c%c%c%capplication/xml.xmltext/html.htmltext/plain.txt.jpegimage/jpeg.jpgimage/gif.gif; filename="%s"------------------------%08x%08x--%s----%s--Content-Type: %s--%sContent-Disposition: attachmentContent-Type: multipart/mixed; boundary=%sContent-Disposition: form-data; name="--%s%s; boundary=%sContent-Type: multipart/form-dataOut of memoryBad content-encoding foundWrite errorMalformed encoding foundIllegal or missing hexadecimal sequenceToo long hexadecimal number%02xauth-intauth%08x%08x%08x%08x%s, algorithm="%s"%s, opaque="%s"username="%s", realm="%s", nonce="%s", uri="%s", response="%s"username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=%08x, qop=%s, response="%s"%s:%s:%08x:%s:%s:%sd41d8cd98f00b204e9800998ecf8427e%s:%s:%sMD5-sessalgorithmopaquerealmtruestalenonceNTLMSSPNTLMSSP%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%s%sNTLMSSP%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%cKGS!@#$%%c%c%c%cout of memory1.2.8internal error: deflate stream corruptrequested length does not fit in intdeflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler1.2.8
--End strings of interest--

ab88f12f0a30b4601dc26dbae57646efb77d5c6382fb25522c529437e5428629

Tags: remote-access-trojan, trojan

Details
Yara Rules
No matches found.

ssdeep Matches
No matches found.
Description

This application is a 32-bit Windows executable. It is designed to execute as a service named "helpsvcs." The application uses the Rivest Cipher 4 (RC4) algorithm to encrypt its configuration data and stores four bytes of data (a unique identifier), the RC4 key, and the encrypted configuration data in the following registry values:

--Begin registry key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\Security"
ValueName = "Data1"
ValueData = "Encrypted configuration data"

hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\PVS\Security"
ValueName = "Data1"
ValueData = "Encrypted configuration data"
--End registry key--

Displayed below is the RC4 key for encrypting and decrypting the configuration data:

--Begin RC4 key--
11 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00
--End RC4 key--

Displayed below is the hard-coded configuration data, which contains command and control (C2) information:

--Begin hard-coded configuration data--
FF 04 00 02 00 00 00 04 FF 08 00 00 4B 63 3F 1B ===> 75.99.63.27
00 00 00 00 FF 02 00 01 BB 01 FF 04 00 04 00 00 ===> port 443
00 00 FF 04 00 03 3C 00 00 00 FF 04 00 05 00 00
00 00 FF 04 00 08 01 00 00 00 FF 04 00 06 00 00
00 00 FF 00 00 09 00 FF 00 00 0A 00 FF 00 00 0B
00 FF 00 00 0C 00 FF 00 00 0D 00 FF 00 00 0E 00
FF 04 00 07 00 00 00 00 FD
--End hard-coded configuration data--

Displayed below is the data stored in the registry, including the four-byte data (unique identifier), the RC4 key, and the encrypted configuration data:

--Begin configuration data--
10 00 20 00 ===> four-byte data (unique identifier)
11 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ===> RC4 key
FF 04 00 02 00 00 00 04 FF 08 00 00 4B 63 3F 1B ===> configuration
00 00 00 00 FF 02 00 01 BB 01 FF 04 00 04 00 00
00 00 FF 04 00 03 3C 00 00 00 FF 04 00 05 00 00
00 00 FF 04 00 08 01 00 00 00 FF 04 00 06 00 00
00 00 FF 00 00 09 00 FF 00 00 0A 00 FF 00 00 0B
00 FF 00 00 0C 00 FF 00 00 0D 00 FF 00 00 0E 00
FF 04 00 07 00 00 00 00 FD
--End configuration data--

The malware is designed to encrypt a payload from the remote operator using the following hard-coded RC4 key:

--Begin hard-coded RC4 key--
53 87 F2 11 30 3D B5 52 AD C8 28 09 E0 52 60 D0 6C C5 68 E2 70 77 3C 8F 12 C0 7B 13 D7 B3 9F 7C
--End hard-coded RC4 key--

The encrypted payload is installed into the following registry value:

--Begin registry key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\Security"
ValueName = "Data0"
ValueData = "Encrypted payload"
--End registry key--

The malware uses the following command to open a Windows Firewall port on the victim's machine in order to allow incoming connections:

--Begin firewall modification--
"netsh firewall add portopening TCP 443 "Windows Firewall Remote Management""
--End firewall modification--

The malware binds and listens on port 443 for incoming connections from a remote operator. No outbound connection was observed during analysis. Static analysis indicates that the malware is capable of providing remote command and control capabilities, including the ability to exfiltrate data, install and run secondary payloads, and provide proxy services on a compromised system.
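The following Python script is added here as a worked example; it is not code from the report or from the malware. It rebuilds the Data1 layout described above (four-byte identifier, 16-byte RC4 key, RC4-encrypted configuration) from the bytes printed in this section and decodes it back to the C2 address and port. Because the report prints the configuration in the clear, the sample blob is constructed by encrypting that configuration under the printed key. Reading the configuration as records of the form FF / 16-bit little-endian length / tag / value terminated by FD is my interpretation of the displayed bytes, not a format the report states, and the handling of zero-length records (each is followed by a single 0x00 in the sample) is likewise an assumption.

```python
"""Decoder for the RAT's registry configuration value (Data1).  Added
example, not code from the report or the malware.  The blob layout
(4-byte identifier, 16-byte RC4 key, RC4-encrypted configuration) and the
key/configuration bytes are as printed in the report; the record format
used to walk the configuration is my reading of those bytes (assumption)."""
import socket
import struct

# Bytes as printed in the report.
IDENTIFIER = bytes.fromhex("10 00 20 00")
RC4_KEY = bytes.fromhex("11 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00")
CONFIG_PLAINTEXT = bytes.fromhex(
    "FF 04 00 02 00 00 00 04 FF 08 00 00 4B 63 3F 1B "
    "00 00 00 00 FF 02 00 01 BB 01 FF 04 00 04 00 00 "
    "00 00 FF 04 00 03 3C 00 00 00 FF 04 00 05 00 00 "
    "00 00 FF 04 00 08 01 00 00 00 FF 04 00 06 00 00 "
    "00 00 FF 00 00 09 00 FF 00 00 0A 00 FF 00 00 0B "
    "00 FF 00 00 0C 00 FF 00 00 0D 00 FF 00 00 0E 00 "
    "FF 04 00 07 00 00 00 00 FD"
)

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def parse_config(cfg: bytes) -> dict:
    """Walk records of the form FF <len u16 LE> <tag u8> <value[len]> up to
    the FD terminator.  Assumption: a zero-length record is an empty
    NUL-terminated string, so exactly one 0x00 follows its tag (the sample
    shows this for tags 0x09-0x0E)."""
    entries, pos = {}, 0
    while pos < len(cfg):
        marker = cfg[pos]
        if marker == 0xFD:
            return entries
        if marker != 0xFF:
            raise ValueError(f"unexpected marker {marker:#04x} at offset {pos}")
        length = struct.unpack_from("<H", cfg, pos + 1)[0]
        tag = cfg[pos + 3]
        pos += 4
        if length:
            value = cfg[pos:pos + length]
            if len(value) != length:
                raise ValueError(f"truncated record for tag {tag:#04x}")
            pos += length
        else:
            end = cfg.index(0, pos)          # ValueError if no NUL follows
            value, pos = cfg[pos:end], end + 1
        entries[tag] = value
    raise ValueError("configuration has no FD terminator")

def decode_registry_blob(blob: bytes) -> dict:
    """Split identifier | key | ciphertext, decrypt with the embedded key,
    and lift out what the report annotates: tag 0x00 holds the C2 address
    (first four bytes, network order) and tag 0x01 the port (u16 LE)."""
    identifier, key, ciphertext = blob[:4], blob[4:20], blob[20:]
    entries = parse_config(rc4(key, ciphertext))
    return {
        "identifier": identifier,
        "key": key,
        "entries": entries,
        "c2_ip": socket.inet_ntoa(entries[0x00][:4]),
        "c2_port": struct.unpack("<H", entries[0x01])[0],
    }

def build_registry_blob() -> bytes:
    """Constructed sample value: the printed configuration RC4-encrypted under
    the printed key, behind the identifier and key as the report lays it out."""
    return IDENTIFIER + RC4_KEY + rc4(RC4_KEY, CONFIG_PLAINTEXT)

if __name__ == "__main__":
    info = decode_registry_blob(build_registry_blob())
    print(f"C2 {info['c2_ip']}:{info['c2_port']}, {len(info['entries'])} records")
```

On a live host the same routine applies to the raw bytes of HKLM\SYSTEM\CurrentControlSet\Services\Security\Data1 (and the PVS\Security copy), minus the construction step. The key is used as the full 16 bytes printed; the report does not say whether the implant uses the whole buffer or stops at the first zero byte, so if a value pulled from a host does not decode to FF-prefixed records, retry with the key truncated to its first two bytes.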
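The firewall change is the one host artifact shared by the proxy modules ("netsh firewall add portopening TCP <port> RPCServer") and this RAT ("... TCP 443 "Windows Firewall Remote Management""). The Python below is an added detection example, not code from the report: it parses process-creation command lines for that legacy netsh syntax and returns the port and rule name, treating the two rule names the report quotes as the high-confidence signal. The event records are constructed in a Sysmon Event ID 1 / Security 4688 style (the 8080 port for the proxy module is made up, since the report only shows a placeholder), and the "netsh advfirewall" branch is an assumption about the modern equivalent syntax rather than something the samples are reported to use.

```python
"""Flags inbound firewall openings made through netsh in process-creation
telemetry.  Added example, not code from the report.  Event records are
constructed in a Sysmon Event ID 1 / Security 4688 style; the
'netsh advfirewall' branch is an assumption about the modern equivalent of
the legacy syntax the samples use and does not come from the report."""
import re

# Rule names the report quotes from the samples (proxy module and RAT).
KNOWN_RULE_NAMES = {"rpcserver", "windows firewall remote management"}
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')

def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted spans
    together and dropping the quotes; backslashes are left alone."""
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]

def parse_port_opening(cmdline: str):
    """Return {'protocol', 'port', 'name'} if cmdline opens an inbound port
    through netsh, otherwise None."""
    toks = tokenize(cmdline)
    if not toks or toks[0].rsplit("\\", 1)[-1].lower() not in ("netsh", "netsh.exe"):
        return None
    low = [t.lower() for t in toks]
    # Legacy context used by the samples: netsh firewall add portopening <proto> <port> <name>
    if low[1:4] == ["firewall", "add", "portopening"] and len(toks) >= 7 and toks[5].isdigit():
        return {"protocol": toks[4].upper(), "port": int(toks[5]), "name": toks[6]}
    # Assumed modern equivalent: netsh advfirewall firewall add rule key=value ...
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        kv = {k.lower(): v for k, v in (t.split("=", 1) for t in toks[5:] if "=" in t)}
        if kv.get("dir", "").lower() == "in" and kv.get("action", "").lower() == "allow":
            port = kv.get("localport", "")
            return {"protocol": kv.get("protocol", "any").upper(),
                    "port": int(port) if port.isdigit() else None,
                    "name": kv.get("name", "")}
    return None

def scan(events: list) -> list:
    """Run parse_port_opening over process-creation events.  Every hit is
    worth a look; a rule name quoted in the report is the strong signal."""
    hits = []
    for ev in events:
        opening = parse_port_opening(ev.get("CommandLine", ""))
        if opening is None:
            continue
        reasons = ["inbound port opened via netsh"]
        if opening["name"].lower() in KNOWN_RULE_NAMES:
            reasons.append("rule name matches HIDDEN COBRA sample")
        hits.append({"host": ev.get("Computer"), "parent": ev.get("ParentImage"),
                     **opening, "reasons": reasons})
    return hits

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Computer": "srv01", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'C:\Windows\System32\netsh.exe firewall add portopening TCP 443 "Windows Firewall Remote Management"'},
    {"Computer": "srv02", "ParentImage": r"C:\Windows\Temp\update.exe",
     "CommandLine": "netsh firewall add portopening TCP 8080 RPCServer"},
    {"Computer": "srv03", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Sync Agent" dir=in action=allow protocol=TCP localport=7000'},
    {"Computer": "srv04", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "netsh interface ip show config"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["host"], hit["port"], hit["name"], "; ".join(hit["reasons"]))
```

Command-line matching only sees the change being made; for hosts where logging was not in place at the time, enumerate the existing rules (the legacy context names them exactly as above) and the listening sockets on 443, since the RAT binds there without any outbound connection.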
The malware utilizes the RC4 encryption algorithm to encrypt/decrypt a portion of its communications data to and from the remote operator.

Following is a list of the types of data exfiltrated by the malware, including the victim's system information and the malware's own data:

-network adapter information
-computer name
-username
-system Internet Protocol (IP) address
-hard-coded value (00 00 00 04h)
-current directory of the malware
-%Current directory%\malware.exe
-hard-coded value (01h)
-hard-coded value "PVS"
-the victim's operating system information
-installed drives information
-the current system time

Displayed below are additional functions the malware performs based on specified commands from the remote operator:

-Retrieve information about installed drives
-Search for files
-Execute processes
-Terminate processes
-Delete files
-Execute commands
-Download and upload files
-Read files and write files
-Compress and uncompress files
-Change the listening port for Remote Desktop via registry modification

a9bc09a17d55fc790568ac864e3885434a43c33834551e027adb1896a463aafc

Tags: trojan

Details
Yara Rules
No matches found.

ssdeep Matches
No matches found.
Description

This application is a malicious 64-bit Windows Dynamic Link Library (DLL), designed to run as a Windows service under "svchost.exe." When executed, it searches for, and attempts to load into memory and RC4-decrypt, a payload from the following registry values:

--Begin registry key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\Security"
ValueName = "Data0"

hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\Security"
ValueName = "Data2"
--End registry key--

The binary that installs the encrypted payload in the registry was not available for analysis.

75.99.63.27

Whois

Note that the record below is a domain registration record for optonline.net, not an IP allocation record for 75.99.63.27 itself.

Domain Name: optonline.net
Registry Domain ID: 4531660_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2016-06-08T16:38:21Z
Creation Date: 1996-10-07T04:00:00Z
Registrar Registration Expiration Date: 2018-10-06T04:00:00Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registrant Organization: Cablevision Systems Corporation
Registrant State/Province: New York
Registrant Country: US
Name Server: AUTHNS1.CV.NET
Name Server: AUTHNS1.CVNET.COM
DNSSEC: signedDelegation
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018-05-22T21:00:00Z <<<
d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee

Tags: trojan

Details
Yara Rules
No matches found.

ssdeep Matches
No matches found.
Description

This file is an AIX (Advanced Interactive Executive) executable, intended for the proprietary UNIX operating system developed by IBM. This application is designed to inject a library into a currently running process. Figure 1 contains a screenshot of strings of interest. The strings indicate the application is a command-line utility enabling an operator to easily conduct code injection on an IBM AIX platform. Analysis indicates this application logs its usage to a log file (Figure 2).

Screenshots

Figure 1 -
Figure 2 -

3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c

Tags: trojan

Details
Yara Rules
No matches found.

ssdeep Matches
No matches found.
Description

This file is an AIX executable, intended for the proprietary UNIX operating system developed by IBM. It is a library designed to provide exported functions that allow an application to perform transactions on financial systems using the ISO 8583 standard. A list of the ISO 8583 functions is displayed in Figure 3 and Figure 4.

Screenshots

Figure 3 -
Figure 4 -

e03dc5f1447f243cf1f305c58d95000ef4e7dbcc5c4e91154daa5acd83fea9a8

Tags: trojan

Details
Yara Rules
No matches found.

ssdeep Matches
No matches found.
Description

The file appears to be a log file generated by the usage of the application Inject API executable_e (b3efec620885e6cf5b60f72e66d908a9). The data contained in the log file is displayed in Figures 5, 6 and 7.

Screenshots

Figure 5 -
Figure 6 -
Figure 7 -

f3e521996c85c0cdb2bfb3a0fd91eb03e25ba6feef2ba3a1da844f1b17278dd2

Tags: trojan

Details
Yara Rules
No matches found.

ssdeep Matches
No matches found.
Description

This file is an AIX executable, intended for the proprietary UNIX operating system developed by IBM. Figure 8 displays strings of interest. The strings contained within the file indicate it is a command-line utility. The file is designed to update a proprietary data structure on a UNIX system known as "PVPA." The code structure in Figure 9, extracted from this application, attempts to perform a raw read of this data structure from memory.

Screenshots

Figure 8 -
Figure 9 -

ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c

Tags: trojan

Details
Yara Rules
No matches found.

ssdeep Matches
No matches found.
Description

This file is an AIX executable, intended for the proprietary UNIX operating system developed by IBM. The application provides several exported methods permitting interaction with financial systems that utilize the ISO 8583 standard. A list of the ISO 8583 functions is displayed in Figure 10 and Figure 11. This application is malicious in nature. It provides capabilities to hijack and return fraudulent ATM financial query responses similar to those provided by the malware 10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba.

Screenshots

Figure 10 - Generating random cash amount for fraudulent financial transaction.
Figure 11 -
Figure 12 -

10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba

Tags: trojan

Details
Yara Rules
No matches found.

ssdeep Matches
No matches found.
Description

This file is an XCOFF executable (the AIX extension of the UNIX Common Object File Format, used for executables, object code, and shared libraries). The executable provides several exported methods permitting interaction with financial systems that utilize the ISO 8583 standard. This application is malicious in nature and appears to have been utilized in the life cycle of an attack against ATM systems. Analysis of this library indicates it is designed to hijack queries from ATM systems to back-end banking systems and generate fraudulent responses. The three primary functions responsible for generating these fraudulent responses are:

GenerateResponseTransaction1
GenerateResponseInquiry1
GenerateResponseTransaction2

These functions piece together the data structure used to generate ATM transaction responses. A screenshot of a section of code from the function GenerateResponseTransaction1 is attached to this document. As this screenshot illustrates, the malware generates a random cash amount which is then placed in the data structure. Analysis indicates this application also provides the capability to block certain financial transactions. These blocked transactions are logged to a log file in the format:

Blocked Message(msg=%04x, term=%02x, pcode=%06x, pan=%s)

Screenshots

Figure 13 - Malware generating random cash amount for fraudulent financial transaction data structure.
Figure 14 - Malware logging blocked financial transactions.
Figure 15 - Functions responsible for creating fraudulent financial transaction responses.
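As an added example (not code from the report or from the samples ca9ab48d... and 10ac312c... described above), the following Python script shows what the described behaviour looks like on the wire and how the owner of a switch could check for it: a minimal ISO 8583 ASCII parser for the handful of data elements involved in a withdrawal (PAN, processing code, amount, STAN, response code, terminal ID), a pairing check that flags 0210 responses with no matching 0200 request or whose approved amount differs from the request's, and a parser for the implant's own "Blocked Message(...)" log line. The field layouts are a common ASCII variant and every message and log line is constructed; the victim switch's actual message format and the exact meaning of the log fields are not given in the report and are assumed here.

```python
"""Minimal ISO 8583 (ASCII, primary bitmap only) parser plus the consistency
check described in the lead-in.  Added example, not code from the report or
the samples.  Field layouts are a common ASCII variant (assumed); all
messages and log lines below are constructed."""
import re

# DE -> (kind, size): "n" = fixed length, "LL" = two-digit length prefix.
FIELD_DEFS = {
    2: ("LL", 19),   # PAN
    3: ("n", 6),     # processing code (01xxxx = cash withdrawal)
    4: ("n", 12),    # transaction amount, minor units
    11: ("n", 6),    # STAN
    39: ("n", 2),    # response code ("00" = approved), responses only
    41: ("n", 8),    # terminal ID
}

def build(mti: str, fields: dict) -> str:
    """Serialise MTI + 16-hex-digit primary bitmap + data elements in DE order."""
    bits, body = 0, ""
    for de in sorted(fields):
        kind, size = FIELD_DEFS[de]          # KeyError for a DE this example lacks
        val = str(fields[de])
        if kind == "n" and len(val) != size:
            raise ValueError(f"DE{de} must be exactly {size} chars")
        if kind == "LL" and len(val) > size:
            raise ValueError(f"DE{de} exceeds {size} chars")
        body += val if kind == "n" else f"{len(val):02d}{val}"
        bits |= 1 << (64 - de)               # bit 1 is the most significant bit
    return mti + f"{bits:016X}" + body

def parse(msg: str) -> dict:
    """Inverse of build(); refuses secondary bitmaps and unknown DEs."""
    mti, bitmap, pos = msg[:4], int(msg[4:20], 16), 20
    if bitmap & (1 << 63):
        raise ValueError("secondary bitmap not supported in this example")
    out = {"mti": mti}
    for de in range(2, 65):
        if not bitmap & (1 << (64 - de)):
            continue
        kind, size = FIELD_DEFS[de]
        if kind == "n":
            out[de], pos = msg[pos:pos + size], pos + size
        else:
            ln = int(msg[pos:pos + 2])
            out[de], pos = msg[pos + 2:pos + 2 + ln], pos + 2 + ln
    if pos != len(msg):
        raise ValueError("message length does not match bitmap")
    return out

def find_suspicious(messages: list) -> list:
    """Pair 0200 requests with 0210 responses by (terminal ID, STAN).  A
    response with no request, or an approval whose amount (DE4) differs from
    the request's, is what a response-generating implant in the switch path
    produces.  Returns [(key, reason), ...] in message order."""
    requests, findings = {}, []
    for raw in messages:
        m = parse(raw)
        key = (m.get(41), m.get(11))
        if m["mti"] == "0200":
            requests[key] = m
        elif m["mti"] == "0210":
            req = requests.get(key)
            if req is None:
                findings.append((key, "response without matching request"))
            elif m.get(39) == "00" and m.get(4) != req.get(4):
                findings.append((key, f"approved {m[4]} but request asked for {req[4]}"))
    return findings

# The implant's log format quoted in the report: "%04x", "%02x", "%06x", "%s".
BLOCKED_LOG = re.compile(
    r"Blocked Message\(msg=([0-9a-fA-F]{4}), term=([0-9a-fA-F]{2}), "
    r"pcode=([0-9a-fA-F]{6}), pan=(\d+)\)")

def parse_blocked_log(line: str):
    """Pull the fields out of a 'Blocked Message(...)' line; the PAN is
    masked to first six / last four before being returned."""
    m = BLOCKED_LOG.search(line)
    if not m:
        return None
    msg, term, pcode, pan = m.groups()
    masked = pan[:6] + "*" * max(len(pan) - 10, 0) + pan[-4:]
    return {"msg": int(msg, 16), "term": int(term, 16), "pcode": pcode, "pan": masked}

# Constructed traffic: a legitimate pair, a pair whose response approves a
# different amount, and a response nothing requested.
_W = {2: "4111111111111111", 3: "010000", 41: "ATM00001"}
SAMPLE_MESSAGES = [
    build("0200", {**_W, 4: "000000010000", 11: "000123"}),
    build("0210", {**_W, 4: "000000010000", 11: "000123", 39: "00"}),
    build("0200", {**_W, 4: "000000020000", 11: "000124"}),
    build("0210", {**_W, 4: "000000987654", 11: "000124", 39: "00"}),
    build("0210", {**_W, 4: "000000050000", 11: "000777", 39: "00", 41: "ATM00002"}),
]

if __name__ == "__main__":
    for key, reason in find_suspicious(SAMPLE_MESSAGES):
        print(key, reason)
```

The check only works if both sides are captured independently: the implant runs inside the switch application process, so its fabricated 0210 looks like any other response on the ATM-facing leg. Compare the switch's outbound responses against the issuer host's authorisation log (or a capture on the host-facing leg), where a blocked request never arrives and a fabricated approval has no counterpart.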
Recommendations

NCCIC would like to remind users and administrators to consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

Additional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83, Guide to Malware Incident Prevention & Handling for Desktops and Laptops.

Contact Information
NCCIC continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the NCCIC at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to NCCIC? Malware samples can be submitted via three methods:

NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on US-CERT's homepage at www.us-cert.gov.
Revisions
October 2, 2018: Initial version
December 21, 2018: Added IOCs
This product is provided subject to this Notification and this Privacy & Use policy.