HydraPOS — Operation of Brazilian fraudsters has accumulated at least 1.4 million card records

Fraud scheme went unnoticed for four years, targeting several merchants in Brazil

The history of cybercrime is going through a phase in which weapons are being accumulated in large arsenals: massive stockpiles of cyber weapons are being built up in espionage operations, often attributed to nation-states. While some of these stockpiles yield almost cinematic stories, as in the case of the Equation Group, there are also threats with more mundane purposes, such as the theft of payment card data, that are likewise based on amassing tools and malware in quantities as large as those of intelligence agencies.

In a routine analysis, members of Tempest’s Threat Intelligence team found a set of malware samples which, at first glance, seemed to be linked to a conventional attack campaign against Brazilian merchants using Point of Sale (POS) systems. Bearing in mind that hiding large operations behind seemingly ordinary behaviour is part of an attacker’s strategy, the researchers dug deeper into the discovery and found a major operation which, over four years, had maintained dozens of tools and hundreds of malware samples in its arsenal and had accumulated the data of more than 1.4 million payment cards (credit, debit, food and meal cards).

Named HydraPOS by Tempest’s researchers, the fraudsters’ operation has several “heads”: at the beginning of the attacks it aimed only at stockpiling payment card data by exploiting supermarket systems, but over the years it has incorporated the collection of bank data and e-commerce access credentials into its criminal activity.

The HydraPOS operation is made up of several pieces of malware — found in hundreds of different builds and versions — and a handful of third-party tools and malware, such as Kaptoxa — used in the attack against the large retailer Target in 2014 and also known as Trojan.POSRAM — along with other malicious code not previously identified or published by the industry.

Techniques for infection

The HydraPOS infection process starts with a vast scan, often covering the entire broadband address range of Brazilian telecommunications companies. This activity uses tools such as VNC-Scanner, or a tool developed by the threat actor for the same purpose. These tools search for commonly used remote access services (VNC, RDP, Radmin and SSH) that are misconfigured or run outdated software versions. Targets identified at this stage are subjected to brute-force attacks to obtain passwords, or to exploitation of previously documented vulnerabilities. Depending on technical specifics or other criteria, HydraPOS operators also use phishing attacks to infect victims.
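On the target side, the scan-and-brute-force stage described above leaves a trail of failed remote logons followed by a success. The following is an added example, not code from Tempest or from the HydraPOS campaign, of detection logic run over a few constructed Windows Security event lines (the one-line-per-event layout is an assumption; event IDs 4625/4624 and LogonType 10 for RDP are Windows' own values); it flags each source and account with a burst of failures and records whether a logon eventually succeeded.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines, not real telemetry; the field layout is an assumption.
SAMPLE_LOG = """\
2019-03-04T02:11:05 EventID=4625 LogonType=10 Account=suporte SrcIP=203.0.113.7
2019-03-04T02:11:06 EventID=4625 LogonType=10 Account=suporte SrcIP=203.0.113.7
2019-03-04T02:11:08 EventID=4625 LogonType=10 Account=suporte SrcIP=203.0.113.7
2019-03-04T02:11:09 EventID=4625 LogonType=10 Account=suporte SrcIP=203.0.113.7
2019-03-04T02:11:14 EventID=4624 LogonType=10 Account=suporte SrcIP=203.0.113.7
2019-03-04T09:30:00 EventID=4625 LogonType=10 Account=caixa01 SrcIP=198.51.100.20
2019-03-04T09:30:20 EventID=4624 LogonType=10 Account=caixa01 SrcIP=198.51.100.20
2019-03-04T10:00:00 EventID=4625 LogonType=10 Account=admin SrcIP=192.0.2.9
2019-03-04T10:00:01 EventID=4625 LogonType=10 Account=admin SrcIP=192.0.2.9
2019-03-04T10:00:02 EventID=4625 LogonType=10 Account=admin SrcIP=192.0.2.9
2019-03-04T10:00:03 EventID=4625 LogonType=10 Account=admin SrcIP=192.0.2.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"Account=(?P<acct>\S+) SrcIP=(?P<ip>\S+)$")

def parse_events(log):
    """Return (timestamp, event_id, account, src_ip) tuples for RDP logons, oldest first."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m["lt"] != "10":      # keep RemoteInteractive (RDP) logons only
            continue
        events.append((datetime.fromisoformat(m["ts"]), int(m["eid"]), m["acct"], m["ip"]))
    return sorted(events)

def detect_bruteforce(events, threshold=4, window=timedelta(minutes=10)):
    """Map (src_ip, account) -> alert for bursts of >= threshold failures within window."""
    recent_failures = defaultdict(list)   # (ip, acct) -> timestamps of 4625s in window
    alerts = {}
    for ts, eid, acct, ip in events:
        key = (ip, acct)
        recent = [t for t in recent_failures[key] if ts - t <= window]
        if eid == 4625:
            recent.append(ts)
            if len(recent) >= threshold:
                alert = alerts.setdefault(key, {"failures": 0, "succeeded": False})
                alert["failures"] = max(alert["failures"], len(recent))
        elif eid == 4624:
            if key in alerts:             # a guess that worked: investigate this host first
                alerts[key]["succeeded"] = True
            recent = []                   # successful logon closes the failure window
        recent_failures[key] = recent
    return alerts
```

A lone failure followed by a success (the caixa01 lines) stays below the threshold and is not reported, so ordinary typos by support staff do not flood the alert queue.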

In the merchant’s network

From the moment the attacker gains access to the victim’s computer, there are a variety of paths that HydraPOS operators can take to install new malware, extract data, and maintain persistence in the environment.

By themselves, connections to targets through remote administration tools already allow a range of operations, depending on the privilege level the attacker has gained.

In cases where the infection vector is phishing, a malicious file is sent to users which, when opened, allows, among other functions, a Remote Desktop channel to be opened with administrative privileges.

Example of phishing message used by HydraPOS

Depending on the characteristics of the environment, the logic in the latest version of the HydraPOS code determines which tools are used to collect access credentials and payment card data. Researchers identified cases in which data collection relied on Kaptoxa - malware active since 2013 and sold on darknet forums - which was developed to recognise and extract card data while it is being processed in a computer's memory at the time of the transaction.

Although much of the communication during a card transaction is encrypted, POS software inevitably has to decrypt the information during the transaction authorisation process. Memory-scraper malware such as Kaptoxa is designed to identify which regions of memory will be allocated to information of interest to the attacker. The malware then waits for that space to be filled with the data of interest and saves it to files, to be sent later to a command and control server.

Analysis of more recent artefacts showed that memory scraping was later incorporated into the HydraPOS code itself, suggesting that at some point the use of Kaptoxa was abandoned or reduced.

HydraPOS operators also use other third-party malware to obtain target data. The binary named "Track 2 sniffer.exe" was identified as Win32/Dexter (also called Poxters), which has keylogger and memory scraping functions.

Malware developed by the attacker himself is also used, such as a keylogger with the filename "pdv.exe", a memory scraper with the filename "explorer.exe" and an e-commerce credential collector with the filename "win.exe".

Many of these malware families send data to command and control servers. However, depending on the specifics of the victims' infrastructure, this information could also be e-mailed, or selected and retrieved remotely on demand by the attacker.

Command and Control Servers (C&C)

Tempest’s Threat Intelligence team was able to identify seven servers in use by the attacker; part of these repositories stored 1,454,291 payment card records, which the evidence indicates had been accumulating since 2015. The total amount of stolen data may be much higher: investigation and intelligence work on open source data turned up evidence suggesting that HydraPOS operators have been active since at least 2013. The possibility of data being collected on demand or sent by e-mail also supports the thesis that the fraudsters may have access to more information than is stored in their C&Cs.

Another part of the C&Cs contained the massive arsenal available to the operators. Several versions of other artefacts were identified, covering various distributions of legitimate tools (such as those used for remote administration), brute-force attack mechanisms and tools for collecting e-mail addresses.

In addition, the repositories contained tools developed by HydraPOS operators to handle the large volume of information and targets, such as “FindInfoTxt” — which classifies payment card data according to the service code, separating cards with higher value and larger limits, such as platinum cards, from those of lower value — or “Gerenciador Sitef”, which operates as a control panel to check the status of, and send commands to, infected machines.

Gerenciador Sitef Interface

Further details on the HydraPOS arsenal are available in the appendix below.

How to prevent attacks similar to HydraPOS

Operations such as HydraPOS exploit three failures that can be found in companies of all sizes but are especially common in environments where computers are used for a minimal set of functions, such as supermarket checkouts:

1. use of misconfigured remote administration tools;
2. use of weak passwords;
3. absence of a security-oriented configuration baseline for the operating system and its applications.

In these environments, the more geographically dispersed the stores, the greater the need for remote administration tools such as VNC, Remote Desktop or Radmin. Often the machines are accessed by a large number of employees, sometimes outsourced and with high turnover. As a result, the password for the remote administration tools, when one is set at all, is usually chosen so that the teams can pick it up quickly. The result is weak passwords, shared among all support analysts and easily found by brute-force tools.

To avoid this scenario, it is important to choose remote access solutions that allow access to be granted and revoked centrally for each support analyst, so that passwords are not shared between people. It is also important to adopt two-factor authentication, so that access to network resources does not depend only on a username and password but also on other factors such as tokens or biometrics.

As important as setting standards for passwords and other authentication mechanisms, it is essential to keep systems up to date and to establish configuration standards for all machines. Updates should not be limited to the operating system but must cover all other applications, and the standards should cover every configuration setting that can be hardened.

In addition, all employees should be trained to identify suspicious messages of the kind used in phishing attacks. There are several ways to do this, such as educational phishing platforms, which make employees aware that this is one of the most common threats in the world.