Because they handle the data of thousands of credit cards, Point of Sale (POS) terminals are critical systems and an increasingly sought-after target of cybercrime. Attacking these devices anonymously over the internet is relatively straightforward, and selling the stolen data on the black market is profitable.

We’ve recently detected infections at a significant number of bars and restaurants in the United States whose POS terminals were attacked by two variants of credit card theft malware.

The malware samples that we’ll be analyzing are the following:

File name     MD5
Epson.exe     69E361AC1C3F7BCCE844DE43310E5259
Wnhelp.exe    D4A646841663AAC2C35AAB69BEB9CFB3

Epson.exe presents an invalid certificate:

Both samples were compiled with Microsoft Visual C++ 8, and are neither packed nor encrypted. Once the malware is executed on the system, it enumerates the running processes in search of credit card data.

Here we can see how they walk the process list, selecting only those processes that could hold credit card data in memory:

In the case of the “Epson.exe” sample, it will search for credit cards in the following processes:

Program name                                                              Description
notepad++.exe                                                             Text editor
CreditCardService.exe                                                     Microsoft
DSICardnetIP_Term.exe                                                     NETePay for Mercury
DSIMercuryIP_Dial.exe                                                     NETePay for Mercury
EdcSvr.exe                                                                Aloha Electronic Draft Capture (EDC)
fpos.exe                                                                  Future POS
mxSlipStream4 / mxSlipStream5 / mxSlipStream.exe / mxSwipeSVC.exe         SlipStream POS System Transaction Processor by mXpress
NisSrv.exe                                                                Windows 8
spcwin.exe / Spcwin.exe / SPCWIN.exe / SPCWIN.EXE                         POSitouch (Food Service Industry POS System)

The “Wnhelp.exe” sample, on the other hand, carries an exclusion list. If a process name matches any item on the list, that process is skipped and is not searched for credit card data:

Discarded processes: explorer.exe, alg.exe, chrome.exe, wscntfy.exe, firefox.exe, taskmgr.exe, iexplore.exe, spoolsv.exe, svchost.exe, QML.exe, smss.exe, AKW.exe, csrss.exe, OneDrive.exe, wininit.exe, VsHub.exe, steam.exe, Microsoft.VsHub.Server.HttpHost.exe, devenv.exe, vcpkgsrv.exe, thunderbird.exe, dwm.exe, skype.exe, dllhost.exe, pidgin.exe, jusched.exe, services.exe, jucheck.exe, winlogon.exe, lsass.exe

In both samples, once a process to analyze has been selected, whether because it appears on the target list (Epson.exe) or because it does not appear on the exclusion list (Wnhelp.exe), the malware creates a new thread:

That thread then scans the process memory, using an algorithm specifically designed to check whether the data it finds belongs to credit cards:
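The post does not name the validation algorithm the samples use. The check that card-data scanners, malicious and defensive alike, typically apply is the Luhn checksum, so here is an added example (not code from the samples or from Panda Security) of the same validation used from the defender's side: a small DLP-style scan that tells you whether a memory dump or log of your own POS process contains cleartext PANs, which is exactly the condition that makes these scrapers profitable. The buffer is constructed from well-known test card numbers and is an assumption, as is the Luhn check itself.

```python
import re

# Constructed sample of what a payment process's memory might contain.
# The 16-digit numbers are industry test PANs, not real cards.
SAMPLE_BUFFER = (
    b"Order 1042 total 23.50\x00"
    b"4111111111111111\x00"                 # Visa test PAN, Luhn-valid
    b"4111111111111112\x00"                 # last digit changed: fails Luhn
    b";5555555555554444=2512101...\x00"     # track-2-style record, Luhn-valid PAN
    b"phone 5551234567890 ticket 1234567890123456\x00"  # digit runs that fail Luhn
)

# 13 to 19 digit runs not embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(buf: bytes) -> list:
    """Return (offset, pan) pairs for every Luhn-valid candidate in buf."""
    hits = []
    for m in PAN_RE.finditer(buf):
        candidate = m.group(1).decode()
        if luhn_valid(candidate):
            hits.append((m.start(), candidate))
    return hits


def mask_pan(pan: str) -> str:
    """Show only the first six and last four digits when reporting a finding."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for offset, pan in find_pans(SAMPLE_BUFFER):
        print(f"cleartext PAN at offset {offset}: {mask_pan(pan)}")
```

Running this over a dump of a terminal's payment process and getting any hit means the card data is available to anything that can read that process's memory; the fix is on the POS vendor's side (point-to-point encryption, so the PAN never exists in cleartext in RAM), not on the scanner's.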

The attackers run the Wnhelp.exe sample with the “install” command, which makes it register a service so that it persists on the system:

The service is called “Windows Error Reporting Service Log”.

The Epson.exe sample works the same way, although the attackers can choose the name of the service through parameters:

install [Service name] [Service description] [Third parameter]

Each variant connects to a different command and control (C&C) server:

Sample        C&C server
Epson.exe     dropalien.com/wp-admin/gate1.php
Wnhelp.exe    www.rdvaer.com/wp-admin/gate1.php

They can then receive different orders from the attacker:

Command                 Description
update = [URL]          Malware update.
dlex = [URL]            Downloads and runs a file.
chk = [CRC_Checksum]    Updates the file’s checksum.

To connect to the control panel, they use the following User-Agent:

“Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22”
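The persistence mechanism and the C&C details above give a defender two concrete things to look for: a service-install event (System log, Event ID 7045) whose name or image matches these samples, and outbound requests to the two gate1.php hosts or carrying that User-Agent. The following added example (not code from the samples or from Panda Security) runs both checks over constructed log lines; the log formats, the timestamps and the client addresses are assumptions, and the indicators themselves are the ones listed in this post.

```python
import re
from typing import Dict, List

# Indicators from the analysis above.
SERVICE_NAME = "Windows Error Reporting Service Log"
SAMPLE_FILES = {"epson.exe", "wnhelp.exe"}
C2_HOSTS = {"dropalien.com", "www.rdvaer.com"}
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 "
                 "(KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22")

# Constructed sample: Event ID 7045 records exported as "id|service name|image path".
# Line 4 is the legitimate WER service, whose name is similar but not identical.
SERVICE_EVENTS = """\
7045|Windows Error Reporting Service Log|C:\\Windows\\Temp\\Wnhelp.exe install
7045|Print Spooler Helper|C:\\Windows\\System32\\spoolsv.exe
7045|POSUpdater|C:\\pos\\Epson.exe install POSUpdater "POS update service" x
7045|Windows Error Reporting Service|C:\\Windows\\System32\\svchost.exe -k WerSvcGroup
"""

# Constructed sample proxy log: timestamp client method target "user-agent".
# Because the C&C traffic is SSL, a proxy usually only sees the CONNECT host.
PROXY_LOG = """\
2018-03-01T10:00:01Z 10.0.0.12 CONNECT www.rdvaer.com:443 "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22"
2018-03-01T10:00:05Z 10.0.0.13 GET http://example.org/index.html "Mozilla/5.0 (Windows NT 10.0) Firefox/58.0"
2018-03-01T10:01:09Z 10.0.0.12 POST http://dropalien.com/wp-admin/gate1.php "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22"
"""

PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def suspicious_services(events: str) -> List[Dict]:
    """Flag 7045 events by exact service name, sample file name, or 'install' argument."""
    hits = []
    for line in events.splitlines():
        if not line.strip():
            continue
        event_id, name, image = line.split("|", 2)
        if event_id != "7045":
            continue
        tokens = image.split()
        exe = tokens[0].rsplit("\\", 1)[-1].lower()
        reasons = []
        if name == SERVICE_NAME:
            reasons.append("known service name")
        if exe in SAMPLE_FILES:
            reasons.append("known sample file name")
        if tokens[1:2] == ["install"]:
            reasons.append("'install' persistence argument")
        if reasons:
            hits.append({"service": name, "image": exe, "reasons": reasons})
    return hits


def suspicious_requests(log: str) -> List[Dict]:
    """Flag proxy lines whose host or User-Agent matches the C&C indicators."""
    hits = []
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        _ts, client, _method, target, ua = m.groups()
        host = target.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
        reasons = []
        if host in C2_HOSTS:
            reasons.append("known C&C host")
        if ua == C2_USER_AGENT:
            reasons.append("known C&C User-Agent")
        if reasons:
            hits.append({"client": client, "host": host, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in suspicious_services(SERVICE_EVENTS) + suspicious_requests(PROXY_LOG):
        print(h)
```

The service check matches the name exactly on purpose: the real “Windows Error Reporting Service” is installed on every Windows machine, and a substring match would bury the one interesting event in noise. The User-Agent is a useful secondary signal (a Chrome 25 string on a Windows 8 host is out of place), but on its own it is weaker than the host match, so both are reported as separate reasons.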

Communication is carried out over SSL. The malware modifies the internet connection configuration so that unknown CAs (Certificate Authorities) are ignored, thereby ensuring that it can use its own certificate.

First it reads the current security flags of the internet connection through the InternetQueryOptionA API, with the third argument set to INTERNET_OPTION_SECURITY_FLAGS (31). It then performs a bitwise OR of those flags with SECURITY_FLAG_IGNORE_UNKNOWN_CA (100h).
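When you see option 31 in a sandbox or API-monitor trace, the raw flags value is what you get, and the interesting question is which certificate checks were switched off between the query and the set. Here is an added example (not code from the samples or from Panda Security) that decodes a WinINet security-flags value and reviews a constructed trace for newly set “ignore” bits. The post gives only INTERNET_OPTION_SECURITY_FLAGS (31) and SECURITY_FLAG_IGNORE_UNKNOWN_CA (0x100); the other bit values are the wininet.h definitions as I know them, and the assumption that the modified value is written back with InternetSetOptionA is mine, as is the trace itself.

```python
from typing import List, Tuple

INTERNET_OPTION_SECURITY_FLAGS = 31  # 0x1F, from the analysis above

# WinINet security flag bits (values as defined in wininet.h).
SECURITY_FLAGS = {
    0x00000001: "SECURITY_FLAG_SECURE",
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",       # the bit this malware sets
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}
# Every bit whose name starts with IGNORE weakens certificate validation.
IGNORE_MASK = sum(bit for bit, name in SECURITY_FLAGS.items() if "IGNORE" in name)


def decode_security_flags(flags: int) -> List[str]:
    """Name the known bits set in a flags value, lowest bit first."""
    return [name for bit, name in sorted(SECURITY_FLAGS.items()) if flags & bit]


def malware_transform(flags: int) -> int:
    """The operation described in the post: OR in SECURITY_FLAG_IGNORE_UNKNOWN_CA."""
    return flags | 0x00000100


def weakened_bits(before: int, after: int) -> List[str]:
    """Ignore-bits present in `after` that were not present in `before`."""
    return decode_security_flags((after & ~before) & IGNORE_MASK)


# Constructed API trace: (api, option, flags value). Assumed layout, not real telemetry.
TRACE: List[Tuple[str, int, int]] = [
    ("InternetQueryOptionA", 31, 0x00000001),  # existing flags: SECURE only
    ("InternetSetOptionA",   31, 0x00000101),  # written back with 0x100 OR'ed in
]


def review_trace(trace: List[Tuple[str, int, int]]) -> List[List[str]]:
    """Report, for each InternetSetOptionA on option 31, which checks it switched off."""
    current = 0
    findings = []
    for api, option, value in trace:
        if option != INTERNET_OPTION_SECURITY_FLAGS:
            continue
        if api == "InternetQueryOptionA":
            current = value
        elif api == "InternetSetOptionA":
            newly_ignored = weakened_bits(current, value)
            if newly_ignored:
                findings.append(newly_ignored)
            current = value
    return findings


if __name__ == "__main__":
    print(decode_security_flags(malware_transform(0x1)))
    print(review_trace(TRACE))
```

A set-option call that turns on any of the IGNORE bits for a connection that never had them is a stronger indicator than the C&C hostnames, because it survives a change of infrastructure: whatever server the operators move to, the client still has to stop validating the chain to talk to it.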

Conclusion: How to Confront a POS Attack

Attacks on POS terminals remain very popular, especially in countries like the United States where the use of Chip & PIN is not mandatory. Many of these attacks target businesses that have no specialized IT personnel, much less security personnel, a gap that attackers take advantage of.

POS terminals are computers that handle critical data and therefore must be hardened as far as possible in order to shield customer data from the inherent risks. Solutions such as Adaptive Defense 360 help to ensure that no malicious process is executed on these terminals. There is no need to hire a security specialist, because the solution includes Panda Security’s own technicians, who are responsible for ensuring that all executed processes are safe.