Last April 2015, we talked about FighterPOS, a point-of-sale (PoS) malware that was used in a one-man cybercriminal operation to steal over 22,000 unique credit card numbers and affected more than 100 PoS terminals in Brazil and other countries. We recently came across new and seemingly improved versions of this malware. Among other things, FighterPOS now has propagation capabilities; meaning, it could spread from one PoS malware terminal to another that is connected to the same network and thereby increasing the number of potential victims in one organization.

It is also interesting to note that based on the analysis of their code, the new FighterPOS samples have strings of code written in English, instead of Portuguese. This leads us to speculate that whoever is behind the new versions are operating in English-speaking countries, and are shifting to target other countries like the United States. Data gathered from the Trend Micro Smart Protection Network supports these findings: while more than 90% of connection attempts to FighterPOS command-and-control (C&C) servers are still located in Brazil, the number of affected systems in the US is at 6%.

Figure 1. The new version (top) uses the word “command” in its code, instead of the Portuguese “comando” in the original FighterPOS version (bottom)

Figure 2. Connection attempts of new FIghterPOS variants to C&C servers from Jan. 23 – Feb. 16

We analyzed two of the recent samples we’ve seen: “Floki Intruder” (detected as WORM_POSFIGHT.SMFLK), which is capable of spreading copies of itself, and a lightweight version detected as TSPY_POSFIGHT.F.

Floki Intruder

While Floki Intruder resembles the original FighterPOS in that it is based on the same vnLoader botnet client, it appears that it was compiled on a separate machine, most likely by the threat actor that added the new capabilities. Among the capabilities Floki Intruder shares with FighterPOS include disabling Windows firewall and default Windows protection and disabling the User Account Control. It is also capable of detecting any security product through Windows Management Instrumentation (WMI). Both FighterPOS and Floki Intruder are also distributed through compromised websites, and their updates are downloaded from their command-and-control (C&C) servers.

Perhaps the most notable update Floki Intruder has from FighterPOS is that it is able to enumerate logical drives to drop copies of itself and an autorun.inf by using WMI. Adding this routine, in a way, makes sense: given that it is quite common for PoS terminals to be connected in one network, a propagation routine will not only enable the attacker to infect as many terminals as possible with the least amount of effort, it will also make this threat more difficult to remove because reinfection will occur as long as at least one terminal is affected.

Figure 3. Autorun.inf automatically executes InstallExplorer.exe when the logical drive is accessed.

TSPY_POSFIGHT.F

Unlike the original FighterPOS, TSPY_POSFIGHT.F is not derived from vnLoader, thus the C&C communication is different. Because of its smaller size, it has fewer features compared to Floki Intruder. TSPY_POSFIGHT.F does not accept backdoor commands, nor obtain any other information about the infected computer. It only connects to the server to send possible credit card logs that the scraper has gathered.

What is interesting in the TSPY_POSFIGHT.F sample sets we have gathered is that they appear to be version upgrades what is essentially the same binary. That is, it appears the cybercriminal using TSPY_POSFIGHT.F hit the same environment with progressive modifications as if doing a stress test or trial-and-error. For instance, one set contained Searcher.dll seen in RDASRV, an older PoS RAM scraper malware. Newer sets contain RAM scraping functionality of NewPOSThings, dropped with the filename rservices.exe.

Figure 4. Progression of TSPY_POSFIGHT.F

Defending against FighterPOS

Trend Micro protects customers from all threats related to FighterPOS and its new variants. To protect enterprises from bots and malware with PoS RAM-scraping capabilities, it is best to employ endpoint application control or whitelisting technology, included in the Trend Micro Smart Protection Suite, to keep you in control of the applications that run on your network. Companies can also consider Trend Micro Deep Discovery, which has specialized detection engines and custom sandboxing that can detect evasive attacker activities like the anti-sandboxing techniques mentioned in this entry.

Click here for more appendix on WORM_POSFIGHT.SMFLK, TSPY_POSFIGHT.F, related threats URLs and SHA1s, Yara rules, and other information in this technical brief.