After reading a 2020 report from VISA about two independent breaches of two North-American merchants, I decided to take a look at one of the samples used in one of the intrusions to compromise the point-of-sale terminals, which is an RtPOS sample.
Although this malware family is not new (I found references on twitter from at least 2018), the fact that it was used in a 2020 breach made me a bit more interested in checking it.
The VISA report says that there was evidence that the threat actors behind this intrusion used various remote access tools and credential dumpers to establish initial access, move laterally and deploy the malware in the POS environment. VISA stated that the malware used during these stages of the intrusion was not recovered and that the POS malware variants used by the threat actors targeted both track 1 and track 2 data.
RtPOS accepts two arguments, “/install” and “/remove”, which are responsible for installing the malware as a service and removing the service, respectively.
When the sample is executed with the “/install” argument, it installs itself as a service configured to start automatically during Windows startup. This way RtPOS guarantees persistence within the infected system.
Details of the installed service:
Service Name: WinLogOn
Service Description: Windows Logging On Service
To start the main functionality, which is, of course, scraping card data, RtPOS starts itself as a service using the StartServiceW() API.
After the installation, RtPOS goes through all the running processes and searches for credit card data (aka tracks). To do so, it starts by taking a snapshot of the running processes.
Next, it uses Process32FirstW()/Process32NextW() to iterate over the process list in a loop.
Finally, for each process, RtPOS uses VirtualQueryEx() to enumerate the memory regions and ReadProcessMemory() to read them.
When a track is found, it is validated using the Luhn algorithm.
If the track passes the Luhn check it will be written to:
The data is written using the following format:
"%02d.%02d.%04d - %02d:%02d:%02d| %s: \t\t%s\n"
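The scanning, Luhn validation and logging steps above, as an added example that is not part of the original post or of the RtPOS sample. The Windows-only part (taking the process snapshot, walking it with Process32FirstW()/Process32NextW(), and reading memory with VirtualQueryEx()/ReadProcessMemory()) is left out; instead the scanner is fed a constructed byte buffer standing in for one region read out of a POS process. The track 1/track 2 regular expressions, the process-name argument, and the assumption that the two %s fields of the format string are the process name followed by the track are my own; the page does not show how the sample locates a track in memory. The PANs are well-known test numbers.

```python
import re
from datetime import datetime

# Constructed stand-in for a memory region read with ReadProcessMemory():
# junk bytes, one track 1, one valid track 2, and one track 2 whose PAN
# fails the Luhn check. All PANs are public test numbers.
SAMPLE_MEMORY = (
    b"\x00\x10junk data\x00"
    b"%B4111111111111111^DOE/JOHN^25121011234567890?"
    b"\x00more junk\x00"
    b";5555555555554444=25121011234567890?"
    b"\x00"
    b";4111111111111112=2512101?"      # bad check digit, must be rejected
    b"\x00\xff"
)

# Assumed track layouts (ISO 7813 format B track 1, track 2): start sentinel,
# PAN of 13-19 digits, separator, expiry YYMM, service code, then anything
# up to the end sentinel '?'.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")

# Format string from the sample: day.month.year - h:m:s| <%s>: \t\t<%s>
LOG_FORMAT = "%02d.%02d.%04d - %02d:%02d:%02d| %s: \t\t%s\n"


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_tracks(buf: bytes) -> list:
    """Find track 1 / track 2 candidates in buf and keep the Luhn-valid ones.

    Returns a list of (kind, track) tuples in the order found.
    """
    found = []
    for m in TRACK1_RE.finditer(buf):
        if luhn_ok(m.group(1).decode()):
            found.append(("track1", m.group(0).decode()))
    for m in TRACK2_RE.finditer(buf):
        if luhn_ok(m.group(1).decode()):
            found.append(("track2", m.group(0).decode()))
    return found


def format_record(process_name: str, track: str, when: datetime) -> str:
    """Render one log line the way the sample's format string does."""
    return LOG_FORMAT % (when.day, when.month, when.year,
                         when.hour, when.minute, when.second,
                         process_name, track)


def demo() -> list:
    """Scrape SAMPLE_MEMORY as if it came from a (hypothetical) pos.exe
    and return the log lines with a fixed, constructed timestamp."""
    when = datetime(2020, 11, 5, 14, 7, 9)
    return [format_record("pos.exe", track, when)
            for _, track in scrape_tracks(SAMPLE_MEMORY)]


if __name__ == "__main__":
    for line in demo():
        print(line, end="")
```

Running it yields two records (the track with the bad check digit is dropped), which is exactly the filter a memory scraper needs: a 16-digit run in process memory is far more often a timestamp, a pointer or a hash than a PAN, and the Luhn check discards most of that noise before anything is written to disk.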
Created service info:
RtPOS writing data after finding valid tracks:
The DAT file now contains the tracks:
Removing the service is just as simple: pass the “/remove” argument:
RtPOS is just a basic memory scraper that searches for tracks inside the memory of any running process.
It has no capabilities to send data over the network and it doesn’t connect to any command and control server.
To retrieve the stolen data the criminals must keep a presence inside the compromised machines, which suggests that this sample is more of a post-compromise tool, used to monetize the intrusion by stealing payment data from the POS environment.
One interesting thing about this sample is that the functions responsible for checking the tracks are pretty much the same as the ones found in the Dexter family.
Filename: alohae.exe
SHA256: fb749c32b58fd1238f21d48ba1deb60e6fb4546f3a74e211f80a3ed005f9e046