Introduction

After reading a 2020 report from VISA about two independent breaches of two North American merchants, I decided to take a look at one of the samples used in one of the intrusions to compromise the point-of-sale terminals, which is an RtPOS sample.

Although this malware family is not new (I found references on Twitter from at least 2018), the fact that it was used in a 2020 breach made me a bit more interested in checking it.

The VISA report says that there was evidence that the threat actors behind this intrusion used various remote access tools and credential dumpers to establish initial access, move laterally and deploy the malware in the POS environment. VISA stated that the malware used during these stages of the intrusion was not recovered and that the POS malware variants used by the threat actors targeted both track 1 and track 2 data.

Analysis

RtPOS accepts two arguments, “/install” and “/remove”, which are responsible for installing the malware as a service and removing the service, respectively.

[Screenshot: args]

When the sample is executed with the “/install” argument, it installs itself as a service configured for automatic start during Windows startup. This way RtPOS guarantees persistence within the infected system.

[Screenshot: create_svc]

Details of the installed service:

Service Name: WinLogOn
Service Description: Windows Logging On Service

To start the main functionality, which is, of course, scraping card data, RtPOS starts itself as a service using the StartServiceW() API.

[Screenshot: start_svc]

After the installation, RtPOS goes through all the running processes and searches for credit card data (aka tracks). To do so, it starts by taking a snapshot of the running processes.

[Screenshot: proc_snap]

Next, it uses Process32FirstW()/Process32NextW() to go through the process list in a loop.

[Screenshot: loop]

Finally, RtPOS uses the combination of VirtualQueryEx()/ReadProcessMemory() to read the process memory.

[Screenshot: read_proc_mem]

When a track is found, it is validated using the Luhn algorithm.

[Screenshot: luhn check]

If the track passes the Luhn check, it will be written to:

C:\Windows\SysWOW64\sql8514.dat

or:

C:\Windows\System32\sql8514.dat

[Screenshot: dat file]

The data is written using the following format:

"%02d.%02d.%04d - %02d:%02d:%02d| %s: \t\t%s\n"

[Screenshot: data format]
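For responders who recover an sql8514.dat file, the following is an added example (not code from the post or from the sample) that parses lines laid out per the format string above, re-runs the same Luhn check the malware applies, and masks the PAN before reporting. It assumes the first %s is the source process name and the second is the track data; the file contents are constructed test data.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample content following "%02d.%02d.%04d - %02d:%02d:%02d| %s: \t\t%s\n".
# The %s fields are ASSUMED to be the process name and the scraped track; the PANs are
# the well-known 4111... test number and a variant with a broken check digit.
SAMPLE_DAT = (
    "14.03.2020 - 09:15:02| pos.exe: \t\t4111111111111111=25121010000012345678\n"
    "14.03.2020 - 09:15:07| pos.exe: \t\t4111111111111112=25121010000012345678\n"
    "14.03.2020 - 09:16:30| notepad.exe: \t\tgarbage line without a PAN\n"
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} - \d{2}:\d{2}:\d{2})\| "
    r"(?P<proc>[^:]+): \t\t(?P<track>.*)$"
)


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check (the same test RtPOS applies before writing a track)."""
    if not digits.isdigit() or len(digits) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


@dataclass
class Record:
    timestamp: str    # kept as written; day/month order is not confirmed by the sample
    process: str
    pan_masked: str   # first 6 and last 4 digits only
    luhn_ok: bool     # a False here means the line was not produced by the scraper's path


def parse_dat(text: str) -> List[Record]:
    """Parse recovered sql8514.dat content into masked, Luhn-checked records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pan_match = re.match(r"\d{12,19}", m["track"])   # PAN precedes the '=' in track 2
        if not pan_match:
            continue
        pan = pan_match.group(0)
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        records.append(Record(m["ts"], m["proc"].strip(), masked, luhn_valid(pan)))
    return records
```

Running parse_dat over a recovered file gives a masked count of affected PANs per source process; lines that fail Luhn should not appear in a genuine RtPOS output and are worth a second look.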

Running RtPOS

Installation:

[Screenshot: install]

Debug message:

[Screenshot: install_msg]

Created service info:

[Screenshot: svc]

RtPOS writing data after finding valid tracks:

[Screenshot: dat_write]

The DAT file now contains the tracks:

[Screenshot: dat]

Removing the service is just as simple as passing the “/remove” argument:

[Screenshot: svc_remove]

Conclusion

RtPOS is just a basic memory scraper that searches for tracks inside the memory of any running process.

It has no capabilities to send data over the network and it doesn’t connect to any command and control server.

To get the stolen data the criminals must keep a presence inside the compromised machines, which suggests that this sample is more of a post-compromise tool used to monetize the intrusion by stealing payment data from the POS environment.

One interesting thing about this sample is that the functions responsible for checking the tracks are pretty much the same as the ones found in the Dexter family.

[Screenshot: shared code]

Sample:

Filename: alohae.exe
SHA256: fb749c32b58fd1238f21d48ba1deb60e6fb4546f3a74e211f80a3ed005f9e046