Virus & Malware

PinkKite POS Malware Is Small but Powerful

A newly discovered piece of malware targeting point-of-sale (POS) systems has a very small size but can do a lot on the infected systems, security researchers reveal. Called PinkKite, the POS malware was observed last year as part of a large campaign that ended in December, but was only detailed last week at Kaspersky Lab's Security Analyst Summit (SAS). Discovered by researchers at Kroll Cyber Security, the malware is believed to have appeared last year for the first time.

Similar to previously observed POS malware families such as TinyPOS and AbaddonPOS, the new PinkKite has a very small size (it is less than 6kb) and uses its tiny footprint to evade detection. Despite this, however, the malware includes memory-scraping and data validation capabilities. Furthermore, Courtney Dayter and Matt Bromiley, who detailed the threat at last week's SAS 2018, reveal that PinkKite uses a hardcoded double-XOR cipher to encrypt credit card numbers.

It also features built-in persistence mechanisms, and a backend infrastructure that leverages a clearinghouse to exfiltrate data to (POS malware typically sends data to the command and control (C&C) server). In fact, the PinkKite operators used three clearinghouses (or depots) that the malware sent data to in the observed campaign. These were located in South Korea, Canada and the Netherlands, the researchers revealed.

The use of clearinghouses likely made the data collection easier and allowed operators to distance themselves from the terminals, but it also made the operation very noisy. For distribution purposes, the attackers likely infected a system and then moved laterally across the targeted company's network environment using PsExec. Next, the hackers used Mimikatz to extract credentials from the Local Security Authority Subsystem Service (LSASS), and then connected to the compromised systems to steal credit card data via a Remote Desktop Protocol (RDP) session.

The PinkKite executable, the researchers discovered, attempts to pass as a legitimate Windows program and uses names such as Svchost.exe, Ctfmon.exe and AG.exe for that. Different versions of the malware exist, including a whitelist variant that specifically targets processes in a list, and a blacklist iteration that instead ignores certain processes. After scrapping credit card data from the system memory, PinkKite validates card numbers using a Luhn algorithm.

It also employs a double-XOR operation to encode the 16 digits of the credit card number with a predefined key, and stores the data in compressed files that can hold as many as 7,000 credit card numbers each. Using a separate RDP session, the files are sent to one of the employed clearinghouses. These remote systems collected hundreds or thousands of malware output files, the researchers discovered.

The attackers were stealthy enough to stay under the radar until the targeted organization was alerted on its customers' credit card data being sold on the black market. Travis Smith, principal security researcher at Tripwire, told SecurityWeek in an email that, even if this powerful malware family has a little footprint, its size has nothing to do with how it can be detected. "A change on a static endpoint like a point-of-sale machine will stick out clearly with the proper controls.

Application white listing is a quick and very effective way to prevent malware such as PinkKite from being allowed to run on a point-of-sale machine. However, if the adversaries were able to use Mimikatz to steal admin credentials, they could bypass controls such as the built in AppLocker available from Windows. Having layered controls which are designed for both mitigation and detection are key in a successful security architecture," Smith said.

He also pointed out that the malware's small size forced it to rely heavily on network communication, which can be prevented and detected. "Since point-of-sale networks are also fairly static, any communication outside of an established baseline can be considered malicious until proven benign. Utilizing a whitelist set of firewall rules on the point-of-sale network will limit the malware from sending stolen credit cards to adversaries around the world," Smith concluded.

Related: New PoS Malware Family Discovered

Related: POS Malware Abuses Exposed ElasticSearch Nodes for C&C

Sofacy Targets European Govt as U.S. Accuses Russia of Hacking

Just as the U.S. had been preparing to accuse Russia of launching cyberattacks against its energy and other critical infrastructure sectors, the notorious Russia-linked threat group known as Sofacy was spotted targeting a government agency in Europe. The United States on Thursday announced sanctions against Russian spy agencies and more than a dozen individuals for trying to influence the 2016 presidential election and launching cyberattacks, including the destructive NotPetya campaign and operations targeting energy firms. The Department of Homeland Security and Federal Bureau of Investigation issued a joint technical alert via US-CERT last year to warn about attacks launched by a group known as Dragonfly, Crouching Yeti and Energetic Bear on critical infrastructure.

Researchers previously linked Dragonfly to the Russian government and now the DHS has officially stated the same. US-CERT has updated its alert with some additional information. The new version of the alert replaces "APT actors" with "Russian government cyber actors." The DHS said that based on its analysis of malware and indicators of compromise, Dragonfly attacks are ongoing, with threat actors "actively pursuing their ultimate objectives over a long-term campaign."

This is not the first time the U.S. has imposed sanctions on Russia over its attempt to influence elections. Russia has also been accused by Washington and others of launching the NotPetya attack last year. The Kremlin has always denied the accusations, but President Vladimir Putin did admit at one point that patriotic hackers could be behind the attacks.

If Dragonfly and Sofacy (aka Fancy Bear, APT28, Sednit, Tsar Team and Pawn Storm) are truly operating out of Russia, they don't seem to be discouraged by sanctions and accusations. On March 12 and March 14, security firm Palo Alto Networks spotted attacks launched by Sofacy against an unnamed European government agency using an updated variant of a known tool. Sofacy has been using a Flash Player exploit platform dubbed DealersChoice since at least 2016 and it has continued improving it.

The latest version has been delivered to a government organization in Europe using a spear phishing email referencing the "Underwater Defence & Security" conference, which will take place in the U.K. later this month. What makes the new version of DealersChoice interesting, according to Palo Alto Networks, is the fact that it employs a clever evasion technique that has not been seen in the past. Older versions of DealersChoice loaded a malicious Flash object as soon as the bait document was opened.

The latest samples, however, include the Flash object on page three of the document and it's only loaded if users scroll down to it. This Flash object, displayed in the document as a tiny black box, contacts the command and control (C&C) server to download an additional Flash object that contains the actual exploit.

Kaspersky reported last week that it had seen overlaps between attacks launched by Sofacy and campaigns conducted by other state-sponsored cyberspies, including ones linked to China and the United States.

Stealthy Data Exfiltration Possible via Headphones, Speakers

A team of researchers has demonstrated how air-gapped computers can stealthily communicate with each other using speakers or headphones over ultrasonic waves. Experts from the Cyber-Security Research Center at the Ben-Gurion University of the Negev in Israel combined previous research on communications through ultrasonic waves with a technique that can be used to turn a device’s speakers into a microphone in an effort to create a covert data exfiltration channel. Researchers demonstrated several years ago that audio modulation and demodulation can be used to exchange data between computers over the air via the ultrasonic frequency range.

The method requires that the devices communicating with each other are equipped with both microphones and speakers. However, it’s possible to turn speakers, headphones or earphones into microphones using only software, which Ben-Gurion University researchers demonstrated back in 2016 in an attack they dubbed SPEAKE(a)R. Experts have now combined the two methods to show that a piece of malware installed on an air-gapped system fitted with speakers, headphones or earphones can transmit bits of data to one or more nearby devices running malware designed to capture the data via an audio output system turned into a microphone.

These types of attacks, which they have dubbed MOSQUITO, can be launched in scenarios involving desktop computers that don’t have a microphone, or when the microphone on a laptop or desktop system has been disabled or taped. The data exchange can take place over inaudible sound waves at frequencies of 18kHz or higher, which can be captured by regular headphones or speakers. The data can be modulated through audio frequency-shift keying (AFSK), which uses one frequency to transmit “0” bits and a different frequency to transmit “1” bits.

Tests conducted by researchers showed that a transfer rate ranging between 1200 bits/sec and 1800 bits/sec can be obtained for up to 8 meters (26 feet) for audible frequencies transmitted and captured using loudspeakers. The transfer rate drops to between 300 bits/sec and 600 bits/sec for inaudible frequencies.

Experiments conducted using headphones and earphones as recipients showed that they are not much worse than speakers, with transfer rates ranging between 300 bits/sec and 600 bits/sec over distances of 1m (3ft), 5m (16ft) and 8m (26ft). However, performance is significantly degraded when headphones are used both by the sender and the recipient — it only works over a distance of up to 3m (10ft) at a maximum of 250 bits/sec. It’s worth noting that these are upper theoretical transmission rates.

In practice, the transfer rate is influenced by environmental noise, the position of the transmitter and receiver, and bit error rates. “Our experiments shows that at a distance of three meters between two speakers, a transmission rate of 166 bit/sec results in a 1% bit error rate, during the exfiltration of a 1Kbit binary file,” researchers explained in their paper. “However, at distances of 4-9 meters, the 1% bit error rate is only achieved at transmission rates of 10 bit/sec. Our waveform analysis shows that the signal quality is degraded at distances greater than four meters mainly due to the environmental noise, which results in a lower SNR.”

Researchers at the Ben-Gurion University of the Negev previously demonstrated that stealthy data exfiltration is also possible via magnetic fields, infrared cameras, router LEDs, scanners, HDD activity LEDs, USB devices, the noise emitted by hard drives and fans, and heat emissions.

Related: Dell Launches Endpoint Security Product for Air-Gapped Systems

Related: Hackers Can Steal Data From Air-Gapped Industrial Networks via PLCs