Before I begin the technical portion of this analysis, it is important to understand the severity of this threat, which is very low. It was initially discovered on the 25th of October 2013; in the world of counter-malware, that is very old news. The recent RSA paper and the industry coverage are more about the ongoing threats to Point of Sale (POS) systems, which have gained the spotlight in part because of the highly visible retail vendors compromised during the holiday season by another POS-targeting malware. At the time of writing there are three families of malware known to target POS systems, listed here in no particular order. The most notable is Kaptoxa/POSRAM (discussed at https://discussions.nessus.org/thread/6993), whose author also wrote BlackPOS; together these make up one family. Decebal, which is 400 lines of Visual Basic Script, is a second family. Chewbacca is the third known family. This only stands to reason, as virtually all current malware is written either for financial gain or for intelligence purposes; very few new creations come from the old-style amateur authors who wanted to be the first to infect a platform or to project a message. While the likelihood of infection by POS-targeting malware is low, even for retail organizations, the damage it can do once inside can be devastating to the organization.
Trojan.Win32.FSYSNA.fej AKA Chewbacca
Chewbacca is a generic key logger and memory scanner, discovered around October 25, 2013, that targets Point of Sale (POS) systems. Looking at the original Kaspersky report, I found some things that would be very useful for our SecurityCenter users who need to check whether any of these indicators are present on their network.
Creating An Asset of POS Systems
We have found that malware targeting POS systems looks for systems running pp.exe, PosW32.exe, pos.exe and epsenginesrv.exe. With Nessus plugin 70329, a dynamic asset list can be created that leverages multiple text searches for these process name strings.
This creates a list of IP addresses of systems that have those processes running. An asset list of POS systems is useful for further reporting and for analysis of network traffic, such as isolating TOR traffic to or from these devices.
Looking for Created Files
The trojan creates a copy of itself in the Windows Start > Startup directory with the file name “spoolsv.exe”, 5 megabytes in size, to disguise itself as the Windows printer spooler. It also creates “Tor.exe” in the user’s temp directory; this is the complete TOR package, which allows encrypted traffic to and from the command and control server. The data staged for exfiltration is stored in the %TEMP% directory with the file name “system.log”. All three files can be found with Nessus plugin 70329. In addition to searching for the existence of the files, a user could search the LCE logs for evidence of these in the process execution summary, and the list of running processes that Nessus gathers in its audits.
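The two checks above (building a POS asset list from the four process names, and spotting the dropped spoolsv.exe and Tor.exe in the running-process list) can be driven from one per-host process inventory. The script below is an added example, not Tenable's plugin code: the inventory layout (host IP mapped to name, image path and size) is an assumption standing in for what a Nessus process audit reports, and the sample inventory is constructed.

```python
"""Build a POS asset list and flag Chewbacca-style dropped files from a
per-host running-process inventory.

Added example, not Tenable's code. The inventory format (host -> list of
(process name, image path, size in bytes)) is an assumption; the sample
inventory is constructed.
"""

# Process names the article says POS-targeting malware looks for
POS_PROCESS_NAMES = {"pp.exe", "posw32.exe", "pos.exe", "epsenginesrv.exe"}

# Dropped-file indicators quoted from the Kaspersky report
SPOOLSV_EXPECTED_SIZE = 5 * 1024 * 1024   # ~5 MB copy placed in Startup
SIZE_TOLERANCE = 512 * 1024               # assumption: accept +/- 512 KB

# Constructed sample inventory: host -> [(name, full path, size in bytes)]
SAMPLE_INVENTORY = {
    "10.1.20.11": [
        ("posw32.exe", r"C:\POS\PosW32.exe", 2_100_000),
        ("spoolsv.exe", r"C:\Windows\System32\spoolsv.exe", 700_000),
    ],
    "10.1.20.12": [
        ("pos.exe", r"C:\Retail\pos.exe", 1_800_000),
        ("spoolsv.exe",
         r"C:\Users\cashier\AppData\Roaming\Microsoft\Windows"
         r"\Start Menu\Programs\Startup\spoolsv.exe", 5_242_880),
        ("tor.exe", r"C:\Users\cashier\AppData\Local\Temp\Tor.exe", 3_000_000),
    ],
    "10.1.30.5": [
        ("outlook.exe", r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
         30_000_000),
    ],
}


def build_pos_asset_list(inventory):
    """Return the sorted host IPs running any of the known POS process names."""
    assets = []
    for host, procs in inventory.items():
        names = {name.lower() for name, _path, _size in procs}
        if names & POS_PROCESS_NAMES:
            assets.append(host)
    return sorted(assets)


def _in_startup_folder(path):
    return "\\startup\\" in path.lower()


def _in_temp_folder(path):
    return "\\temp\\" in path.lower()


def find_file_indicators(inventory):
    """Return {host: [reasons]} for hosts whose process list shows
    spoolsv.exe launched from a Startup folder (the real spooler runs from
    System32), noting whether it is roughly 5 MB, or Tor.exe running from
    the user's temp directory."""
    findings = {}
    for host, procs in inventory.items():
        reasons = []
        for name, path, size in procs:
            lname = name.lower()
            if lname == "spoolsv.exe" and _in_startup_folder(path):
                near_5mb = abs(size - SPOOLSV_EXPECTED_SIZE) <= SIZE_TOLERANCE
                reasons.append(
                    f"spoolsv.exe in Startup folder ({path}), {size} bytes"
                    + (" (~5 MB, matches report)" if near_5mb else "")
                )
            if lname == "tor.exe" and _in_temp_folder(path):
                reasons.append(f"Tor.exe in temp directory ({path})")
        if reasons:
            findings[host] = reasons
    return findings


def pos_hosts_with_indicators(inventory):
    """POS assets that also carry the dropped-file indicators."""
    pos = set(build_pos_asset_list(inventory))
    return sorted(h for h in find_file_indicators(inventory) if h in pos)


if __name__ == "__main__":
    print("POS assets:", build_pos_asset_list(SAMPLE_INVENTORY))
    for host, reasons in find_file_indicators(SAMPLE_INVENTORY).items():
        print(host)
        for r in reasons:
            print("  -", r)
    print("POS hosts with indicators:", pos_hosts_with_indicators(SAMPLE_INVENTORY))
```

The path checks are deliberately loose (any `\Startup\` or `\Temp\` segment) so that per-user and all-users Startup folders and both the user and system temp locations are caught; a legitimate spoolsv.exe from System32, as on the first sample host, is not flagged.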
Looking for Network Traffic
During the installation process, the malware determines the public-facing IP address of the compromised machine by making a connection to http://ekiga.net/ip. This website is neither malicious nor associated with the malware itself; rather, it is a publicly available administrative tool. Detection is shown below:
As Chewbacca leverages TOR to exfiltrate data to the command and control (C&C) servers, as well as to receive instructions, companies that have been monitoring traffic for some time can leverage PVS plugins 2542 and 2543 to detect TOR tunnels connected with their POS assets.
As the TOR client communicates via localhost:9050, we can look for that:
- Both Nessus and the PVS can detect if systems are pingable. For example, the PVS includes a plugin 7043 which enumerates all observed IP protocols that the host has communicated on.
- PVS plugins 15 and 3 report all of the clients and servers per port for any given host. This list should be audited to see whether there are any common servers used by the POS systems that could be an internal control point and the source of the shell code.
- PVS plugin 7 logs all ports that have any type of highly random network session which could indicate encryption.
If you are running the Tenable Network Monitor on your network and have configured it to log ICMP traffic, consider auditing this as well for anomalies and odd communication patterns.
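Two of the network-side checks above can be scripted against data a responder already has in hand: the localhost:9050 Tor SOCKS connection from a host's netstat output, and the "highly random network session" heuristic (PVS plugin 7) as a byte-entropy test over captured session payloads. This is an added example, not Tenable's or PVS's code; the netstat lines and session payloads are constructed, and the entropy threshold and the list of ports where encryption is expected are assumptions.

```python
"""Host-side Tor SOCKS detection and an entropy test for encrypted sessions.

Added example, not Tenable's or PVS's code. NETSTAT_SAMPLE mimics the
layout of `netstat -ano` on Windows (TCP rows only) and is constructed;
SAMPLE_SESSIONS are constructed payloads. ENTROPY_THRESHOLD and
ENCRYPTED_EXPECTED_PORTS are assumptions.
"""
import hashlib
import math
from collections import Counter

TOR_SOCKS = ("127.0.0.1", 9050)          # default Tor SOCKS listener

# Constructed netstat -ano style rows: proto, local, foreign, state, pid
NETSTAT_SAMPLE = """\
TCP    127.0.0.1:49712     127.0.0.1:9050      ESTABLISHED  4120
TCP    127.0.0.1:9050      127.0.0.1:49712     ESTABLISHED  4388
TCP    10.1.20.12:49800    203.0.113.10:443    ESTABLISHED  1300
TCP    10.1.20.12:49811    198.51.100.7:80     TIME_WAIT    0
"""


def parse_netstat(text):
    """Parse TCP rows of netstat -ano output into dicts; other rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        proto, local, foreign, state, pid = parts
        lhost, lport = local.rsplit(":", 1)
        fhost, fport = foreign.rsplit(":", 1)
        rows.append({"proto": proto, "local": (lhost, int(lport)),
                     "foreign": (fhost, int(fport)),
                     "state": state, "pid": int(pid)})
    return rows


def tor_client_pids(text):
    """PIDs with an established connection whose far end is localhost:9050,
    i.e. processes using a local Tor SOCKS proxy (the listener itself, PID
    4388 in the sample, is not reported)."""
    return sorted({r["pid"] for r in parse_netstat(text)
                   if r["foreign"] == TOR_SOCKS and r["state"] == "ESTABLISHED"})


def shannon_entropy(data):
    """Bits per byte of the payload; 8.0 means uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


ENCRYPTED_EXPECTED_PORTS = {443, 993, 995, 22}   # assumption: TLS/SSH is normal here
ENTROPY_THRESHOLD = 7.0                          # assumption: above this, treat as random


def random_sessions(sessions):
    """sessions: list of (server port, payload bytes). Return (port, entropy)
    for sessions that look encrypted on a port where encryption is not expected."""
    flagged = []
    for port, payload in sessions:
        h = shannon_entropy(payload)
        if port not in ENCRYPTED_EXPECTED_PORTS and h > ENTROPY_THRESHOLD:
            flagged.append((port, round(h, 2)))
    return flagged


def _pseudo_random(n, seed=b"constructed-sample-seed"):
    """Deterministic stand-in for ciphertext: a SHA-256 hash chain."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sessions: plain HTTP (low entropy), TLS on 443 (expected),
# and a random-looking stream on 8080 (unexpected, flagged).
SAMPLE_SESSIONS = [
    (80, b"GET /ip HTTP/1.1\r\nHost: ekiga.net\r\n\r\n" * 8),
    (443, _pseudo_random(4096)),
    (8080, _pseudo_random(4096, seed=b"other-seed")),
]


if __name__ == "__main__":
    print("PIDs talking to Tor SOCKS:", tor_client_pids(NETSTAT_SAMPLE))
    print("Random-looking sessions on unexpected ports:",
          random_sessions(SAMPLE_SESSIONS))
```

The entropy test is a heuristic: compressed content (images, archives) also scores near 8 bits per byte, so hits on an unexpected port are a cue to pull the session and look at it, not a verdict on their own.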
Nessus Malware Scanner
The Nessus Malware Scan does detect the spoolsv.exe and logs it as a detection: https://malwaredb.nessus.org/malware/96328051b3416eb9d5a0391024c66acf
Searching for Rogue Applications
Keep in mind that:
- Nessus plugin 74442 identifies any Microsoft Windows known-bad AutoRuns / Scheduled Tasks.
- Nessus plugin 70628 identifies AutoRun settings that are unique to a host when compared against the other scanned hosts.
- Nessus plugin 11154 identifies any network service that cannot be identified. We use this for our customers to send us information about new services, but it is also an excellent way to find malware running its own proprietary protocol.
- Nessus plugin 70768 identifies all running processes that have an unknown reputation.