Point-of-sale terminal software appears to be an easy target for many attackers. There have recently been several high-profile, and most likely uncoordinated, attacks on retailers across the globe. Not long ago, RSA uncovered a piece of POS malware that steals payment card data and personal identification information.

After running the malicious executable through our Vinsula Execution Engine (VEE) to analyze its behavior, I found that this POS malware is very different from the notorious BlackPOS/Kartoxa malware used in the Target attack.

Attack Overview

The diagram below highlights the key elements of the attack. In essence, once delivered to the POS terminal, the malware scans the memory of running processes for sensitive data such as payment card track data, and also installs a keylogger to capture credentials. The stolen data is then sent to a hidden TOR service.

ChewBacca Diagram

Although ChewBacca doesn't seem to be a very sophisticated piece of code, the executable itself is relatively large, weighing in at 5,103 KB. Here are the hashes of the binary:

  • MD5: 21f8b9d9a6fa3a0cd3a3f0644636bf09
  • SHA256: 31d4e1b2e67706fda51633b450b280554c0c4eb595b3a0606ef4ab8421a04dc9

Here is the VirusTotal reference.

ChewBacca implements two mechanisms for capturing sensitive information from the POS terminal: a memory scanner that extracts payment card details and personal information from other processes, and a keylogger built on the standard Windows API SetWindowsHookEx.

Analysis

Based on the results generated by Vinsula, we can confirm the findings published by Yotam Gottesman (RSA) and Marco (Kaspersky Lab).

The process tree below, as reported by the Vinsula Execution Engine, shows the parent/child relationship between the two processes involved in executing this sample.

+ ChewBacca.exe [Process Id: 312] 
	+ spoolsv.exe [Process Id: 1732] Command Line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe"

The main executable, ChewBacca.exe, copies itself to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe. That is the all-users Startup folder, so the copy is launched at every logon, and it borrows the name of the legitimate Print Spooler binary, which lives in C:\Windows\System32. The malware then launches the new copy, spoolsv.exe, and deletes the original image, ChewBacca.exe.

The newly launched process, spoolsv.exe, sends a request to ekiga.net/ip to discover the external IP address of the point-of-sale terminal.
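The persistence described above leaves an easy hunting signal: a spoolsv.exe running from a Startup folder, started by something other than services.exe. Here is an added example (my own detection logic, not part of the Vinsula report or of the malware) that applies those checks to process records shaped like the VEE process tree. The record format, the parent PIDs, the path of ChewBacca.exe and the legitimate spooler entries are constructed for illustration; only PIDs 2800, 312 and 1732 and the Startup-folder path come from the tree above.

```python
from __future__ import annotations
import ntpath

# Where these service binaries legitimately live and which process legitimately
# starts them (the Print Spooler and svchost are both launched by the Service
# Control Manager, services.exe). Extend the table for your own environment.
SYSTEM_BINARIES = {
    "spoolsv.exe": (r"c:\windows\system32", "services.exe"),
    "svchost.exe": (r"c:\windows\system32", "services.exe"),
}
STARTUP_MARKER = r"\start menu\programs\startup"  # per-user and all-users Startup folders


def hunt(processes: list[dict]) -> list[dict]:
    """Flag processes that masquerade as system binaries or run from a Startup folder."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        image = p["image"].lower()
        name = ntpath.basename(image)
        folder = ntpath.dirname(image)
        parent = by_pid.get(p["ppid"])
        parent_name = ntpath.basename(parent["image"].lower()) if parent else "<unknown>"
        if STARTUP_MARKER in folder:
            findings.append({"pid": p["pid"], "reason": f"{name} executes from a Startup folder"})
        if name in SYSTEM_BINARIES:
            expected_dir, expected_parent = SYSTEM_BINARIES[name]
            if folder != expected_dir:
                findings.append({"pid": p["pid"],
                                 "reason": f"{name} runs from {folder}, not {expected_dir}"})
            if parent_name != expected_parent:
                findings.append({"pid": p["pid"],
                                 "reason": f"{name} started by {parent_name}, not {expected_parent}"})
    return findings


# Constructed process records modelled on the VEE tree: PIDs 2800/312/1732 and the
# Startup-folder path are from the report, everything else is made up for the example.
SAMPLE_PROCESSES = [
    {"pid": 500,  "ppid": 4,    "image": r"C:\Windows\System32\wininit.exe"},
    {"pid": 600,  "ppid": 500,  "image": r"C:\Windows\System32\services.exe"},
    {"pid": 1208, "ppid": 600,  "image": r"C:\Windows\System32\spoolsv.exe"},   # real Print Spooler
    {"pid": 2800, "ppid": 0,    "image": r"C:\Windows\explorer.exe"},
    {"pid": 312,  "ppid": 2800, "image": r"C:\Users\pos\Downloads\ChewBacca.exe"},
    {"pid": 1732, "ppid": 312,
     "image": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_PROCESSES):
        print(f"PID {f['pid']}: {f['reason']}")
```

Run against the sample records, only PID 1732 is reported, three times: it runs from a Startup folder, it is a spoolsv.exe outside System32, and its parent is ChewBacca.exe rather than services.exe. The real spooler (PID 1208 here) passes cleanly, which is the point of checking the image path and the parent rather than the process name alone.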

According to the post published by Marco (Kaspersky Lab), TOR is downloaded and dropped into the user's temp directory, but we were not able to reproduce this with the sample we tested. This is likely because the hidden TOR C2 web server is no longer active.

The malware installs a keylogger using SetWindowsHookExA. The "A" suffix tells us the ANSI (narrow-string) variant of the API is called, which fits a sample built without Unicode support; it does not limit what the hook captures, since a low-level keyboard hook receives virtual-key codes rather than characters. ChewBacca installs its hook procedure by passing WH_KEYBOARD_LL to SetWindowsHookExA, so it sees every keyboard event on the interactive desktop, system-wide, as shown in the VEE report below.

explorer.exe [Process Id: 2800] 
	+ ChewBacca.exe [Process Id: 312] 
		+ spoolsv.exe [Process Id: 1732] 
			Windows Hook WH_KEYBOARD_LL installed: Image:"\Device\HarddiskVolume1\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe"

ChewBacca then enumerates the running processes with the Windows Tool Help library (CreateToolhelp32Snapshot / Process32First / Process32Next) and scans each process's memory for payment card track data and personal information using the following two regular expressions. The first matches Track 2 data (PAN, the "=" separator, then expiry, service code and discretionary data); the second matches Track 1 data (PAN, "^", cardholder name as SURNAME/GIVEN, "^", then expiry, service code and discretionary data):

([0-9]{13,19}[=D][0-9]{5,50})\\?
([0-9]{13,19}[\\^][A-Za-z\\s]{0,30}[\\/][[A-Za-z\\s]{0,30}[\\^]([0-9\\s]{1,70})\\?)

The captured data is written to a file called system.log, which is then sent to the hidden TOR web server with a POST request to http://[Hidden C2].onion/sendlog.php.
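To show what the memory scan described above actually harvests, here is an added example (my own code, not ChewBacca's and not from the RSA or Kaspersky write-ups) that runs the two patterns over a constructed memory buffer, splits each hit into its track fields, and adds the checks a forensic analyst would want when reproducing the scan on a memory dump: a Luhn validation to separate real PANs from random digit runs, and masking so the scan output never contains a full card number. It assumes the doubled backslashes in the quoted patterns are string-literal escaping (so "\\?" is a literal "?", the track end sentinel); the sample buffer and its card numbers are constructed test values, not data from the sample.

```python
from __future__ import annotations
import re

# The two patterns quoted above, with the string-literal escaping un-doubled
# ("\\^" -> "\^"); that reading is an assumption. The inner "[" of the page's
# "[[A-Za-z\s]" is a literal inside the class and is escaped here so Python's re
# module does not warn about a nested set. Both end in a literal "?", the
# magnetic-stripe end sentinel, so they fire only on complete track records.
TRACK2_RE = re.compile(rb"([0-9]{13,19}[=D][0-9]{5,50})\?")
TRACK1_RE = re.compile(
    rb"([0-9]{13,19}[\^][A-Za-z\s]{0,30}[\/][\[A-Za-z\s]{0,30}[\^]([0-9\s]{1,70})\?)"
)


def luhn_ok(pan: bytes) -> bool:
    """ISO/IEC 7812 Luhn check: True for a well-formed PAN, False for a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep BIN and last four only, so the scanner's own output never holds a full PAN."""
    s = pan.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def scan_buffer(buf: bytes) -> list[dict]:
    """Apply the ChewBacca track patterns to a memory buffer and classify each hit."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        # Track 1 layout: PAN ^ SURNAME/GIVEN ^ expiry, service code, discretionary data
        pan, name, _ = m.group(1).split(b"^", 2)
        hits.append({"offset": m.start(), "track": 1, "pan": mask_pan(pan),
                     "name": name.decode("ascii"), "luhn_ok": luhn_ok(pan)})
    for m in TRACK2_RE.finditer(buf):
        # Track 2 layout: PAN = expiry, service code, discretionary data
        pan = re.split(rb"[=D]", m.group(1), maxsplit=1)[0]
        hits.append({"offset": m.start(), "track": 2, "pan": mask_pan(pan),
                     "name": None, "luhn_ok": luhn_ok(pan)})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed "memory page": filler, one Track 1 record and two Track 2 records.
# The PANs are published test numbers, not real cards; the third one fails Luhn.
SAMPLE_MEMORY = (
    b"\x00" * 16 + b"POS v2.3 idle\r\n"
    + b"%B4111111111111111^DOE/JOHN^2512101123456789?"
    + b"\x00" * 8
    + b";5555555555554444=2512101123456789?"
    + b"\x00" * 8
    + b";1234567890123456=2512101123456789?"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(hit)
```

On a live engagement the buffer would come from ReadProcessMemory on each enumerated process, or from a memory image; the patterns themselves are cheap enough to run over every committed region, which is exactly why this class of scraper works. The Luhn result is what tells you which hits are worth escalating: the third record has the right shape but is not a card number.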

Another interesting aspect of this malware is that ChewBacca determines whether the user currently logged on to the POS terminal is a local administrator: it resolves CheckTokenMembership from advapi32.dll at run time and checks the caller's token for membership in the BUILTIN\Administrators group (S-1-5-32-544, the 0x20 and 0x220 sub-authorities in the listing). This information is also submitted to the C2 server. Below is a section of pseudo code from the disassembled version of the malware:

#include <windows.h>
typedef BOOL (WINAPI *PFN_CHECKTOKENMEMBERSHIP)(HANDLE, PSID, PBOOL);
/* Reconstructed from the disassembly: is the caller's token a member of BUILTIN\Administrators? */
BOOL __cdecl ISUSERADMIN(void)
{
  BOOL result = FALSE;
  BOOL isMember = FALSE;
  PSID pSid = NULL;
  SID_IDENTIFIER_AUTHORITY ntAuthority = SECURITY_NT_AUTHORITY;   /* S-1-5 */
  HMODULE hAdvapi = LoadLibraryA("advapi32.dll");
  PFN_CHECKTOKENMEMBERSHIP pfnCheckTokenMembership =
    (PFN_CHECKTOKENMEMBERSHIP)GetProcAddress(hAdvapi, "CheckTokenMembership");
  /* S-1-5-32-544: two sub-authorities, SECURITY_BUILTIN_DOMAIN_RID (0x20), DOMAIN_ALIAS_RID_ADMINS (0x220) */
  if ( NULL != pfnCheckTokenMembership
    && AllocateAndInitializeSid(&ntAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS,
                                0, 0, 0, 0, 0, 0, &pSid) )
  {
    /* NULL token = the calling thread's (or process's) own token. As in the decompiled
       listing, result receives the API's success flag; the membership answer is written to isMember. */
    result = pfnCheckTokenMembership(NULL, pSid, &isMember);
    FreeSid(pSid);
  }
  return result;
}

The malware has been compiled using Free Pascal 2.7.1 [2013/10/22] for i386 – Win32.

All of the strings in the sample are ASCII, and the track patterns match only ASCII digits and letters, so POS software that holds card data in a non-ASCII encoding (UTF-16, for example) would not be matched.

No anti-debugging or anti-reverse engineering techniques seem to be implemented in the ChewBacca malware.