Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Minimalist Alina PoS Variant Starts Using SSL

More than four years ago, we published a series of blogs discussing in-depth analysis of Alina Point of Sale (PoS) malware. And for the past four years, it is interesting to see how different iterations of Alina POS malware keeppopping up. We recently came across another modified version of this malware and it came as no surprise that it shared the same codebase with the source code that was leaked years ago. This particular variant was modified to the bare minimum - stripping off rootkit capability, process injection, use of named-pipe and mutex, and use of minimal C&C commands. This variant is so stripped down it also got rid of using version numbers and aliases.

Exfiltration through SSL

Unlike previous Alina variants that had been using a plain HTTP POST to exfiltrate credit card data, this variant had added a layer of encryption by sending POST data through a SSL tunnel.

8285_208afad6-e552-475c-a60f-2d59101acc8f

Stolen credit card data are first obfuscated by utilizing a legacy XOR scheme previously found in Alina version 5.x (discussed in this blog).

10019_774714fa-673c-45ef-988c-f13f6c65b74d

Then data is tunneled through a POST request using SSL3 with the following flag options:

INTERNET_FLAG_SECURE
INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
INTERNET_FLAG_IGNORE_CERT_CN_INVALID

8776_39485adf-93d8-4074-a687-6429f87f04f7

It is interesting, however, that when downloading an executable file update, this variant still uses a plain old HTTP POST request through port 80 to do so.

8973_4455b1bf-83df-4520-8766-33422e7e67f3

I would say, "fair enough", file updates are not that sensitive unlike stolen credit card data. I hope you would agree with that one!

Minimalistic set of C&C commands

This variant only recognizes three C&C commands:

Command

Description

update=<url>

malware update

dlex=<url>

download and execute file

chk=<crc checksum>

update file checksum

 

It got rid of the following commands for setting the following configuration below that were previously found in the older variants:

updateinterval=<integer>: Change interval between update requests
cardinterval=<integer> : Change interval between card exfiltration
log=1 : Enable logging
log=0 : Disable logging

Perhaps the attacker didn't have intention of changing the settings on-the-fly and just set hardcoded values in the malware code.

10912_9f69da12-0bcc-430a-810b-430ce1cb1048

Blacklists

It seems every new Alina variant includes an updated blacklist of processes that are not scraped for credit card data. This version takes the same blacklist from Alina 5.x versions and adds additional applications to the list:

From Alina 5.x:

explorer.exe
chrome.exe
firefox.exe
iexplore.exe
svchost.exe
smss.exe
csrss.exe
wininit.exe
steam.exe
devenv.exe
thunderbird.exe
skype.exe
pidgin.exe
services.exe
dwm.exe
dllhost.exe
jusched.exe
jucheck.exe
lsass.exe
winlogon.exe
alg.exe
wscntfy.exe
taskmgr.exe
spoolsv.exe
QML.exe
AKW.exe

Additional process names added:

OneDrive.exe
VsHub.exe
Microsoft.VsHub.Server.HttpHost.exe
vcpkgsrv.exe

Logging of scraped credit card data

This variant creates a file named "wshelper.cache.dll" in the current directory where it logs scraped credit card data in plain text.

12329_e58d1d5e-26ce-4be2-acc3-1894f19cc1b2

We can add that dumping plain text CC details to a file is a naïve move on the part of the attackers and could serve as a strong IOC for the defenders.

9499_5c9017de-be0e-4e22-b8d4-5f99bbb914ff

Installation and Persistence

Unlike previous versions, this variant register itself as a service with the following details. The installation can be invoked by the command line option "install"

Service name: WinErrSvc
Display name: Windows Error Reporting Service Log
Description: Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services. If this service is stopped, error reporting might not work correctly and results of diagnostic services and repairs might not be displayed.
Path to executable: <malware path>

To reverse the installation, it can be removed by the command line parameter "uninstall" and can be restarted with the option "restart".

12642_f21de31b-73fc-49b7-9788-980f98d0a0c1

Conclusion:

Perhaps one of the reason why we keep seeing new variants of Alina POS is the accessibility of its source code and it is freely available to anyone. It will be no surprise if we see another version of it in the future either stripped or with more improvements.

Even though the addition of SSL capability for credit card exfiltration makes it a little bit harder for defenders to detect Alina's network activity, some other aspect of it are easily detectable including downloading of executable files in plain HTTP. We've listed indicators below to help incident response detect it.

IOC:

File/Folder Description SHA1

C:\Windows\System32\config\systemprofile\AppData\Roaming\ntkrnl
copy of itself encrypted with RC4 with the key "123456" 6fe0e91b2c96c7233dd1cdfc3ac30aa5a57a8fd6
C:\Windows\System32\config\systemprofile\AppData\Roaming\Installed folder  
wnhelp.exe main malware executable 713f68e8f30d37cb00d60414ce60fb3f6d645946
wshelper.cache.dll log file for credit card data  

 

Registry key:

HKEY_LOCAL_MACHINE\Software\CurrentControlSet\services\WinErrSvc
HKEY_CURRENT_USERS\Software\Microsoft\Windows\CurrentVersion value:identifier

Exfiltration URL:

www[.]sagdao[.]com/wp555/gate1.php

 

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo