More than four years ago, we published a series of blogs discussing in-depth analysis of Alina Point of Sale (PoS) malware. And for the past four years, it is interesting to see how different iterations of Alina POS malware keeppopping up. We recently came across another modified version of this malware and it came as no surprise that it shared the same codebase with the source code that was leaked years ago. This particular variant was modified to the bare minimum - stripping off rootkit capability, process injection, use of named-pipe and mutex, and use of minimal C&C commands. This variant is so stripped down it also got rid of using version numbers and aliases.
Exfiltration through SSL
Unlike previous Alina variants that had been using a plain HTTP POST to exfiltrate credit card data, this variant had added a layer of encryption by sending POST data through a SSL tunnel.
Stolen credit card data are first obfuscated by utilizing a legacy XOR scheme previously found in Alina version 5.x (discussed in this blog).
Then data is tunneled through a POST request using SSL3 with the following flag options:
INTERNET_FLAG_SECURE
INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
INTERNET_FLAG_IGNORE_CERT_CN_INVALID
It is interesting, however, that when downloading an executable file update, this variant still uses a plain old HTTP POST request through port 80 to do so.
I would say, "fair enough", file updates are not that sensitive unlike stolen credit card data. I hope you would agree with that one!
Minimalistic set of C&C commands
This variant only recognizes three C&C commands:
Command |
Description |
update=<url> |
malware update |
dlex=<url> |
download and execute file |
chk=<crc checksum> |
update file checksum |
It got rid of the following commands for setting the following configuration below that were previously found in the older variants:
updateinterval=<integer>: Change interval between update requests
cardinterval=<integer> : Change interval between card exfiltration
log=1 : Enable logging
log=0 : Disable logging
Perhaps the attacker didn't have intention of changing the settings on-the-fly and just set hardcoded values in the malware code.
Blacklists
It seems every new Alina variant includes an updated blacklist of processes that are not scraped for credit card data. This version takes the same blacklist from Alina 5.x versions and adds additional applications to the list:
From Alina 5.x:
explorer.exe
chrome.exe
firefox.exe
iexplore.exe
svchost.exe
smss.exe
csrss.exe
wininit.exe
steam.exe
devenv.exe
thunderbird.exe
skype.exe
pidgin.exe
services.exe
dwm.exe
dllhost.exe
jusched.exe
jucheck.exe
lsass.exe
winlogon.exe
alg.exe
wscntfy.exe
taskmgr.exe
spoolsv.exe
QML.exe
AKW.exe
Additional process names added:
OneDrive.exe
VsHub.exe
Microsoft.VsHub.Server.HttpHost.exe
vcpkgsrv.exe
Logging of scraped credit card data
This variant creates a file named "wshelper.cache.dll" in the current directory where it logs scraped credit card data in plain text.
We can add that dumping plain text CC details to a file is a naïve move on the part of the attackers and could serve as a strong IOC for the defenders.
Installation and Persistence
Unlike previous versions, this variant register itself as a service with the following details. The installation can be invoked by the command line option "install"
Service name: WinErrSvc
Display name: Windows Error Reporting Service Log
Description: Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services. If this service is stopped, error reporting might not work correctly and results of diagnostic services and repairs might not be displayed.
Path to executable: <malware path>
To reverse the installation, it can be removed by the command line parameter "uninstall" and can be restarted with the option "restart".
Conclusion:
Perhaps one of the reason why we keep seeing new variants of Alina POS is the accessibility of its source code and it is freely available to anyone. It will be no surprise if we see another version of it in the future either stripped or with more improvements.
Even though the addition of SSL capability for credit card exfiltration makes it a little bit harder for defenders to detect Alina's network activity, some other aspect of it are easily detectable including downloading of executable files in plain HTTP. We've listed indicators below to help incident response detect it.
IOC:
File/Folder | Description | SHA1 |
C:\Windows\System32\config\systemprofile\AppData\Roaming\ntkrnl |
copy of itself encrypted with RC4 with the key "123456" | 6fe0e91b2c96c7233dd1cdfc3ac30aa5a57a8fd6 |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Installed | folder | |
wnhelp.exe | main malware executable | 713f68e8f30d37cb00d60414ce60fb3f6d645946 |
wshelper.cache.dll | log file for credit card data |
Registry key:
HKEY_LOCAL_MACHINE\Software\CurrentControlSet\services\WinErrSvc
HKEY_CURRENT_USERS\Software\Microsoft\Windows\CurrentVersion value:identifier
Exfiltration URL:
www[.]sagdao[.]com/wp555/gate1.php