March 22, 2024
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]
Rewterz Threat Advisory – CVE-2020-9046 – ICS: Johnson Controls Kantech EntraPass
May 28, 2020
Rewterz Threat Alert – Turla and ComRAT v4
May 28, 2020
Rewterz Threat Advisory – CVE-2020-9046 – ICS: Johnson Controls Kantech EntraPass
May 28, 2020
Rewterz Threat Alert – Turla and ComRAT v4
May 28, 2020
Severity
Medium
Analysis Summary
The researchers has analyzed a piece of malware being used to scrape credit card information at the Point-of-Sale (PoS). Using a previously leveraged malware family and living off the land techniques, the threat group has managed to compromise several PoS terminals. The malware uses PsExec and compromised credentials to implant a pair of files to three separate PoS systems. A PowerShell script is saved as a batch file and an image file. Several pairs, in differing combination, have been discovered. Although the pairs and specific tools and techniques employed differ, the basic functionality is the same. The image file’s contents are loaded into memory by the batch file. The script injects the image file data into its own process. Raw shell code is appended to the PNG file in order to gain access. The shell code is a variant of the TinyPOS family. A file is created in order to store the scraped credit card data. The file is then uploaded to a C2 server in an encoded format.
Impact
Data Disclosure
Indicators of Compromise
MD5
- 9e56cd1c62a11b3f6f789da56cfe581d
- 2146d62b2be5b4ec04cd297c4e3094d1
SHA-256
- 15712752daf007ea0db799a318412478c5a3a315a22932655c38ac6485f8ed00
- e48af0380d51eff554d56aabeeb5087bba37fa8fb02af1ccd155bb8b5079edae
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.