Neutrino modification for POS-terminals

From time to time authors of effective and long-lived Trojans and viruses create new modifications and forks of them, like any other software authors. One of the brightest examples amongst them is Zeus (Trojan-Spy.Win32.Zbot, based on classification of “Kaspersky Lab”), which continues to spawn new modifications of itself each year. In a strange way this malware becomes similar to his prototype from Greek mythology. We can also attribute such malware familes as Mirai, NJRat, Andromeda and so on to this “prolific” group. Malware named “Neutrino” takes an important place in this row of well-known trojans, providing various types of infection, spreading and a useful payload.

In this article we analyze a very special species – a variant which could collect credit card information from POS.

Products of “Kaspersky Lab” detect it as Trojan-Banker.Win32.NeutrinoPOS

MD5 of descripted file: 0CF70BCCFFD1D2B2C9D000DE496D34A1

First stage

The Trojan takes a long “sleep” before it starts. It seems that such code was added to fool some AV sandboxes. To determine the period of delay, the Trojan uses a pseudorandom number generator.

C&C Communication

At the next stage, the Trojan extracts a C&C-address list from its body. The list is encoded at Base64. After decoding, the Trojan tries to find a working C&C, using the following algorithm:

• Sends POST-request to server, passing through its body encoding in base64 string “enter” (ZW50ZXI=). All encoded strings contains prefix “_wv=”
• Working server responds with 404 page, which contains at the end of it encoded string c3VjY2Vzcw== (success). In case of “success”, the rTojan marks the address of the used servers as working.

We should also notice that in the header of each POST-request there is “auth” field, which stays the same for each sample from family NeutrinoPOS.

Restored code of C&C-server check

The C&C address stored at registry branch HKCR\Sofrware\alFSVWJBis the same as other variables and data usedby NeutrinoPOS sample. Branch name differs from the one described here, but after full comparison of both samples, we can claim that both samples are the same modification of Neutrino.

C&C Commands

The described variant contains listed functions:

• Download and start file;
• Make screenshot;
• Search process by name;
• Change register branches;
• Search file by name on infected host and send it to C&C;
• Proxy

The server sends commands in plain view, like “PROXY”, “screenshot” and so on, encoded in base64. Following analysis we can claim that in the current versions of Neutrino there is no functions for DDOS attacks.

Implementation of command control sum calculating

Examples of few commands (marked with red line on screenshot above):

• Rolxor(“PROXY”) = 0xA53EC5C
• Rolxor(“screenshot”) = 0xD9FA0E3

NeutrinoPOS command handler

Stealing of credit cards

The algorithm for stealing credit card information is implemented in the Trojan in quite a simple way and described as follows:

1. The Trojans start to work through currently running processes, using CreateToolhelp32Snapshot\ Process32FirstW\Process32NextW.
2. Using OpenProcess\VirtualQuery\ReadProcessMemory, the Trojan gets information about the memory pages of the process.
3. The Trojan scans the memory pages for string “Track1”, which marks fields of the first track of the magnetic card. All described fields going one by one:
   • Sequence of symbols in range from ‘0’ to ‘9’ with length equal to 15, 16 or 19. Sequence checking with Luhn algorithm.
     
   • Check presence of separation symbol ‘^’ in next and previous fields.
   • Extract card holder name, with max length, basing on ISO/IEC 7813, equal to 26 symbols:
   • Rest data (CVC32, expiration date, CVV) extracts as whole block, with check of length and content :
4. Collected data sends to server with mark “Track1”.
5. After that, the Trojan starts to extracts next fields with mark “Track2” at the beginning:
   • At firsts, it extracts PAN with the same checks as on the previous stage.
   • As separation symbol using ” ‘ ” or ‘D’
   • Track2 doesn’t contains card holder name — rest data extracts as whole block
6. Collected data sent to server with mark “Track2”

Distribution Statistics

The largest areas of infection are Russia and Kazakhstan. Nearly 10% of infected computers belong to small business corporate customers.

Conclusion

As we can see from the described Trojan Neutrino, despite belonging to an old, well-known and researched family, it continues to bring various surprises to malware analysts and researchers in the form of atypical functionality or application. We can see the same situation with Mirai forks, for example, which generate an enormous count across all platforms and in different species

Generally speaking, all publications of malware source code with good architecture and various functionality will cause interest and attention from malware authors, who will try to use it for nearly all possible ways of illegal money gain. We can assume that right now there may already be new modifications of Neutrino with functionality for crypto-currency mining.

MD5

CECBED938B10A6EEEA21EAF390C149C1

66DFBA01AE6E3AFE914F649E908E9457

4DB70AE71452647E87380786E065F31E

9D70C5CDEDA945CE0F21E76363FE13C5

B682DA77708EE148B914AAEC6F5868E1

5AA0ADBD3D2B98700B51FAFA6DBB43FD

A03BA88F5D70092BE64C8787E7BC47DE

D18ACF99F965D6955E2236645B32C491

3B6211E898B753805581BB41FB483C48

7D28D392BED02F17094929F8EE84234A

C2814C3A0ACB1D87321F9ECFCC54E18C

74404316D9BAB5FF2D3E87CA97DB5F0C

7C6FF28E0C882286FBBC40F27B6AD248

729C89CB125DF6B13FA2666296D11B5A

855D3324F26BE1E3E3F791C29FB06085

2344098C7FA4F859BE1426CE2AD7AE8E

C330C636DE75832B4EC78068BCF0B126

CCBDB9F4561F9565F049E43BEF3E422F

53C557A8BAC43F47F0DEE30FFFE88673

C&C

hxxp://pranavida.cl/director/tasks.php

hxxps://5.101.4.41/panel/tasks.php

hxxps://5.101.4.41/updatepanel/tasks.php

hxxp://jkentnew.5gbfree.com/p/tasks.php

hxxp://124.217.247.72/tasks.php

hxxp://combee84.com/js/css/tasks.php

hxxp://nut29.xsayeszhaifa.bit/newfiz29/logout.php

hxxp://nut29.nsbacknutdoms11war.com/newfiz29/logout.php

hxxp://jbbrother.com/jbb/meaca/obc/pn/tasks.php

hxxp://ns1.posnxqmp.ru/PANEL/tasks.php

hxxp://nut25.nsbacknutdoms11war.com/newfiz25/logout.php

hxxp://propertiesofseyshellseden.com/newfiz21/logout.php

hxxp://n31.propertiesofseyshellseden.com/newfiz31/logout.php

hxxp://propertiesofseyshellseden.com/newfiz21/logout.php

hxxp://n31.propertiesofseyshellseden.com/newfiz31/logout.php