Month: January 2016

CenterPOS – The evolution of POS malware


Security Experts at FireEye discovered a new strain of POS malware dubbed CenterPOS that is threatening the retail systems.

In the last two or three years we have seen a significant increase in the number of POS malware families, and their spread is becoming ever more worrying. We have read about many high-profile breaches involving highly complex malware targeting payment systems worldwide.

Today we look at CenterPOS, malicious code under investigation by FireEye experts. This fairly new malware was discovered in September 2015 in a folder that also contained other POS malware, including NewPoSThings, two Alina variants known as “Spark” and “Joker,” and the infamous BlackPOS malware.

CenterPOS malware 1

The sample analyzed by FireEye carries the internal version number 1.7 and contains a “memory scraper that iterates through running processes in order to extract payment card information. The payment card information is transferred to a command and control (CnC) server via HTTP POST”:

Many variants of version 1.7 were found, associated with different CnC locations:

CenterPOS malware 2

FireEye even discovered a live CnC server, which shows that in the underground the malware is known as “Cerebrus” (don’t confuse it with the RAT also known as Cerberus):

Besides version 1.7, a version 2.0 was found. It is very similar to 1.7, the difference being that version 2.0 uses a config file to store the information related to the CnC server.

“The malware contains two modes for scraping memory and looking for credit card information, a “smart scan” mode and a “normal scan” mode. The “normal scan” mode will act nearly the same as v1.7”

CenterPOS scans all processes, searching for those that meet the following criteria:

  • The process is not the current running process.
  • The process name is not in the ignore list.
  • The process name is not “system,” “system idle process,” or “idle.”
  • The process file version info does not contain “microsoft,” “apple inc,” “adobe systems,” “intel corporation,” “vmware,” “mozilla,” or “host process for windows services.”
  • The process full path’s SHA-256 hash is not in the SHA-256 blacklist.

If a process meets the criteria, “the malware will search all memory regions within the process searching for credit card data with regular expressions in the regular expression list.”
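Seeing which processes survive this filter tells a defender which processes on a POS host a scraper of this kind would actually touch, and therefore where to look for cross-process memory reads from unexpected binaries (for example Sysmon ProcessAccess, event ID 10). The following Python is an added illustration written for this post and is not FireEye’s code or the malware’s: it applies the five criteria above to a constructed process listing. Case-insensitive matching and UTF-8 encoding of the path before hashing are assumptions, since the page does not state them.

```python
import hashlib

# Exclusions exactly as listed on the page. Case-insensitive matching is an assumption.
SKIPPED_NAMES = ("system", "system idle process", "idle")
SKIPPED_VENDOR_STRINGS = (
    "microsoft", "apple inc", "adobe systems", "intel corporation",
    "vmware", "mozilla", "host process for windows services",
)


def path_hash(full_path):
    """SHA-256 of the process's full path. UTF-8 encoding of the path is an assumption."""
    return hashlib.sha256(full_path.encode("utf-8")).hexdigest()


def in_scope(proc, current_pid, ignore_list, path_hash_blacklist):
    """Apply the five criteria: a process that fails any one of them is skipped."""
    if proc["pid"] == current_pid:                      # not the current running process
        return False
    name = proc["name"].lower()
    if name in {n.lower() for n in ignore_list}:        # not in the ignore list
        return False
    if name in SKIPPED_NAMES:                           # not system / idle
        return False
    version_info = proc["version_info"].lower()
    if any(v in version_info for v in SKIPPED_VENDOR_STRINGS):  # vendor strings excluded
        return False
    if path_hash(proc["path"]) in path_hash_blacklist:  # SHA-256 of full path not blacklisted
        return False
    return True


def scoped_process_names(procs, current_pid, ignore_list=(), path_hash_blacklist=frozenset()):
    """Names of the processes that would go on to be scanned."""
    return [p["name"] for p in procs
            if in_scope(p, current_pid, ignore_list, path_hash_blacklist)]


# Constructed process listing for a hypothetical POS host (vendor names and paths invented).
SAMPLE_PROCESSES = [
    {"pid": 4, "name": "System", "path": "", "version_info": ""},
    {"pid": 612, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "version_info": "Microsoft Corporation - Host Process for Windows Services"},
    {"pid": 1330, "name": "firefox.exe", "path": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "version_info": "Mozilla Corporation"},
    {"pid": 2048, "name": "pos_terminal.exe", "path": r"C:\POS\pos_terminal.exe",
     "version_info": "Example Retail Systems"},
    {"pid": 2100, "name": "pos_backup.exe", "path": r"C:\POS\pos_backup.exe",
     "version_info": "Example Retail Systems"},
    {"pid": 4242, "name": "updater.exe", "path": r"C:\Users\Public\updater.exe",
     "version_info": ""},
]


def demo():
    """Treat pid 4242 as 'self' and blacklist pos_backup.exe's path hash; returns scanned names."""
    blacklist = frozenset({path_hash(r"C:\POS\pos_backup.exe")})
    return scoped_process_names(SAMPLE_PROCESSES, current_pid=4242,
                                ignore_list=("explorer.exe",), path_hash_blacklist=blacklist)


if __name__ == "__main__":
    print("processes that would be scanned:", demo())
```

On the constructed listing only pos_terminal.exe survives: the system process, the Microsoft and Mozilla binaries, the blacklisted path and the scraper’s own process are all excluded, which is exactly the set of processes a defender would want memory-access telemetry on.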

The “smart scan” mode begins with a normal scan, and “any process that has a regular expression match will be added to the “smart scan” list. After the first pass, the malware will only search the processes that are in the “smart scan” list.”

“After each iteration of scanning all process memory, the malware takes any data that matches and encrypts it using TripleDES with the key found in the configuration file.”

After each scan, the malware sends information about the compromised system, including its current settings, to the CnC server. The collected info includes all system users, logged-in users, sessions, the process list, and the current settings list. The info is sent in a separate HTTP POST request.

“The malware primarily sends data to the CnC server, but can also receive commands and in addition to processing commands, the malware also accepts commands to update its current settings.”

The next table includes data related to the variants of CenterPOS version 2.0 found by FireEye:

CenterPOS malware 3

As I mentioned at the beginning of the article, many POS malware families were found in the last two or three years, and this is related to the huge demand in the criminal underground. Retailers represent a privileged target for stealing payment card information and making money.

CenterPOS, or Cerebrus, will likely continue to evolve, and its authors will include more functionality in future versions.

If you are interested in more details, please visit the FireEye blog post here.

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics and ethical hacking. He had previous experiences in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog.

Samsung Patches Critical Vulnerabilities in Android Devices


Samsung has released a maintenance update for its major Android flagship Galaxy models to resolve 16 vulnerabilities in these devices.

The updates, available as part of the company’s monthly Security Maintenance Release (SMR) process, include all patches released by Google up to its January 2016 Android Security Bulletin. The release also includes several Samsung Vulnerabilities and Exposures (SVE) items.

Samsung’s January 2016 SMR includes a patch for a remote code execution (RCE) vulnerability in Android Mediaserver (CVE-2015-6636) rated as Critical. During the media file and data processing of a specially crafted file, an attacker could exploit the flaw to cause memory corruption and remote code execution. The vulnerability appears to be similar in scope to the “Stagefright” vulnerability that was disclosed in July 2015, which affected nearly one billion Android devices. Google’s initial patch did not properly address the mediaserver service flaw.

Samsung's latest security update will fix seven flaws specific to Galaxy devices, plus six device-agnostic Android bugs.

Another Critical flaw addressed in the updates is CVE-2015-6617, a flaw in Skia that allows remote attackers to execute arbitrary code or cause a denial of service via a crafted media file. The vulnerability was resolved by Google in the December 2015 bulletin, and Samsung included it in its December SMR too.

This month, Samsung Android devices also received fixes for a series of Android flaws rated Medium risk, such as CVE-2015-6643, CVE-2015-5310, CVE-2015-6644, CVE-2015-6645, all of which were patched in Google’s December 2015 or January 2016 updates for the Nexus devices.

Of the 7 SVE items included in Samsung’s January 2016 SMR, three are rated Critical and could result in arbitrary code execution, memory corruption, or FRP/RL bypass. The first could be triggered when a malformed BMP image is scanned by a facial recognition library, the second is a flaw in ‘’ and can be triggered by a malformed JPEG file, while the third is a bug in download mode that can reset the FRP/RL partition by using ‘Odin’ protocol, according to the release notes.

Samsung also patched a vulnerability resulting from a combination of unprivileged local apps being able to access some providers and an SQL injection (SQLi) flaw, which allowed applications to access all messages from SecEmail. The update also resolves a memory corruption issue rated Medium, along with a Low rated bug that could cause crashes when malicious service commands were called.

Samsung didn’t provide information on all SVEs included in the package, but revealed that at least two of the bugs affect the Samsung Galaxy S6 smartphone. Users are advised to install the security updates as soon as possible, to ensure their devices are protected from any attempts to exploit the fixed vulnerabilities.

Samsung began delivering monthly updates to its Android users in October 2015, after announcing such plans in August. The move followed Google’s decision to resolve flaws in the mobile OS on a monthly basis, after the critical “Stagefright” vulnerability was found in July to affect nearly one billion devices.


Hackers are blackmailing the creator of Open-Source Ransomware


The Turkish security researcher Utku Sen was blackmailed by hackers behind the Magic ransomware to close his projects.

The developers behind the open source-based “Magic” ransomware are blackmailing the creator of Hidden Tear and EDA2 in order to force the developer to abandon the projects.

Recently I wrote about the RANSOM_CRYPTEAR.B ransomware, developed starting from Utku Sen’s proof-of-concept code, which was available online.

According to the experts at TrendMicro, Utku Sen made a serious error in the development, resulting in victims’ files being completely unrecoverable. Researchers who analyzed the source code discovered that it was a modification of a proof-of-concept ransomware dubbed Hidden Tear that was leaked online by the Turkish coder Utku Sen for educational purposes.

It is not surprising that crooks have not missed the occasion as remarked by TrendMicro.

“Unfortunately, anyone on the internet can disregard this warning. This became evident when Trend Micro discovered a hacked website in Paraguay that distributed ransomware detected as RANSOM_CRYPTEAR.B. Our analysis showed that the website was compromised by a Brazilian hacker, and that the ransomware was created using a modified Hidden Tear code.” states a blog post published by TrendMicro.

“Hidden Tear” is available on GitHub and is fully functional: it uses AES encryption to encrypt the files and displays a warning telling users to pay up to get their data back.

ransomware hidden tear open source

“While this may be helpful for some, there are significant risks. The Hidden Tear may be used only for Educational Purposes. Do not use it as a ransomware!” explained utkusen.

The hacker also developed a second open-source project for a ransomware dubbed EDA2. When the problem was discovered, Utku Sen removed all the files from the EDA2 project.

Recently another ransomware, based on the open-source code, has been detected in the wild, it has been dubbed “Magic” because it encrypts user files and adds a “.magic” extension to them.

Now the criminal gang behind the Magic ransomware has begun blackmailing Sen in an effort to shut down Hidden Tear. The group announced in a forum post that they are willing to provide victims with the decryption keys for free if Sen agrees to close his open source ransomware projects.

Sen refused the condition and declared war on the blackmailers.

According to Sen, he deliberately inserted security flaws in both the Hidden Tear and EDA2 to sabotage cybercriminals using the proof-of-concept ransomware.

Sen’s plan worked with Hidden Tear, allowing the recovery of files encrypted by the Linux.Encoder and Cryptear.B ransomware, but it failed with EDA2.

Sen inserted vulnerabilities in EDA2’s control script in order to be able to retrieve the decryption keys. The problem is that, despite the presence of the flaws, the only way to obtain the keys to recover the files was to access the database, which remained in the crooks’ hands: he had forgotten to implement a mechanism that copies the key database from the storage used by the crooks to another archive managed by the researcher.

It is not clear why the hackers behind the Magic ransomware blackmailed Sen; the only certainty is that they don’t want the Hidden Tear project online. They also offered support to the victims if Sen removes Hidden Tear.


A flaw in TeslaCrypt ransomware allows file recovering


The victims of the infamous TeslaCrypt ransomware can now rejoice: there is a free tool to decrypt files encrypted by TeslaCrypt and TeslaCrypt 2.0.

TeslaCrypt is one of the most insidious ransomware families, first detected in the wild in 2015; today I have good news for its victims.

TeslaCrypt was first detected in February 2015; the ransomware was able to encrypt user data, including files associated with video games. In July a new variant, TeslaCrypt 2.0, appeared in the wild, in which the authors improved the encryption mechanism.

Both strains of the ransomware, TeslaCrypt and TeslaCrypt 2.0, are affected by a security flaw that has been exploited by security experts to develop a free file decryption tool.

The design issue affects the encryption key storage algorithm; the vulnerability has been fixed in the new release, TeslaCrypt 3.0, which was improved in a significant way.

teslacrypt ransomware

The security expert Lawrence Abrams published an interesting blog post detailing the issue, confirming that the decryption tool was available for a while but the news was not disclosed to avoid countermeasures of the malware developers.

Unfortunately, TeslaCrypt 3.0 resolves the issue, so the research community decided to release decryption tools publicly (e.g., TeslaCrack):

“For a little over a month, researchers and previous victims have been quietly helping TeslaCrypt victims get their files back using a flaw in the TeslaCrypt’s encryption key storage algorithm. The information that the ransomware could be decrypted was being kept quiet so that the malware developer would not learn about it and fix the flaw. Since the recently released TeslaCrypt 3.0 has fixed this flaw, we have decided to publish the information on how a victim could generate the decryption key for encrypted TeslaCrypt files that have the extensions .ECC, .EZZ, .EXX, .XYZ, .ZZZ, .AAA, .ABC, .CCC, and .VVV. Unfortunately, it is currently not possible to decrypt the newer versions of TeslaCrypt that utilize the .TTT, .XXX, and .MICRO extensions.” wrote Abrams.

As explained in the post, files encrypted with the newer versions of TeslaCrypt are recognizable by the extension (.TTT, .XXX, and .MICRO) and cannot be decrypted.

TeslaCrypt encrypts files with the AES algorithm, which uses the same key for both encryption and decryption. Abrams explained that the threat generated a new AES key each time it was restarted and stored information about that key in each file encrypted during the session. Fortunately, the size of this stored key material made it vulnerable to specialized programs: these programs factorize the large stored number, extract its prime factors and pass them to other specialized tools that reconstruct the decryption key.
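The following Python is an added illustration of the key-recovery idea described above; it is not TeslaCrack, TeslaDecoder or any code from the post, and the file layout, the XOR keystream cipher, the 48-bit key bound and all the numbers in it are constructed for the demo rather than taken from TeslaCrypt. It hides a symmetric key inside a large composite stored next to the ciphertext, factorizes that number with Pollard’s rho, and then tests which product of the prime factors decrypts a known file header, which is the general shape of “factor the stored number, extract the primes, rebuild the key”.

```python
import hashlib
import math
import random
from itertools import combinations

# Constructed toy model; not TeslaCrypt's file format and not TeslaCrack's code.
MAGIC = b"TOYFILE1"        # known plaintext header used to test each key candidate
KEY_BITS = 48              # assumed upper bound on the key size, used to prune candidates
_rng = random.Random(1)    # seeded so the factoring run is repeatable

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases (deterministic for n below roughly 3.3e24)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def pollard_rho(n):
    """Return a non-trivial factor of composite n (Pollard's rho with Floyd cycle finding)."""
    if n % 2 == 0:
        return 2
    while True:
        c = _rng.randrange(1, n)
        x = y = _rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:          # d == n means the walk degenerated; retry with a new c
            return d


def factorize(n):
    """Full prime factorisation of n as a sorted list (with multiplicity)."""
    if n == 1:
        return []
    if is_probable_prime(n):
        return [n]
    d = pollard_rho(n)
    return sorted(factorize(d) + factorize(n // d))


def keystream_xor(key, data):
    """Toy symmetric stream cipher: XOR data with SHA-256(key || block counter) blocks."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key.to_bytes(8, "big") + block_no.to_bytes(4, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def hide_key(key, mask_primes):
    """Model of 'key material stored as one large number': the key times masking primes."""
    return math.prod((key,) + tuple(mask_primes))


def recover_key(stored, ciphertext):
    """Factor the stored number, then find the subset of factors whose product decrypts MAGIC."""
    factors = factorize(stored)
    tried = set()
    for r in range(1, len(factors) + 1):
        for combo in combinations(factors, r):
            cand = math.prod(combo)
            if cand in tried or cand.bit_length() > KEY_BITS:
                continue
            tried.add(cand)
            if keystream_xor(cand, ciphertext[:len(MAGIC)]) == MAGIC:
                return cand
    return None


def demo():
    """Encrypt a constructed file, hide the key, recover it by factoring. Returns (key, recovered, plaintext)."""
    key = 999983 * 1000003                 # constructed 40-bit key, product of two known primes
    masks = (104729, 1299709, 15485863)    # constructed masking primes
    plaintext = MAGIC + b"constructed sample record"
    ciphertext = keystream_xor(key, plaintext)
    stored = hide_key(key, masks)
    recovered = recover_key(stored, ciphertext)
    decrypted = keystream_xor(recovered, ciphertext) if recovered is not None else None
    return key, recovered, decrypted


if __name__ == "__main__":
    k, r, pt = demo()
    print("key recovered:", r == k, pt)
```

The point a practitioner should take from this is the cost asymmetry the post relies on: when the stored value is small enough to factor, a known-plaintext check on the file header is all that is needed to pick the right combination of factors, which is why the fix in TeslaCrypt 3.0 was to change how the key material is stored rather than the cipher itself.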

Another interesting tool for decrypting the files is TeslaDecoder, it has been available for decrypting TeslaCrypt files since May 2015 and it has been updated to recover the encryption key for all TeslaCrypt variants.


Hackers Breach University of Virginia HR System


The University of Virginia said on Friday that hackers managed to break into a “component” of an HR system and access sensitive information including W-2s and banking details of University employees.

In a security incident notice, the University said the FBI recently notified the University of a data breach following a law enforcement investigation, which resulted in suspects overseas involved in the incident being taken into custody.

“In collaboration with the FBI, the University confirmed that unauthorized individuals illegally accessed a component of our human resources system, exposing personally identifiable information of a subset of Academic Division employees,” the notice said.

According to the University, the attack came via a phishing email scam by which the attackers sent emails asking recipients to click on a link and provide user names and passwords.

After successfully gaining valid user credentials, the cybercriminals were able to gain access to the HR system and the W-2s of approximately 1,400 employees. Additionally, direct deposit banking information of 40 employees was accessed.

After investigating the incident, it was determined that the attackers gained access to the HR records beginning in early November 2014, with the last suspected intrusion occurring in early February 2015.

Fortunately, the breach affected a small percentage of the 20,000 people employed by the University.

“Phishing attacks have plagued and ravaged institutions for years, and will only escalate in 2016,” Adam Levin, Chairman and Founder of IDT911, told SecurityWeek. “While we don’t have intimate knowledge of the specific security protocols at UVA, it is clear that even if their IT and Information Security departments did everything right, one or more employees who click on a malicious link can be unwitting co-conspirators in the compromise of a database holding the personal information of countless individuals.”

“Even though this was a relatively small breach, the implications to the victims can be very far-reaching,” said Paul Martini, CEO of iboss Cybersecurity. “Personal and financial information, like the bank documents and Social Security Numbers stolen in the University of Virginia hack, is very lucrative for hackers to sell on the black market. This is another reminder that even sophisticated networks need to improve their safeguards against data breaches by focusing on stopping malware from stealing information after a hacker has infiltrated the network.”


Kovter Malware Victims Were Secret Zombies in the ProxyGate Proxy Network


Legitimate proxy software distributed with Kovter malware.

During the past few months, computers infected with the Kovter click-fraud malware were also secretly added to the proxy network operated by ProxyGate, the Forcepoint team reports.

Kovter is one of the oldest malware strains around, one that has adapted to fit various needs and niches, and survived mainly as a click-fraud toolkit, ideal for making a quick buck out of online ads.

A recent spam campaign detected by Forcepoint (formerly Raytheon|Websense) has identified Kovter delivered through file attachments in the form of ZIP files.

When uncompressed, these ZIP files automatically execute a JavaScript file which connects to a Web server and downloads the Kovter malware.

In this specific campaign, Forcepoint saw this auto-download process abusing an Alexa Top 10 site, but also downloading two additional payloads besides Kovter.

One of them is the Miuref adware while the second was a legitimate executable, the ProxyGate installer.

All three files were executed as soon as they finished downloading, and silently installed their payloads on the victim’s machine without any type of user interaction needed.

Spam campaign’s author may have participated in ProxyGate’s referral program

It is yet unknown why the malware operators installed the ProxyGate application on the victim’s PC. This application does nothing malicious on its own and is designed to add the user’s computer to ProxyGate’s network of available proxy servers.

A possible explanation for these strange actions may be ProxyGate’s referral program, which allows users to boost their own account’s number of free proxies available per day.

The spam campaign’s author may possibly be running other malicious campaigns through ProxyGate’s network and wanted to boost his available proxy output IP addresses by secretly abusing ProxyGate’s referral program by packaging the legitimate installer alongside Kovter’s payload.

This is not the first malware campaign that infected users and added their PC to a proxy network. In the past, the Bunitu and the ProxyBack malware families did the same thing.

Users infected with Kovter may also want to check their computer’s list of installed applications to see whether they have become an unwitting zombie in ProxyGate’s service.

Zcash, an Untraceable Bitcoin Alternative, Launches in Alpha


BITCOIN MAY HAVE become the currency of choice for the anonymity-loving Internet underground. But it’s never been anonymous enough for Zooko Wilcox. As he’ll remind anyone who’ll listen, the blockchain, bitcoin’s very public ledger of all transactions in its crypto-economy, means that unless bitcoin’s users funnel it through intermediaries or special software, their transactions can easily be traced.

Today Wilcox and his startup Zcash are launching the first public alpha release of the cryptography world’s best shot yet at perfectly untraceable digital money. Using a mathematical sleight-of-hand known as a “zero-knowledge proof,” Zcash (until recently known as Zerocoin or Zerocash) offers the same anti-forgery assurances as bitcoin: No one can counterfeit Zcash, or spend the same Zcash “coin” twice. But thanks to its zero-knowledge feature, any spender or receiver can also choose to keep their Zcash payment entirely secret.

The company holds the potential to empower a new form of near-perfect financial privacy—or, put in the terms of less friendly financial regulators, to enable a new form of airtight money laundering. “Consumers want to buy and sell things over the Internet and need privacy from snoops who might use the knowledge of their transactions against them,” says Wilcox, a 41-year-old cryptographer who’s also known in the crypto community for creating Tahoe LAFS, a decentralized, encrypted file-storage system. “This is the first time you can transact with anyone on the Internet, and control over who gets to find out about those transactions is solely in your hands.”

On Wednesday morning Zcash published its source code on Github, and is now allowing anyone to test out the software in what Wilcox calls a “preview.” But in an interview with WIRED he warns that the data moving on the Zcash network doesn’t yet represent actual money, only a “test net” that’s designed to give Zcash a chance to iron out its bugs before anyone makes investments in the cryptocurrency. Wilcox estimates the “real money” launch of Zcash is likely still close to six months away. The prototype version of Zcash that WIRED downloaded still lacked a user interface and instead required figuring out a tough-to-navigate set of command line functions.

Like bitcoin, Zcash’s currency will be created by “mining” computers that compete to solve mathematical problems. But unlike bitcoin and other attempts to create an alternative cryptocurrency or “altcoin,” Zcash is launching as a for-profit company. For its first four years online, a portion of every mined Zcash coin will go directly to Wilcox’s Zcash company and a smaller portion to a non-profit he’s creating to oversee the Zcash code and community longterm. Wilcox says that he plans for 1 percent of Zcash’s currency to ultimately go towards that non-profit, and 10 percent to be paid to the for-profit startup.

That for-profit strategy, Wilcox says, was designed to raise money to fund the project: Much of the 10 percent it earns will repay Wilcox’s investors, who as of November had put more than $715,000 into Zcash. Those investors include Naval Ravikant, an investor in Twitter and Uber, Barry Silbert, the founder of startup equity-trading platform SecondMarket, and Roger Ver, a staunch libertarian who’s invested in bitcoin startups and Bitpay, and who also bankrolled much of the legal defense of now-convicted Silk Road creator Ross Ulbricht. (Wilcox says that Zcash remains on the sidelines of the schism over bitcoin’s scalability and speed that’s currently splitting the cryptocurrency community, though he hopes it will be able to integrate any upgrades to bitcoin’s code that solve those issues.)

Plenty of cryptocurrencies that have boasted features bitcoin lacks have launched and languished over the years, without seeing even a fraction of bitcoin’s adoption. But Wilcox argues that Zcash’s incognito properties, when the currency finally does launch for public consumption and real financial applications, will be crucial for those who need a more privacy-preserving form of digital money. That includes anyone from a medical startup trying to comply with healthcare privacy laws to a businesswoman in Afghanistan dodging corrupt cops and tyrannical male family members. “Privacy makes whole societies safer, stronger and more prosperous,” says Wilcox. “Ubiquitous privacy helps prevent corruption and abuse and oppression.”

Of course, the sort of “ubiquitous privacy” that Zcash is designed to allow will no doubt find fans within black markets, too, like the dark web’s $100 million-a-year drug trade. Until now, bitcoin’s lack of connection to banks or registered services has made it a convenient tool to spend money online without necessarily tying that money to the user’s identity. But the blockchain’s privacy problems have remained a nagging threat to anyone who makes a drug deal using bitcoin’s digital cash. Prosecutors proved bitcoin’s shortcomings for narco-money-laundering applications last year, for instance, when they traced $13.4 million from the drug site Silk Road to Ross Ulbricht’s laptop.

Zcash’s untraceability features promise to remove that sort of blockchain analysis as a tool for law enforcement surveillance. That notion has created controversy around the currency since it was first proposed by a team of cryptographers at Johns Hopkins University. Back then, the anti-money-laundering think tank Global Financial Integrity published an op-ed in the Baltimore Sun describing the idea as a boon to black markets of all kinds, from human trafficking to wildlife poaching. “More girls will be sold as sex slaves, more rhinos will be poached, and every other large-scale transnational crime that you can name is going to become a lot easier if criminals have a way to transfer very large amounts of money completely anonymously,” wrote the group’s spokesperson E.J. Fagan.

Wilcox maintains his stealthy digital cash startup isn’t intended to facilitate crime, but also notes that the company isn’t liable for any criminal applications for which Zcash is used. “The people who built the first cars weren’t held responsible for car accidents or bank robberies,” he says. “The people who use these tools for good or ill are held responsible for that.”

But Wilcox also insists that Zcash’s legitimate applications will outweigh its shady ones. He compares Zerocoin’s ambiguous potential to that of the Internet itself. “Can the internet be used for crime? Yes, it can be, but that’s not what’s important about it.” Wilcox says. “I’m focused on the trillions of dollars of legitimate commerce that flow around the world.”