Dexter – Draining blood out of Point of Sales
The holiday season is here and with it comes a rise in credit card use. Cybercriminals know this and have been infecting consumer PCs with information stealing trojans for years. Recently however, Seculert identified a growing trend whereby cybercriminals are targeting Point of Sale (POS) systems. Instead of going through the trouble of infecting tens of thousands of consumer PCs or physically installing a skimmer, an attacker can achieve the same results by targeting just a few POS systems with specially crafted malware. Dexter is one example of such malware.
Dexter is custom-made malware that has been used over the past 2-3 months to infect hundreds of POS systems. Some of the targeted POS systems belong to big-name retailers, hotels, restaurants and even private parking providers. The name Dexter comes from a string found in one of the malware-related files and in its Track 1 / Track 2 online parsing tool (See Figure 1).
The POS systems targeted by Dexter are located in 40 different countries worldwide. 42 percent of the POS systems are located in North America, while 19 percent are located in the United Kingdom (See Figure 2).
Dexter steals the process list from the infected machine and parses memory dumps of specific POS-software processes, looking for Track 1 / Track 2 credit card data. This data will most likely be used by cybercriminals to clone the credit cards that were used at the targeted POS system (see cloning demo video here).
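The data Dexter hunts for has a fixed magnetic-stripe layout (ISO 7813 Track 1 and Track 2), which is also what a defender scans process memory for when assessing whether a POS host exposes cardholder data in cleartext. The following Python scan is an added example, not code from the original post or from Seculert; the memory-dump excerpt, the process name and the card number 4111111111111111 (a standard Luhn-valid test PAN) are constructed test data, and the report masks PANs so the scan output is not itself cardholder data.

```python
import re

# Constructed memory-dump excerpt (test data, not from the original post). It
# embeds the Luhn-valid test PAN 4111111111111111 in Track 1 and Track 2 layout
# among unrelated bytes, plus one Track 2 record with a Luhn-invalid PAN that
# a scan must not report as an exposure.
SAMPLE_DUMP = (
    b"\x00\x00POSAPP.EXE\x00log=ok\x00"
    b"%B4111111111111111^DOE/JOHN^25121011234567890?"
    b"\x00\x00garbage;4111111111111111=25121011234567890?\x00"
    b";1234567890123456=2512101?"
    b"\x00http://example.invalid/page=1"
)

# ISO 7813 magnetic-stripe layouts as they appear in memory:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    rb"%B(\d{13,19})\^([A-Z /.\-]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]{0,40})\?")
TRACK2_RE = re.compile(
    rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,40})\?")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: separates real PANs from digit runs that merely look like one."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN (first 6) and last 4 digits in any report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> list[dict]:
    """Return every Track 1 / Track 2 record found in buf, flagged by Luhn validity."""
    findings = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        findings.append({
            "track": 1, "offset": m.start(), "pan": mask_pan(pan),
            "luhn_ok": luhn_valid(pan),
            "expiry": "20%s-%s" % (m.group(3).decode(), m.group(4).decode()),
            "service_code": m.group(5).decode(),
        })
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        findings.append({
            "track": 2, "offset": m.start(), "pan": mask_pan(pan),
            "luhn_ok": luhn_valid(pan),
            "expiry": "20%s-%s" % (m.group(2).decode(), m.group(3).decode()),
            "service_code": m.group(4).decode(),
        })
    return sorted(findings, key=lambda f: f["offset"])


def exposed_records(buf: bytes) -> list[dict]:
    """Only Luhn-valid hits count as cardholder-data exposure."""
    return [f for f in scan_for_track_data(buf) if f["luhn_ok"]]


if __name__ == "__main__":
    for f in scan_for_track_data(SAMPLE_DUMP):
        print(f)
```

Run against a real process dump, the Luhn filter is what keeps the report usable: POS memory is full of digit runs (timestamps, transaction ids) and the format regexes alone would flag many of them. A positive result on a POS process means the process holds track data in cleartext, which is exactly the exposure a RAM scraper like Dexter exploits; the remediation is on the software side (end-to-end encryption at the reader, not decrypting track data in the POS process), not on the scanner.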
How the POS systems are targeted is not yet known for certain, but by observing Dexter’s administration panel (See Figure 3), Seculert was able to identify that over 30 percent of the targeted POS systems were running Windows Server (See Figure 4). This is an unusual proportion for the regular “web-based social engineering” or “drive-by download” infection methods.
The following are MD5s of Dexter related malware samples:
2d48e927cdf97413523e315ed00c90ab
70feec581cd97454a74a0d7c1d3183d1
f84599376e35dbe1b33945b64e1ec6ab
ed783ccea631bde958ac64185ca6e6b6
Is your network compromised? Take a free trial of Seculert and discover threats your other security solutions have missed.
Are the targeted systems POS devices, or back office servers?
I ask, as when I was performing these types of exams, we found RAM scrapers on the back office server…the actual POS devices themselves didn’t run Windows.
If the POS devices are what’s being compromised, that’s interesting…many smaller organizations may have many POS devices, but only one back office server.
How would you think that the bad guy is gaining access to the POS device?
Does anyone have IDS signatures (i.e. Snort) for this malware or know of a way we could get them?
Would there be any mitigating value in blocking the C and C servers at the IP level on firewalls? If so, would you be willing to post the range we should block?
From user names in the screenshots, I see at least one compromised machine that appears to be running Micros POS software. Does Dexter appear to be targeting any particular vendor(s) of POS software? Skipping over any major ones?
Do the targeted companies appear to be small shops that would tend to have POS software on their main (only?) computer, or larger chain merchants with infected back-of-house computers? Mix of both?
Can you share fuzzy hashes / CTPH (produced by ssdeep) for these samples?
MICROS (from micros systems inc) does not run on Windows Home Server.
Micros doesn’t run on Home Server, or isn’t supported? You’re assuming the attacker did a good job determining the OS on target machines.
I’d love to find out some more about this malware. The hashes are good, as companies should have measures in place to scan systems for specific file hashes but as far as an initial infection vector or post-infection network traffic, is there any more information?
Snort rules? Samples? IP addresses involved? I think with something that appears to be rather wide-spread, publishing IOCs would be a very noble move
I played around for a minute with Snort, and this seems to detect it based on the post payload.
alert tcp any any -> any any (msg:"Dexter POS Infostealer"; pcre:"/page=.*\&unm=.*\&cnm=.*\&query=.*\&spec=.*\&view=.*/"; sid:123456789;)
My tests came up with the target IP: 193.107.17.126
I was provided these addresses as offending addresses from a PCI cert agency…
• 11e2540739d7fbea1ab8f9aa7a107648.com
• 7186343a80c6fa32811804d23765cda4.com
• e7dce8e4671f8f03a040d08bb08ec07a.com
• e7bc2d0fceee1bdfd691a80c783173b4.com
• 815ad1c058df1b7ba9c0998e2aa8a7b4.com
• 67b3dba8bc6778101892eb77249db32e.com
• fabcaa97871555b68aa095335975e613.com
• 173.255.196.136
• 176.31.62.77
176.31.62.77 = 176-31-62-77.this.domain.has.been.sinkholed.by.zinkhole.org
At least one from the list is a sinkhole.
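The indicators collected in this thread (the four MD5s from the post, the commenter's Snort parameter pattern, the C&C domains and IPs, and the note that one IP is now a sinkhole) can be turned into a small host and proxy-log check. The following Python is an added example, not code from the original post or from Seculert; the proxy log lines, the file inventory and the client addresses are constructed, and the POST-body parameter check is written as a set test rather than the Snort rule's ordered regex so that a reordered body is still matched.

```python
from urllib.parse import parse_qs

# Indicators quoted in the post and the comment thread.
DEXTER_MD5S = {
    "2d48e927cdf97413523e315ed00c90ab",
    "70feec581cd97454a74a0d7c1d3183d1",
    "f84599376e35dbe1b33945b64e1ec6ab",
    "ed783ccea631bde958ac64185ca6e6b6",
}
DEXTER_DOMAINS = {
    "11e2540739d7fbea1ab8f9aa7a107648.com",
    "7186343a80c6fa32811804d23765cda4.com",
    "e7dce8e4671f8f03a040d08bb08ec07a.com",
    "e7bc2d0fceee1bdfd691a80c783173b4.com",
    "815ad1c058df1b7ba9c0998e2aa8a7b4.com",
    "67b3dba8bc6778101892eb77249db32e.com",
    "fabcaa97871555b68aa095335975e613.com",
}
DEXTER_IPS = {"173.255.196.136", "176.31.62.77", "193.107.17.126"}
SINKHOLED_IPS = {"176.31.62.77"}   # per the comment above: now a zinkhole.org sinkhole
# Parameter names from the commenter's Snort rule, checked as a set.
DEXTER_POST_PARAMS = ("page", "unm", "cnm", "query", "spec", "view")

# Constructed proxy log (not real traffic). Pipe-separated fields:
# timestamp|client|dst_ip|host|method|path|post_body
PROXY_LOG = [
    "2012-12-11T10:02:13Z|10.0.5.21|193.107.17.126|193.107.17.126|POST|/gateway"
    "|page=x1&unm=posuser&cnm=REG-01&query=0&spec=0&view=0",
    "2012-12-11T10:05:44Z|10.0.5.22|176.31.62.77|7186343a80c6fa32811804d23765cda4.com|POST|/"
    "|page=x2&unm=admin&cnm=BOH-SRV&query=0&spec=0&view=0",
    "2012-12-11T10:06:01Z|10.0.5.30|192.0.2.10|www.example.com|GET|/index.html|",
    "2012-12-11T10:07:15Z|10.0.5.31|192.0.2.10|www.example.com|POST|/login|user=clerk&page=2",
]

# Constructed file inventory of (path, md5); the second hash is the MD5 of an
# empty file and stands in for any clean binary.
FILE_INVENTORY = [
    ("C:\\constructed\\suspicious.bin", "2D48E927CDF97413523E315ED00C90AB"),
    ("C:\\constructed\\clean.bin", "d41d8cd98f00b204e9800998ecf8427e"),
]


def has_dexter_post_shape(body: str) -> bool:
    """True when every parameter name from the Snort rule is present, in any order."""
    params = parse_qs(body, keep_blank_values=True)
    return all(name in params for name in DEXTER_POST_PARAMS)


def classify_request(line: str) -> list[str]:
    """Return the list of reasons a single proxy log line matches the Dexter IOCs."""
    _ts, _client, dst_ip, host, method, _path, body = line.split("|", 6)
    reasons = []
    if host.lower() in DEXTER_DOMAINS:
        reasons.append("c2_domain")
    if dst_ip in DEXTER_IPS:
        # A sinkholed destination still means the client is infected; it only
        # means the operator no longer receives the data.
        reasons.append("c2_ip_sinkholed" if dst_ip in SINKHOLED_IPS else "c2_ip")
    if method == "POST" and has_dexter_post_shape(body):
        reasons.append("post_signature")
    return reasons


def scan_proxy_log(lines) -> list[dict]:
    """One alert per matching line, keyed by the internal client to triage."""
    alerts = []
    for line in lines:
        reasons = classify_request(line)
        if reasons:
            alerts.append({"client": line.split("|", 2)[1], "reasons": reasons})
    return alerts


def scan_file_inventory(entries) -> list[str]:
    """Paths whose MD5 matches one of the published Dexter samples."""
    return [path for path, md5 in entries if md5.lower() in DEXTER_MD5S]


if __name__ == "__main__":
    for alert in scan_proxy_log(PROXY_LOG):
        print(alert)
    print(scan_file_inventory(FILE_INVENTORY))
```

Two points follow from the comments above: blocking the IP ranges at the firewall stops exfiltration but does not tell you which register is infected, so the proxy-log match should drive host triage rather than replace it; and a hit on the sinkholed address is still an infection, not a false positive. The hash match is the weakest of the three checks, since a recompiled sample changes its MD5, which is why the commenters also asked for fuzzy hashes and network signatures.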
Only last week I purchased EPOS software for my restaurant. EPOS software continues to extend into markets across the UK and is also available internationally, serving customers in the US, Australia, Southeast Asia, the Middle East and the Caribbean.
UK point of sale
Why don’t I see any updated news about DEXTER lately? Was it just dismissed as (Zeus/Zbot variant)? My AV company didn’t assure me they stop something called ‘DEXTER’. Any advice / direction appreciated.
Thanks,
-Chris
Is there any possibility of online transactions?
thanks
Cybercriminals always find a way to make a move and take advantage of holiday seasons when people tend to splurge money on shopping. This is a very alarming case for shops and retailers since they can be considered as victims. Good thing there are available applications and solutions with which they could protect their systems.
Nice blog! Thanks for sharing! I want more information about it.
POS System
And how do they obtain the card key?