Security Researchers from Cyberbit have discovered a new malware injection technique being used by a variant of Flokibot malware named LockPoS.
A Point of Sale (PoS) malware is a malicious application that steals credit card data from the memory of computers connected to credit card equipment. Once infected the system, the LockPoS malware tries to gain access and read the memory of the current process in use and begin to search for data that have the pattern of credit card information to send to its command and control server.
“Cyberbit malware researchers recently discovered a stealthy new malware injection technique being used by LockPoS that appears to be a new variant of that used by Flokibot.” reads the analysis published by CyberBit.
“LockPoS is a Point-of-Sale (PoS) malware that steals credit card data from the memory of computers attached to point of sale credit card scanners. LockPos reads the memory of currently running processes on the system, searching for data that looks like credit card information and then sends them to the C&C.”
The same botnet associated with the propagation of Flokibot is being used by LockPoS and its source code have some similarities. In that regard, it is important to notice that the malware has some stages to unpack and decryption with different techniques and routines to call the API for injection-related with Flokibot.
There are three main routines used by PoS malware discovered by CyberBit to inject code in the remote process: NtCreateSection, NtMapViewOfSection, and NtCreateThreadEx. A core dll file native to Windows System, ntdll.dll, is used in the injection technique. The routines related with ntdll that have a “NT” prefix are associated with Windows API that separates user space from kernel space. The injection technique involves the creation of a section object in the kernel with the use of NtCreateSection to call NtMapViewOfSection as a map to view the section in other process and then copy the code into the section and create a remote thread by using NtCreateThreadEx or CreateRemoteThread to execute the code.
Once a routine from ntdll is called the hexadecimal value of the system call is copied to the EAX register, where a instruction is called to make the thread jump to the kernel mode. The kernel then executes the routine based on the value of EAX register. The parameters from the user stack are copied to the kernel stack and executed.
The malware does not call the routines from ntdll to inject code avoiding Anti Virus detection, instead, it maps the routines from ntdll on the disk to its own virtual address space. By doing so the malware maintains a clean copy of dll that is not detected by anti-virus software.
Also, as Cyberbit researchers noticed, a call to NtMapViewOfSection is handled by the malware for the process of explorer.exe.
“One LockPoS malware injection technique involves creating a section object in the kernel using NtCreateSection, calling NtMapViewOfSection to map a view of that section into another process, copying code into that section and creating a remote thread using NtCreateThreadEx or CreateRemoteThread to execute the mapped code.” continues the analysis.
The security researchers report also notice that improving memory analysis is the only effective way to detection since Windows 10 kernel functions can’t be monitored.
About the author Luis Nakamoto
Luis Nakamoto is a Computer Science student of Cryptology and a enthusiastic of information security having participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. Also a prolific and compulsive writer participating as a Redactor to Portal Tic from Sebrae Nacional.
(Security Affairs – PoS malware, cybercrime)