{ "type": "bundle", "id": "bundle--570982d2-f5bc-47e9-9b25-297702de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-09T22:36:17.000Z", "modified": "2016-04-09T22:36:17.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--570982d2-f5bc-47e9-9b25-297702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-09T22:36:17.000Z", "modified": "2016-04-09T22:36:17.000Z", "name": "OSINT - ModPOS: A Framework Lurking in Point-of-Sale System Kernels", "published": "2016-04-09T22:36:29Z", "object_refs": [ "observed-data--570982f0-89b8-430c-9882-297f02de0b81", "url--570982f0-89b8-430c-9882-297f02de0b81", "x-misp-attribute--57098301-f488-4ac6-8806-297802de0b81", "indicator--57098322-d684-4142-82d1-39e802de0b81", "indicator--57098323-6168-4d41-b312-39e802de0b81", "indicator--570983c8-5140-4be6-b915-297e02de0b81", "indicator--570983e1-5af0-45b0-97dc-39e902de0b81", "indicator--570983e1-9308-4e15-8828-39e902de0b81", "observed-data--570983e2-3f88-44a0-8df6-39e902de0b81", "url--570983e2-3f88-44a0-8df6-39e902de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--570982f0-89b8-430c-9882-297f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-09T22:32:16.000Z", "modified": "2016-04-09T22:32:16.000Z", "first_observed": "2016-04-09T22:32:16Z", "last_observed": "2016-04-09T22:32:16Z", "number_observed": 1, "object_refs": [ "url--570982f0-89b8-430c-9882-297f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--570982f0-89b8-430c-9882-297f02de0b81", "value": 
"http://labs.lastline.com/modpos-a-framework-lurking-in-point-of-sale-system-kernels" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--57098301-f488-4ac6-8806-297802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-09T22:32:33.000Z", "modified": "2016-04-09T22:32:33.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Diving deeply into the ModPOS malware framework using sandbox process snapshotting\r\n\r\nPoint-of-sale (POS) systems are amongst the most valuable targets for attackers today: with direct access to systems processing payment information, miscreants are able to circumvent any encryption between point-of-sale devices and the payment processor, allowing them to spy on - or even tamper with - sensitive payment information.\r\n\r\nWith ModPOS, malware authors have developed a system that not only compromises payment processes at the origin device, but, at the same time, does so from the kernel of these systems, well outside the reach of most security solutions.\r\n\r\nAs we will describe in this post, the ModPOS malware is much more than a system for compromising POS systems: it is a versatile framework that allows an attacker to leverage a practically unlimited range of tools to interfere with a compromised system. Even more, this malware works on any 32-bit Microsoft Windows system (many POS systems on the market today are still running on Microsoft Windows XP), which allows this malware to be used on more than just POS systems.\r\n\r\nBy leveraging process snapshots extracted by the Lastline FUSE sandbox, we walk through the most important parts of this versatile framework. 
We will show in detail how the infection spreads through the entire operating system, and how the attackers behind ModPOS can leverage the framework to load arbitrary plugins into user- and kernel-space of an infected system." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57098322-d684-4142-82d1-39e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-09T22:33:06.000Z", "modified": "2016-04-09T22:33:06.000Z", "description": "The variant that we analyzed for this blog uses an HTTP POST to request the page \"/robots.txt\" from the following IPs. Note: this pattern matches on destination IP only; the HTTP POST to /robots.txt is not encoded in it, so any traffic to this address will match. The address comes from the original analysis and may have been reassigned since; validate before blocking.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '130.0.237.22']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-09T22:33:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57098323-6168-4d41-b312-39e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-09T22:33:07.000Z", "modified": "2016-04-09T22:33:07.000Z", "description": "The variant that we analyzed for this blog uses an HTTP POST to request the page \"/robots.txt\" from the following IPs. Note: this pattern matches on destination IP only; the HTTP POST to /robots.txt is not encoded in it, so any traffic to this address will match. The address comes from the original analysis and may have been reassigned since; validate before blocking.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '109.72.149.42']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-09T22:33:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570983c8-5140-4be6-b915-297e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2016-04-09T22:35:52.000Z", "modified": "2016-04-09T22:35:52.000Z", "pattern": "[file:hashes.MD5 = 'cf446e1d423afb9933b211d28d3ea33a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-09T22:35:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570983e1-5af0-45b0-97dc-39e902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-09T22:36:17.000Z", "modified": "2016-04-09T22:36:17.000Z", "description": "- Xchecked via VT: cf446e1d423afb9933b211d28d3ea33a", "pattern": "[file:hashes.SHA256 = '2aa35ae062f83248585b924dd668ed0a1a3089550a772900789b0feba1a923bb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-09T22:36:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570983e1-9308-4e15-8828-39e902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-09T22:36:17.000Z", "modified": "2016-04-09T22:36:17.000Z", "description": "- Xchecked via VT: cf446e1d423afb9933b211d28d3ea33a", "pattern": "[file:hashes.SHA1 = '36951f140723ef6a51bdff5d6da4eca8734bf24c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-09T22:36:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--570983e2-3f88-44a0-8df6-39e902de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-09T22:36:18.000Z", "modified": "2016-04-09T22:36:18.000Z", "first_observed": "2016-04-09T22:36:18Z", "last_observed": "2016-04-09T22:36:18Z", "number_observed": 1, "object_refs": [ "url--570983e2-3f88-44a0-8df6-39e902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--570983e2-3f88-44a0-8df6-39e902de0b81", "value": "https://www.virustotal.com/file/2aa35ae062f83248585b924dd668ed0a1a3089550a772900789b0feba1a923bb/analysis/1449594049/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }