Minimalist Alina PoS Variant Starts Using SSL

More than four years ago, we published a series of blogs discussing in-depth analysis of Alina Point of Sale (PoS) malware. And for the past four years, it is interesting to see how different iterations of Alina POS malware keeppopping up. We recently came across another modified version of this malware and it came as no surprise that it shared the same codebase with the source code that was leaked years ago. This particular variant was modified to the bare minimum - stripping off rootkit capability, process injection, use of named-pipe and mutex, and use of minimal C&C commands. This variant is so stripped down it also got rid of using version numbers and aliases.

Exfiltration through SSL

Unlike previous Alina variants that had been using a plain HTTP POST to exfiltrate credit card data, this variant had added a layer of encryption by sending POST data through a SSL tunnel.

Port443

Stolen credit card data are first obfuscated by utilizing a legacy XOR scheme previously found in Alina version 5.x (discussed in this blog).

Xor

Then data is tunneled through a POST request using SSL3 with the following flag options:

INTERNET_FLAG_SECURE
INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
INTERNET_FLAG_IGNORE_CERT_CN_INVALID

SSL_Flags

It is interesting, however, that when downloading an executable file update, this variant still uses a plain old HTTP POST request through port 80 to do so.

Port80

I would say, "fair enough", file updates are not that sensitive unlike stolen credit card data. I hope you would agree with that one!

Minimalistic set of C&C commands

This variant only recognizes three C&C commands:

Command

Description

update=<url>

malware update

dlex=<url>

download and execute file

chk=<crc checksum>

update file checksum

It got rid of the following commands for setting the following configuration below that were previously found in the older variants:

updateinterval=<integer>: Change interval between update requests
cardinterval=<integer> : Change interval between card exfiltration
log=1 : Enable logging
log=0 : Disable logging

Perhaps the attacker didn't have intention of changing the settings on-the-fly and just set hardcoded values in the malware code.

Settings2

Blacklists

It seems every new Alina variant includes an updated blacklist of processes that are not scraped for credit card data. This version takes the same blacklist from Alina 5.x versions and adds additional applications to the list:

From Alina 5.x:

explorer.exe
chrome.exe
firefox.exe
iexplore.exe
svchost.exe
smss.exe
csrss.exe
wininit.exe
steam.exe
devenv.exe
thunderbird.exe
skype.exe
pidgin.exe
services.exe
dwm.exe
dllhost.exe
jusched.exe
jucheck.exe
lsass.exe
winlogon.exe
alg.exe
wscntfy.exe
taskmgr.exe
spoolsv.exe
QML.exe
AKW.exe

Additional process names added:

OneDrive.exe
VsHub.exe
Microsoft.VsHub.Server.HttpHost.exe
vcpkgsrv.exe

Logging of scraped credit card data

This variant creates a file named "wshelper.cache.dll" in the current directory where it logs scraped credit card data in plain text.

Logcode

We can add that dumping plain text CC details to a file is a naïve move on the part of the attackers and could serve as a strong IOC for the defenders.

LogCCe

Installation and Persistence

Unlike previous versions, this variant register itself as a service with the following details. The installation can be invoked by the command line option "install"

Service name: WinErrSvc
Display name: Windows Error Reporting Service Log
Description: Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services. If this service is stopped, error reporting might not work correctly and results of diagnostic services and repairs might not be displayed.
Path to executable: <malware path>

To reverse the installation, it can be removed by the command line parameter "uninstall" and can be restarted with the option "restart".

Install

Conclusion:

Perhaps one of the reason why we keep seeing new variants of Alina POS is the accessibility of its source code and it is freely available to anyone. It will be no surprise if we see another version of it in the future either stripped or with more improvements.

Even though the addition of SSL capability for credit card exfiltration makes it a little bit harder for defenders to detect Alina's network activity, some other aspect of it are easily detectable including downloading of executable files in plain HTTP. We've listed indicators below to help incident response detect it.

IOC:

File/FolderDescriptionSHA1

C:\Windows\System32\config\systemprofile\AppData\Roaming\ntkrnl
copy of itself encrypted with RC4 with the key "123456"6fe0e91b2c96c7233dd1cdfc3ac30aa5a57a8fd6
C:\Windows\System32\config\systemprofile\AppData\Roaming\Installedfolder
wnhelp.exemain malware executable713f68e8f30d37cb00d60414ce60fb3f6d645946
wshelper.cache.dlllog file for credit card data

Registry key:

HKEY_LOCAL_MACHINE\Software\CurrentControlSet\services\WinErrSvc
HKEY_CURRENT_USERS\Software\Microsoft\Windows\CurrentVersion value:identifier

Exfiltration URL:

www[.]sagdao[.]com/wp555/gate1.php

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.