Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

How Antivirus Saved the Day…Sort of.

Recently, I found myself in a common situation—helping a comrade in our Incident Response division on an ongoing forensic investigation. The information provided was simple, as two pieces of malware were discovered on a point of sale device, and at least one of them was grabbing track data(cardholder data) on the infected system. What started as a somewhat typical reverse engineering engagement quickly transpired into an interesting and unusual scenario where I found myself relying on assistance from antivirus software in an unexpected way. And so our story begins…

So let's paint the picture for everyone. As mentioned earlier, I was given two pieces of suspect malware that were identified by Incident Response. One sample was very straightforward, as it appeared to be a variant of the popular Sality Trojan family. I didn't even have to dig into the file to find out, as there are a number of A/V detections already in place. So what's Sality you ask? Well, it's a quite old piece of malware for one. Some reports date it back to as far as 2003. It has a number of capabilities, but  certainly it's most known is the ability to infect other PE files on the system. Specifically, Sality has the ability to infect other EXEs and SCRs(Screensaver files). This file, as expected, dumps a library file (DLL) to the system32 directory, and proceeds to load it with a specific function name.

We can see below a snippet of what I mean, as pretty much every A/V in existence has detections in place for this family:


* Please note the list above is not all-inclusive, and I'm sure there are many other vendors with detections in place.

So as it happens, I did end up digging into it because I thought the sample was cool, but the point remains that this malware wasn't something that should be considered part of a targeted attack on a point of sale system. This is more of the type of malware you'd expect to see on your Aunt Sally's computer after she went to some link she saw in an email.

So it looks like I have a pretty good handle on that particular sample. Certainly malicious, but nothing inside led me to believe that this sample was targeting track data on the victim. That leads me to sample #2.

This sample, unlike #1, wasn't as straightforward as previously hoped. It had roughly the same number of detections by A/V, all of which indicated that this malware was Sality, just like the first piece of malware. What was unusual about this sample was the fact that it looked nothing like #1. Typically, if it's a variant of a malware family, you're going to see some evidence of similarity. In this case, very little "likeness" was seen in this sample when comparing it to the first one. That being said, there was one thing that this malware shared with the first one, both samples dropped the same library file (DLL) in the system32 directory, and proceeded to load it with a specific export name during runtime. Other than that, however, these samples were very distinct.

One thing that made sample #2 so unique is that it included evidence that it was malware that targeted track data, which was great news. The problem? Sality was never known to target track data. This, initially, left me scratching my head. My brain began racing to a number of crazy situations—Did I just discover a brand new variant that targets banking data? Perhaps the author was able to get his/her hands on the Sality source code and was making modifications for a targeted attack against this client?

Alas, the answer, as is often found in life, was much more simple. Further inspection of these samples revealed that the second piece of malware (the one targeted track data), had an added section (named 'sr data'),with some obfuscated data:


Remember how I said earlier that the Sality family of malware infected other samples? Well, guess what—That's exactly what happened. In some strange coincidence, both the banking malware and Sality wound up infecting this system. The banking malware was most likely the result of a more targeted attack, whereas Sality probably wound up getting placed on there via a more automated method. Perhaps someone was using this box to browse the web, or perhaps another system on the network infected it. It's hard to say for sure.  The funny thing is, once Sality got its hands on the system, it proceeded to infect this banking malware along with everything else. So what we are left with is malware that is infected with other malware.


Armed with this information, I was able to use one of the many antivirus products at my disposal (went with Kaspersky, but really most of them would have been sufficient) and proceeded to 'disinfect' my malware, leaving me with wonderful, non-modified …malware. At this point, I was able to take this new sample and perform my analysis with much more ease. No more broken assembly, and no more random PE sections in the file. This 'clean' malware was no longer caught by any antivirus product I had access to, which left me feeling a bit underwhelmed. I was glad to accept assistance in the disinfection process, but saddened that this new piece of malware was not caught. But that's life—you win some and you lose some. Overall, this was a pretty strange situation to find malware battling it out on the infected system. And with that, I leave you with an XKCD comic.



Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More