Dexter – Draining blood out of Point of Sales

Filed under Research Lab.


The holiday season is here and with it comes a rise in credit card use. Cybercriminals know this and have been infecting consumer PCs with information-stealing trojans for years. Recently, however, Seculert identified a growing trend whereby cybercriminals are targeting Point of Sale (POS) systems. Instead of going through the trouble of infecting tens of thousands of consumer PCs or physically installing a skimmer, an attacker can achieve the same results by targeting just a few POS systems with specially crafted malware. Dexter is one example of such malware.

Dexter is custom-made malware that has been used over the past 2-3 months to infect hundreds of POS systems. Some of the targeted POS systems belong to big-name retailers, hotels, restaurants and even private parking providers. The name Dexter comes from a string found in one of the malware-related files and in its Track 1 / Track 2 online parsing tool (See Figure 1).


Figure 1: Dexter’s Track 1 / Track 2 online parsing tool

The POS systems targeted by Dexter are located in 40 different countries worldwide. 42 percent of the POS systems are located in North America, while 19 percent are located in the United Kingdom (See Figure 2).


Figure 2: Dexter targeted POS systems by country

Dexter steals the process list from the infected machine and parses memory dumps of specific POS software related processes, looking for Track 1 / Track 2 credit card data. This data will most likely be used by cybercriminals to clone the credit cards that were used in the targeted POS system (see cloning demo video here).

How the POS systems are being targeted is not yet known for sure, but by observing the administration panel of Dexter (See Figure 3), Seculert was able to identify that over 30 percent of the targeted POS systems were running Windows Server (See Figure 4). This is an unusual number for regular “web-based social engineering” or “drive-by download” infection methods.


Figure 3: Dexter targeted POS system administration panel

Figure 4: Dexter targeted POS systems by operating system

The following are MD5s of Dexter related malware samples:
2d48e927cdf97413523e315ed00c90ab
70feec581cd97454a74a0d7c1d3183d1
f84599376e35dbe1b33945b64e1ec6ab
ed783ccea631bde958ac64185ca6e6b6





18 thoughts on “Dexter – Draining blood out of Point of Sales”

  1. Keydet89

    Are the targeted systems POS devices, or back office servers?

    I ask, as when I was performing these types of exams, we found RAM scrapers on the back office server…the actual POS devices themselves didn’t run Windows.

    If the POS devices are what’s being compromised, that’s interesting…many smaller organizations may have many POS devices, but only one back office server.

    How would you think that the bad guy is gaining access to the POS device?

  2. NetDef

    Would there be any mitigating value in blocking the C and C servers at the IP level on firewalls? If so, would you be willing to post the range we should block?

  3. Anonymous

    From user names in the screenshots, I see at least one compromised machine that appears to be running Micros POS software. Does Dexter appear to be targeting any particular vendor(s) of POS software? Skipping over any major ones?

    Do the targeted companies appear to be small shops that would tend to have POS software on their main (only?) computer, or larger chain merchants with infected back-of-house computers? Mix of both?

  4. Anonymous

    Micros doesn’t run on Home Server, or isn’t supported? You’re assuming the attacker did a good job determining the OS on target machines.

  5. Adam

    I’d love to find out some more about this malware. The hashes are good, as companies should have measures in place to scan systems for specific file hashes but as far as an initial infection vector or post-infection network traffic, is there any more information?

    Snort rules? Samples? IP addresses involved? I think with something that appears to be rather wide-spread, publishing IOCs would be a very noble move ;-)

  6. MattNetHood

    I played around for a minute with Snort, and this seems to detect it based on the post payload.

    alert tcp any any -> any any (msg:"Dexter POS Infostealer"; flow:to_server,established; pcre:"/page=.*&unm=.*&cnm=.*&query=.*&spec=.*&view=.*/"; sid:123456789; rev:1;)

    My tests came up with the target IP: 193.107.17.126

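Added here as an example, not from the post or the commenter: the same six-field beacon signature applied in Python to constructed proxy log lines, matching the field set rather than a fixed field order, so a reordered request is still flagged. The log format and host names are assumptions.

```python
import re
from urllib.parse import parse_qs

# Request fields the Snort rule above keys on; matched as a set, not a fixed order.
DEXTER_FIELDS = {"page", "unm", "cnm", "query", "spec", "view"}

# Assumed proxy log format: <timestamp> <client ip> <method> <url> "<request body>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<body>[^"]*)"$'
)


def is_dexter_beacon(body: str) -> bool:
    """True when the form-encoded body carries every field of the beacon signature."""
    fields = set(parse_qs(body, keep_blank_values=True))
    return DEXTER_FIELDS <= fields


def scan_log(lines) -> list:
    """Return (timestamp, client, url) for each POST whose body matches the signature."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m and m["method"] == "POST" and is_dexter_beacon(m["body"]):
            alerts.append((m["ts"], m["src"], m["url"]))
    return alerts


# Constructed proxy log lines: two beacons (the second with reordered fields) and
# one ordinary web-shop request that shares some field names but not all of them.
SAMPLE_LOG = [
    '2012-12-11T10:15:22Z 10.0.0.15 POST http://c2.example.invalid/gateway/ '
    '"page=a1b2&unm=pos-user&cnm=POS-LANE1&query=&spec=win7&view=0"',
    '2012-12-11T10:15:40Z 10.0.0.16 POST http://c2.example.invalid/gateway/ '
    '"view=0&spec=srv2008&query=&cnm=BACKOFFICE&unm=admin&page=c3d4"',
    '2012-12-11T10:16:02Z 10.0.0.20 POST http://shop.example.invalid/search '
    '"query=shoes&page=2&view=grid"',
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print("Dexter-like beacon:", a)
```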
  7. Anonymous

    I was provided these addresses as offending addresses by a PCI cert agency…


    1. Anonymous

      176.31.62.77 = 176-31-62-77.this.domain.has.been.sinkholed.by.zinkhole.org

      At least one from the list is a sinkhole.

  8. .

    Only last week I purchased EPOS software for my restaurant. EPOS software continues to extend into markets across the UK and is also available internationally, serving customers in the US, Australia, Southeast Asia, the Middle East and the Caribbean.

    UK point of sale

  9. Anonymous

    Why don’t I see any updated news about DEXTER lately? Was it just dismissed as (Zeus/Zbot variant)? My AV company didn’t assure me they stop something called ‘DEXTER’. Any advice / direction appreciated.
    Thanks,
    -Chris

  10. Amber Rice

    Cybercriminals always find a way to make a move and take advantage of holiday seasons, when people tend to splurge money on shopping. This is a very alarming case for shops and retailers since they can be considered victims. Good thing there are applications and solutions available with which they can protect their systems.

  11. Pingback: Small businesses beware! Point-of-sale malware is after you | Naked Security
