A new investigation by the Cylance Consulting Services team has uncovered a new variant of the RawPOS malware, which is regarded as one of the earliest pieces of malware that targets payment card data.
Announced by Brad Arndt, threat research manager at Cylance, this family of POS malware has been widely documented to be in operation since 2008. Numerous retail operations of various sizes have been compromised with this malware and its variants.
According to Cylance, the new variant is a rehash of old malware, and one of the ways it evaded detection was by presenting a different signature to antivirus products. The variant of RawPOS found by Cylance “is only slightly updated”.
In a blog post, Arndt explains that: “poorly-written signatures give people a false sense of security. This ‘antivirus is dead’ argument is often presented, but with little technical detail to highlight specifically why this is the case.”
Because of this, Cylance says the RawPOS variant went undetected for well over 30 days by another antivirus vendor. By the time the vendor deployed custom DAT files, Cylance boasted the only samples identified were in the quarantine directory of its own product.
The malware has an updated naming scheme for where it places the dumped memory files. It also removes the “help” text from the binary. “As of writing, this file was undetected by the legacy AV vendor displaced in this instance,” said Arndt.
It has even removed some functionality, “which is rare considering developers code to add features,” said Arndt. The big question is, “why would a malware author remove code from their newer variant? This is most likely an attempt to evade signatures, as evidenced on the code areas that changed.”
The effort required to evade these signatures, which were built on string literals, is rather low. Changing the number of prints used in 40146E (old variant), removing the help banner, and some simple string manipulation was all that was required to evade them.
The second open source signature has the right idea: it uses $_main to generate a signature from the function that performs the time-check, a behaviour that has not changed. It still misses the mark, however, because the function's code has changed; the signature needs adjustment to catch this version, which still performs the time-check.
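To make the point about signature brittleness concrete, here is an added illustration that is not part of the Cylance write-up: two constructed byte strings stand in for an old and a new build (they are not RawPOS bytes), and a string-literal signature is compared with an opcode-pattern signature that masks immediates, the way a signature keyed on an unchanged function rather than on removable strings would.

```python
import re

# Constructed stand-in for the "old variant": a small code stub followed by
# the strings a string-literal signature would key on. Not real malware bytes.
OLD_SAMPLE = (
    b"\x55\x8b\xec\x83\xec\x10"       # push ebp; mov ebp,esp; sub esp,0x10 (prologue)
    b"\xb8\x10\x0e\x00\x00"           # mov eax, imm32 (constructed interval constant)
    b"\xe8\x00\x00\x00\x00"           # call rel32 (constructed)
    b"Usage: tool [options]\x00"      # help banner present in the old build (constructed)
    b"dump_%d.bin\x00"                # output file naming scheme (constructed)
)

# Constructed stand-in for the "new variant": same code shape, different
# immediate, help banner removed, output naming scheme changed.
NEW_SAMPLE = (
    b"\x55\x8b\xec\x83\xec\x10"
    b"\xb8\x20\x1c\x00\x00"           # same instruction, different immediate
    b"\xe8\x00\x00\x00\x00"
    b"mem_%02d.dat\x00"               # renamed output, banner gone
)

# Signature 1: string literals, as in the open-source rules discussed above.
STRING_SIG = [b"Usage: tool", b"dump_%d.bin"]

# Signature 2: opcode pattern over the function body with every immediate
# and relative offset wildcarded, so only the instruction skeleton must match.
CODE_SIG = re.compile(rb"\x55\x8b\xec\x83\xec.\xb8....\xe8....", re.DOTALL)


def string_signature_hits(sample: bytes) -> bool:
    """True only if every literal in the string signature is present."""
    return all(literal in sample for literal in STRING_SIG)


def code_signature_hits(sample: bytes) -> bool:
    """True if the masked opcode skeleton is found anywhere in the sample."""
    return CODE_SIG.search(sample) is not None


def compare(sample: bytes) -> dict:
    """Report both verdicts for one sample, for a side-by-side view."""
    return {"strings": string_signature_hits(sample),
            "code": code_signature_hits(sample)}


if __name__ == "__main__":
    print("old:", compare(OLD_SAMPLE))   # both signatures fire
    print("new:", compare(NEW_SAMPLE))   # only the code signature fires
```

Removing the banner and renaming the output file defeats the string-literal rule outright, while the masked opcode pattern survives the changed immediate; a real rule (for example in YARA) would be built the same way from the unchanged function's instruction bytes.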
Arndt pontificated that, “analysis shows how little effort has to be invested to bypass signature-based technologies. This shows that malware with roughly the same functional capabilities can adopt minor tweaks and evade legacy AV vendors.”
He concluded: “Relying on signature-based detection mechanisms as a core component of your security stack can lull one into a false sense of security. The alerts will be generated on variants that are known/documented and won't be future-proofed for any similar familial variants post signature deployment. The level of development effort that this author had to commit to avoid this signature has been shown to be pretty low.”