GamaPoS - .NET PoS Malware In the Wild

By Hong Kei Chan | July 20, 2015

GamaPoS has received a fair amount of attention since its discovery, in part because the use of .NET is (currently) unique among PoS malware and in part because it leverages the versatile Andromeda botnet. At its core, though, GamaPoS is a scraper designed to steal payment data from the RAM of PoS systems. 

GamaPoS is the first documented PoS malware to be written in .NET. Writing malware in .NET has advantages and disadvantages, both for authors and for researchers. The most obvious benefit for its authors is that it is quicker to develop; the trade-off is that the binaries are much easier to disassemble.

The use of .NET has other implications as well. There are open source tools, such as ILSpy, that can decompile the executable into readable source code. This can be quite concerning, as it makes it very simple for "kiddies" to disassemble the malware and create new variants of it.

To prevent GamaPoS from being easily disassembled, a number of the samples were obfuscated using open source software such as ConfuserEx v.0.3.0. This report is a short analysis of the functions of GamaPoS: the C&C communication and the scraper.

Using ILSpy we can decompile the .NET executable and view the Classes and namespaces.

Under the namespace 'core', we can already observe a number of Classes related to a PoS malware.  

GamaPoS begins execution by establishing persistence on the infected host. The persistence techniques include dropping a copy of itself to the following location and creating an autorun registry entry:

  • %AppData%\Intel Wired Network Adapter\conhost.exe

Once persistence has been set up, the functions typical to most PoS malware can run:

  1. Adjust SeDebugPrivileges - Gain access to system-level processes
  2. Read Process Memory
  3. Pass the memory through Track 2 scraper
  4. Deliver stolen credit cards to C&C server

Credit Card Parser
There are various techniques that can be used to scrape process memory for Track 2 data. Scrapers can either use regular expressions or use a custom method. GamaPoS uses a custom method similar to what we have seen in Backoff malware and JackPoS. GamaPoS will first search for Track 2's begin sentinel ';' and then check the first couple of digits (IIN), which are associated with a number of the larger credit card issuers.

  1. 1800 - JCB
  2. 2131 - JCB
  3. 34,37 - American Express
  4. 4 - Visa
  5. 51-55 - MasterCard
  6. 6011, 65 - Discover Card

The above figure is a snippet of the code that checks for digits between 51-55 and sets the credit card number length.

Along with filtering for only the credit cards issued by the above-mentioned issuers, GamaPoS will also check for a valid expiration date that comes after the field separator '='/'D'/'d'. The service code and the end sentinel are the last things to be checked before the credit card data is written to file. It is interesting to note that unlike most PoS malware we've seen in the past, GamaPoS does not add a Luhn check on the primary account numbers.

GamaPoS will write all stolen credit card information to a text file stored in the current working directory where the filename is the host's MAC address.
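A defender-side hunting sketch for the host artifacts described above: the fake conhost.exe under %AppData%\Intel Wired Network Adapter, its autorun entry, and the MAC-named dump file. This is an added example, not code from the original analysis; the events are constructed Sysmon-style records, and the MAC file-name format (12 hex digits, optional dashes, optional .txt), the user name and the registry key placeholder are assumptions.

```python
import re
from pathlib import PureWindowsPath

# conhost.exe legitimately lives only in these directories.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
DROP_DIR = "intel wired network adapter"  # drop folder named in the article
# Assumption: MAC rendered as 12 hex digits, optional '-' separators, optional .txt
MAC_FILE = re.compile(r"^(?:[0-9a-f]{2}-?){5}[0-9a-f]{2}(?:\.txt)?$", re.I)

def fake_conhost(path):
    """Return a reason if path names a conhost.exe outside the system dirs."""
    p = PureWindowsPath(path.strip('"'))
    if p.name.lower() != "conhost.exe" or str(p.parent).lower() in SYSTEM_DIRS:
        return None
    if p.parent.name.lower() == DROP_DIR:
        return "conhost.exe in GamaPoS drop folder"
    return "conhost.exe outside system directory"

def triage(event):
    """Map one Sysmon-style event (1=process, 11=file, 13=registry) to findings."""
    eid, findings = event.get("EventID"), []
    if eid == 1 and (why := fake_conhost(event.get("Image", ""))):
        findings.append(("process", why))
    elif eid == 11:
        target = event.get("TargetFilename", "")
        if why := fake_conhost(target):
            findings.append(("file", why))
        if MAC_FILE.match(PureWindowsPath(target).name):
            findings.append(("file", "file named after a MAC address"))
    elif eid == 13 and (why := fake_conhost(event.get("Details", ""))):
        findings.append(("autorun", why))
    return findings

def hunt(events):
    """Return (event index, artifact kind, reason) for every finding."""
    return [(i, kind, why) for i, e in enumerate(events) for kind, why in triage(e)]

# Constructed sample events; user name, MAC and registry key are placeholders.
APPDATA = r"C:\Users\pos\AppData\Roaming\Intel Wired Network Adapter"
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe"},
    {"EventID": 11, "TargetFilename": APPDATA + r"\conhost.exe"},
    {"EventID": 13, "TargetObject": "<autorun key, not given in the article>",
     "Details": '"' + APPDATA + r'\conhost.exe"'},
    {"EventID": 1, "Image": APPDATA + r"\conhost.exe"},
    {"EventID": 11, "TargetFilename": APPDATA + r"\001A2B3C4D5E.txt"},
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

The MAC-named file check is a weak signal on its own; it is most useful when it fires on the same host as one of the conhost.exe findings.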

C&C Communication
GamaPoS uses SSL to communicate with the C&C server. GamaPoS will first check for a live C&C server by cycling through a hardcoded list of control panels. The following is a snippet of the code that is responsible for selecting a live control panel with which the infected host will communicate.

The following snippet of code is responsible for checking in or sending stolen credit card information to the C&C server. As we can see, along with the infected host's MAC address, track 1 and track 2 parameters are also present. 

As track 1 has a more complex structure, but is not absolutely necessary in creating a duplicate card, the malware authors have opted to scrape and send only track 2 data.

GamaPoS is able to receive and execute 3 commands issued by the control panel. The commands are basic and received in the response from the server each time the bot checks in or uploads stolen credit card data.

  1. "exec" - download file to %Temp% and execute
  2. "update" - update own binary
  3. "kill" - Remove the autorun registry, kill running process

As you can see, the function of GamaPoS is not especially novel. What is novel is the use of .NET to develop the malware. The use of .NET means that it should be even easier for cybercriminals to develop new variants. We'll be watching closely to see how this threat evolves.
