STOP WME.exe Point of Sale Malware using Symantec CSP


What you need to know…

The US-CERT Malware Analysis Report published 17 March, 2016 provides specifics on a new piece of malware circulating in the wild. This malware harvests LogMeIn credential data, then targets a specific, in-use Point of Sale application process and performs memory scraping against it in an effort to harvest customer credit card information, which is then exfiltrated (via DNS query) to the attackers' command and control (C2) server for retrieval. The basic workflow for this malware is as follows:

[Figure: MalwareProcess1, diagram of the malware workflow described above]

At the time of publication, traditional detection and identification methods, including signature-based anti-malware applications, lacked sufficient data to adequately prevent the propagation or execution of this threat. Additionally, the malware was digitally signed in an effort to circumvent security controls based on process signature validation; this signature has since been revoked. While this threat is one specific example, its visibility raises the question of how best to protect against activity of this nature, in particular with regard to systems which are both sensitive in nature AND which often present limited facilities for centralized management and control.

Considerations

This malware was written to target a specific Point of Sale application with the intent of harvesting customer credit card data and then exfiltrating that data to the attackers' Command and Control server by means of a ubiquitous and commonly used channel (DNS). Due to the tailored nature of the threat, coupled with the inherent factors of its intended target environment, several unique considerations become significant factors in positioning a countermeasure. These include:

- The malware, at time of publication, was poorly represented in traditional AV signatures. This greatly reduces the effectiveness of signature-based malware detection as a preventative control.

- The target environments typically reside on isolated and/or fragmented networks, reducing the means of centrally monitoring and managing their security posture and disposition.

- The target application handles highly sensitive (PCI) data that also provides direct financial value to the attacker. This implies not only that persistence in delivering the malware is warranted, but also that the malware is likely to keep evolving in order to evade detection mechanisms that trail behind it.

Taken together, these factors create a situation where the attacker is financially motivated to ensure malware delivery, and is also motivated to ensure that successive generations of the malware follow, to evade detection and containment mechanisms. Additionally, the nature of the target environments potentially leaves them very difficult to actively monitor and track effectively, despite their high value and sensitive nature. An ideal solution to this scenario is one which provides an effectively insurmountable security control, which does not require continuous management, and which addresses and preserves the trust state of the environment as a whole.
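As an added illustration of the detection side (this is not part of the original article, nor code from the vendor or product it discusses), the following Python script scans constructed DNS resolver log lines for the trace an exfiltration channel like the one described above would leave: repeated queries from one client whose leftmost label is long and high-entropy, all under one registrable domain. The log format, the thresholds, the hostnames and the addresses are all assumptions made for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not real traffic). Assumed format:
# "<timestamp> <client_ip> <query_name> <qtype>", one query per line.
SAMPLE_LOG = """\
2016-03-17T10:01:02 10.0.5.21 pos-update.example-vendor.test A
2016-03-17T10:01:05 10.0.5.21 time.example-ntp.test A
2016-03-17T10:02:11 10.0.5.21 4a7f9c2e1b3d8e6f0a9c7b5d3e1f2a4c.lookup.example-c2.test A
2016-03-17T10:02:12 10.0.5.21 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.lookup.example-c2.test A
2016-03-17T10:02:13 10.0.5.21 1f2e3d4c5b6a7980fedcba9876543210.lookup.example-c2.test A
2016-03-17T10:02:14 10.0.5.21 0123456789abcdef0123456789abcdef.lookup.example-c2.test A
2016-03-17T10:03:00 10.0.5.22 www.example-bank.test A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; hex-encoded payloads score near 4.0,
    ordinary host names score much lower."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype}


def registrable_domain(qname):
    # Approximation: the last two labels. A production detector would use the
    # public suffix list so that names like example.co.uk are grouped correctly.
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def leftmost_label(qname):
    return qname.split(".")[0]


def find_exfil_suspects(log_text, min_label_len=24, min_entropy=3.5, min_queries=3):
    """Return {(client, domain): [qnames]} for each client that sent at least
    min_queries long, high-entropy leftmost labels to the same registrable domain.
    Thresholds are assumptions; tune them against your own baseline traffic."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = leftmost_label(rec["qname"])
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            buckets[(rec["client"], registrable_domain(rec["qname"]))].append(rec["qname"])
    return {key: names for key, names in buckets.items() if len(names) >= min_queries}


if __name__ == "__main__":
    for (client, domain), names in find_exfil_suspects(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {len(names)} suspicious queries")
        for name in names:
            print("   ", name)
```

On the constructed log, the two benign clients' lookups fall under the label-length threshold and only the four hex-labelled queries to the one domain are grouped and reported. Grouping by client and registrable domain (rather than alerting per query) keeps the output actionable on a fragmented POS network where a handful of resolvers may be the only central vantage point.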

Countermeasures

The scenario outlined above can be addressed by a strategy which centers on establishment and preservation of asset trust.  Specifically, a security control is introduced which identifies the trusted processes which are authorized for execution on the asset, and which profiles the expected and acceptable activities undertaken by those trusted processes.  Any process or action which is not considered trusted under this dynamic is automatically denied upon request.  This has the effect of severely limiting the actions available to any potential attacker (to potentially none).

Examples of this technology, such as Symantec Embedded Security: Critical System Protection, can and will isolate each trusted process in a container (or Sandbox) and address the approved actions for each process specifically.  This allows for a great degree of granularity and control over the allowances, and in the case of a relatively static environment, such as is commonly found in POS stations, can be achieved with a minimum of recurring overhead, as the allowances and authorizations, once set, do not require change unless the system configuration is intentionally changed by the owners.  These applications are also optimized to run in a lightly managed state where needed, and can employ a hands-off approach for cases where central management is not feasible.

When we apply the previously described attack workflow to a control such as Symantec Embedded Security, we gain the benefit of several inherent security restrictions which prevent each successive action based on trust and based on authorization.  As this process is not an authorized one in any sense, NONE of the actions it would attempt to perform (including being launched in the first place) would actually be allowed to occur, as illustrated in the following example:

[Figure: MalwareProcess_DCS, the same workflow with each step denied by the control]

Additionally, this control remains effective against successive generations or evolutions of the threat under the same protection framework, without additional modification by administrators to maintain the posture.
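The trust-based control described above can be modelled in a few lines. The following Python code is an added example written for this page; it is not Symantec's policy format or product code. It assumes a hypothetical default-deny policy with one profiled POS image, and a constructed set of workflow steps in which the LogMeIn credential path and the C2 domain are placeholders. Beyond the single case in the text, it also shows that a renamed second generation of the untrusted image, and a trusted process stepping outside its own profile, are refused by the same unchanged policy.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProcessProfile:
    # Hypothetical trust profile: one image that may run and the actions it may take.
    image: str
    allowed_actions: frozenset


@dataclass
class TrustPolicy:
    # Default deny: an image with no profile may not execute at all, and a
    # profiled image may only perform the actions listed in its profile.
    profiles: dict = field(default_factory=dict)

    def add(self, profile: ProcessProfile) -> None:
        self.profiles[profile.image.lower()] = profile

    def evaluate(self, image: str, action: str):
        """Return (allowed, reason) for one action requested by one image."""
        profile = self.profiles.get(image.lower())
        if profile is None:
            return False, "untrusted image: execution denied"
        if action == "execute":
            return True, "trusted image: execution allowed"
        if action in profile.allowed_actions:
            return True, "action in profile"
        return False, f"action not in profile for {profile.image}"


def build_sample_policy() -> TrustPolicy:
    # Constructed example: a single POS application with a static allowance set.
    policy = TrustPolicy()
    policy.add(ProcessProfile(
        image=r"C:\POS\pos.exe",
        allowed_actions=frozenset({
            r"file_read:C:\POS\config.ini",
            "network_connect:payment-gateway.example:443",
        }),
    ))
    return policy


def evaluate_workflow(policy: TrustPolicy, image: str, actions):
    """Evaluate the steps a process would attempt, in order, stopping at the
    first denial: a denied launch means none of the later steps can happen."""
    results = []
    for action in ["execute", *actions]:
        allowed, reason = policy.evaluate(image, action)
        results.append((action, allowed, reason))
        if not allowed:
            break
    return results


# The steps mirror the workflow the article describes; paths and domain are
# constructed placeholders, not indicators taken from the report.
MALWARE_STEPS = [
    r"file_read:C:\HYPOTHETICAL\logmein-credentials.dat",
    r"process_memory_read:C:\POS\pos.exe",
    "dns_query:example-c2.test",
]

POS_STEPS_WITH_DRIFT = [
    r"file_read:C:\POS\config.ini",
    "dns_query:example-c2.test",
]


if __name__ == "__main__":
    policy = build_sample_policy()
    # First and second generation of the untrusted image: both stop at launch.
    for image in (r"C:\Users\Public\WME.exe", r"C:\Users\Public\WME-v2.exe"):
        for action, allowed, reason in evaluate_workflow(policy, image, MALWARE_STEPS):
            print(image, action, "ALLOW" if allowed else "DENY", reason)
    # The trusted POS process runs, reads its config, and is stopped at the
    # first action outside its profile.
    for action, allowed, reason in evaluate_workflow(policy, r"C:\POS\pos.exe", POS_STEPS_WITH_DRIFT):
        print("pos.exe", action, "ALLOW" if allowed else "DENY", reason)
```

The point the model makes is the one the article relies on: the policy never references the malware, only the trusted images and their allowances, so a renamed or re-signed generation of the same threat changes nothing about the decision.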

Conclusion

In conclusion, the correct approach and strategy, based on establishing and enforcing asset and transactional trust, can effectively mitigate this type of malware as outlined, and can remain an effective control for the foreseeable future in these scenarios.