Alina Continues to Spread its Wings

Another day, another variant of Alina—or so it would seem. For those unfamiliar, Alina is a point of sale (PoS) malware family that dates back to late 2012. Some of you might recall I previously investigated this malware family, and more specifically, its evolution. You can find those articles here and here.

More recently, my friend Eric Merritt spoke about the Alina ‘Spark’ variant. Today, I’d like to announce the latest Alina variant, which I’m dubbing ‘Eagle’. Eagle appears to have been around since September 2014.

The file that I’ll be discussing throughout this blog post can be found here.

In my research on this variant, I found that HP discussed it a couple of months ago. While HP’s overview is excellent, I wish to expand on a couple of areas it didn’t cover.

Backstory

Alina was originally written in late 2012. Throughout early 2013, Alina saw a very active development period, with many new versions created in a short timeframe. Alina has historically performed memory scraping against Microsoft Windows PoS devices in order to steal track data. This malware family also came equipped with a command and control (C&C) component that could be used to exfiltrate data and accept commands. Examples of these commands include downloading and executing further malware, updating itself, and modifying Alina’s settings.

In October 2013, it was reported that Alina’s source code was being sold on underground forums for $2,000. Since then, we have seen characteristics of Alina in other PoS malware families several times; the popular Backoff and JackPOS families are two such examples. In addition to these new families, we’ve also encountered newer variants of Alina that presumably build on the source code that was sold.

The Eagle variant shares many characteristics with the Spark variant, but makes a number of modifications to its code base.

Similar Characteristics

Similar to Spark, Eagle installs itself to the %APPDATA%\Install directory. However, in this particular case, it will name itself ‘winfax12.exe’.

Winfax.exe and ntfs.dat installed in the %APPDATA%\Install folder

The ‘ntfs.dat’ file continues to store the eight-byte unique identifier for the victim, and Eagle applies the same technique as Spark of deriving that identifier from the last two bytes of the victim’s volume serial ID.

The Eagle variant achieves persistence using the following registry key.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winfax12 - %APPDATA%\Install\winfax12.exe

The name of the stored key has been updated to remain consistent with the executable name that Alina uses.

Eagle also uses named pipes, as previously seen in Spark and Alina 5.x. This particular variant uses the following pipe.

\\.\pipe\Eagle[unique victim id]
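
The host artifacts above (the %APPDATA%\Install directory with winfax12.exe and ntfs.dat, the winfax12 Run value, and the Eagle-prefixed named pipe) are easy to sweep for. The following triage script is an added example and not code from the original post or from the malware: the checks are written as pure functions that take the collected data, so they can be exercised offline, and the live collection on a Windows host (HKCU Run key via winreg, pipe names via os.listdir on \\.\pipe\, the AppData directory listing) runs only when the script is executed on Windows. The sample inputs in the dry-run branch, including the pipe suffix 0a1b2c3d standing in for a victim id, are constructed.

```python
import os

# Host indicators of the Eagle variant as described above. The checking
# code itself is an added triage example, not the malware author's code.
BINARY_NAME = "winfax12.exe"
ID_FILE_NAME = "ntfs.dat"           # holds the eight-byte victim id
RUN_VALUE_NAME = "winfax12"         # HKCU\...\CurrentVersion\Run value name
PIPE_PREFIX = "Eagle"               # \\.\pipe\Eagle<victim id>
INSTALL_SUBDIR = "Install"          # %APPDATA%\Install


def check_run_values(run_values):
    """run_values: {value_name: data} read from the HKCU Run key.
    Flags the Eagle value name and, more generally (Spark uses the same
    directory), any Run entry launching from an AppData \\Install\\ path."""
    findings = []
    for name, data in run_values.items():
        data_l = str(data).lower()
        if name.lower() == RUN_VALUE_NAME or (
                "appdata" in data_l and "\\install\\" in data_l):
            findings.append(f"Run value {name!r} -> {data}")
    return findings


def check_pipes(pipe_names):
    """pipe_names: names under \\\\.\\pipe\\ without the prefix."""
    return [p for p in pipe_names if p.startswith(PIPE_PREFIX)]


def check_install_dir(entries):
    """entries: file names present in %APPDATA%\\Install."""
    wanted = {BINARY_NAME, ID_FILE_NAME}
    return sorted(e for e in entries if e.lower() in wanted)


def triage(run_values, pipe_names, install_entries):
    """Run all three checks; any non-empty list is an Eagle artifact."""
    return {
        "run_key": check_run_values(run_values),
        "pipes": check_pipes(pipe_names),
        "install_dir": check_install_dir(install_entries),
    }


def collect_live():
    """Gather the inputs from a live Windows host (Windows only)."""
    import winreg  # imported here so the module still loads on other OSes
    run_values = {}
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    try:
        i = 0
        while True:                      # EnumValue raises OSError at the end
            name, data, _ = winreg.EnumValue(key, i)
            run_values[name] = data
            i += 1
    except OSError:
        pass
    finally:
        winreg.CloseKey(key)
    pipes = os.listdir(r"\\.\pipe\\")    # lists active named pipes
    install_dir = os.path.join(os.environ.get("APPDATA", ""), INSTALL_SUBDIR)
    entries = os.listdir(install_dir) if os.path.isdir(install_dir) else []
    return run_values, pipes, entries


if __name__ == "__main__":
    if os.name == "nt":
        print(triage(*collect_live()))
    else:
        # Constructed inputs mirroring an infected host, for a dry run.
        print(triage(
            {"OneDrive": r"C:\Users\pos\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
             "winfax12": r"%APPDATA%\Install\winfax12.exe"},
            ["lsass", "Eagle0a1b2c3d", "wkssvc"],
            ["winfax12.exe", "ntfs.dat"],
        ))
```

The Run-key check deliberately also flags any AppData \Install\ launch path rather than only the winfax12 name, since the directory is shared with Spark and the file name is the part most likely to change in the next variant.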

Eagle has added some names to its blacklist of processes to ignore when performing memory scraping. Skipping these processes both speeds up the scraping and limits the number of false positives. The full list can be seen below.

explorer.exe
hostmgr.exe
java.exe
svchost.exe
wininit.exe
thunderbird.exe
dwm.exe
jucheck.exe
alg.exe
spoolsv.exe
chrome.exe
oimanagerapp.exe
firefox.exe
smss.exe
steam.exe
skype.exe
dllhost.exe
lsass.exe
wscntfy.exe
QML.exe
dbsrv10.exe
logmein.exe
iexplore.exe
csrss.exe
devenv.exe
services.exe
jusched.exe
winlogon.exe
taskmgr.exe
AKW.exe

The C&C component has remained largely constant: Eagle uses the same obfuscation routine seen in Spark and other newer variants. Using an example outbound POST request, we can see this decryption below.

Decrypted outbound POST request from Alina Eagle variant

Unlike previous versions of Alina, the Eagle variant uses the following User-Agent.

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1 Eagle Special v12 -> 1.1

Brand New Characteristic

A notable addition to Eagle is its ability to extract VNC credentials. VNC, or Virtual Network Computing, is a remote administration system that comes in many different flavors. It’s widely used by individuals and organizations across the globe to remotely administer machines.

Eagle attempts to extract the credentials to the following VNC applications by querying the victim’s registry.

  • TightVNC
  • RealVNC
  • TigerVNC

Unfortunately for the author, the code contains a bug: the offset to the Unicode string is off by one.

Eagle querying registry strings at the wrong offset

As a result, a number of registry queries are made against a series of null bytes instead of the intended value name. These queries fail, and Eagle is unable to acquire the data it is looking for.

Failed registry queries

While this particular block of code failed, another function was included to extract UltraVNC credentials from the UltraVNC.ini file. This functionality works as expected.

Should Eagle identify any VNC credentials, it exfiltrates them by emailing a @yahoo.com address via SMTPS on port 465. The emails are sent from a @strongboltmail.com account.

Detection

In order to help malware researchers and defenders, the following YARA signature can be used to detect almost all known versions of Alina, including Spark and Eagle. I’ve also included it on the Nuix GitHub page.

rule alina
{
      meta:
            description = "This rule will detect a family of malware named Alina that is responsible for memory scraping and exfiltration (C&C). The malware targets track data on point of sale devices."
            author = "Josh Grunzweig"
            company = "Nuix"
      strings:
            $regex1 = "(((%?[Bb])[0-9]{13,19}\\^[A-Za-z\\s]{0,26}/[A-Za-z\\s]{0,26}\\^(1[2-9])(0[1-9]|1[0-2])[0-9\\s]{3,50}\\?)[; ]{1,3}([0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\\?))"
            $regex2 = "([0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\\?)"
            $regex3 = "((%?[Bb])[0-9]{13,19}\\^[A-Za-z\\s]{0,26}/[A-Za-z\\s]{0,26}\\^(1[2-9])(0[1-9]|1[0-2])[0-9\\s]{3,50}\\?)"
            $user_agent1 = /Alina v\d+\.\d+/ nocase
            $user_agent2 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1 Spark v"
            $log1 = "{[!40!]}{[!4!]}{[!36!]}"
            $log2 = "{[!29!]}{[!32!]}"
            $log3 = "{[!30!]}{[!31!]}{[!4!]}"
            $log4 = "{[!2!]}{[!20!]}{[!21!]}"
            $blacklist1 = "explorer.exe"
            $blacklist2 = "chrome.exe"
            $blacklist3 = "firefox.exe"
            $blacklist4 = "iexplore.exe"
            $blacklist5 = "svchost.exe"
            $blacklist6 = "smss.exe"
            $blacklist7 = "crss.exe"
            $blacklist8 = "wininit.exe"
            $blacklist9 = "steam.exe"
            $blacklist10 = "devenv.exe"
            $blacklist11 = "thunderbird.exe"
            $blacklist12 = "skype.exe"
            $blacklist13 = "pidgin.exe"
      condition:
            (any of ($regex*)) or ((all of ($blacklist*)) and (any of ($user_agent*))) or (any of ($log*))
}
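
Two things in the rule are worth making concrete. First, the $regex* entries are YARA text strings, not YARA regexes: they match the regex source that Alina embeds in its binary, which is why they carry literal backslashes. Second, the blacklist branch only fires together with a User-Agent, so a benign program that happens to mention common process names is not enough on its own. The script below is an added example and not the post's or Nuix's code: it compiles the Track 1 / Track 2 patterns as real regexes and runs them over a constructed memory buffer (the PAN 4111111111111111 is the standard test number, not a real card), then re-implements the rule's condition over constructed byte blobs to show which branch each one trips.

```python
import re

# Track 1 and Track 2 patterns transcribed from the rule's $regex3 and $regex2.
# In the YARA rule these are text strings, because Alina carries the regex
# source inside its binary; here they are compiled as real regexes to show
# what the scraper pulls out of process memory.
TRACK1_RE = re.compile(
    rb"(%?[Bb])[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^"
    rb"(1[2-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?"
)
TRACK2_RE = re.compile(rb"[0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\?")

# Constructed memory region: a test PAN in Track 1 and Track 2 layout,
# surrounded by unrelated bytes that must not match.
SAMPLE_MEMORY = (
    b"\x00\x00GET /status HTTP/1.1\r\nHost: pos.local\r\n\x00\x00"
    b"%B4111111111111111^DOE/JOHN^1512101000000000000?"
    b";4111111111111111=15121010000000000000?\x00\x00"
    b"receipt total 15.12 order 123456\x00"
)


def scrape_tracks(memory):
    """Return the Track 1 hits followed by the Track 2 hits in a buffer."""
    hits = [m.group(0) for m in TRACK1_RE.finditer(memory)]
    hits += [m.group(0) for m in TRACK2_RE.finditer(memory)]
    return hits


# The rule's strings as the bytes they would occupy in a sample. YARA's "\\"
# inside the $regex* text strings is a single literal backslash, hence rb"".
REGEX_SOURCES = [
    rb"(((%?[Bb])[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^(1[2-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)[; ]{1,3}([0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\?))",
    rb"([0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\?)",
    rb"((%?[Bb])[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^(1[2-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)",
]
USER_AGENT_RE = re.compile(rb"Alina v\d+\.\d+", re.IGNORECASE)      # $user_agent1
USER_AGENT_LITERAL = (b"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; "
                      b"InfoPath.1 Spark v")                         # $user_agent2
LOG_MARKERS = [b"{[!40!]}{[!4!]}{[!36!]}", b"{[!29!]}{[!32!]}",
               b"{[!30!]}{[!31!]}{[!4!]}", b"{[!2!]}{[!20!]}{[!21!]}"]
BLACKLIST = [b"explorer.exe", b"chrome.exe", b"firefox.exe", b"iexplore.exe",
             b"svchost.exe", b"smss.exe", b"crss.exe", b"wininit.exe",
             b"steam.exe", b"devenv.exe", b"thunderbird.exe", b"skype.exe",
             b"pidgin.exe"]


def matches_alina_rule(data):
    """Evaluate the rule's condition over raw bytes:
    (any of $regex*) or (all of $blacklist* and any of $user_agent*) or (any of $log*)."""
    any_regex = any(s in data for s in REGEX_SOURCES)
    all_blacklist = all(s in data for s in BLACKLIST)
    any_ua = USER_AGENT_RE.search(data) is not None or USER_AGENT_LITERAL in data
    any_log = any(s in data for s in LOG_MARKERS)
    return any_regex or (all_blacklist and any_ua) or any_log


# Constructed stand-ins for file contents (not real Alina samples).
SAMPLE_EMBEDDED_REGEX = b"MZ\x90\x00" + b"\x00" * 8 + REGEX_SOURCES[2] + b"\x00"
SAMPLE_BLACKLIST_AND_UA = b"\x00".join(BLACKLIST) + b"\x00Alina v5.3\x00"
SAMPLE_BLACKLIST_ONLY = b"\x00".join(BLACKLIST) + b"\x00"   # names alone: no hit


if __name__ == "__main__":
    for hit in scrape_tracks(SAMPLE_MEMORY):
        print("track data:", hit)
    for label, blob in [("embedded regex", SAMPLE_EMBEDDED_REGEX),
                        ("blacklist + UA", SAMPLE_BLACKLIST_AND_UA),
                        ("blacklist only", SAMPLE_BLACKLIST_ONLY)]:
        print(f"{label}: {matches_alina_rule(blob)}")
```

Running it prints the two track strings from the constructed buffer, then True, True, False for the three blobs: the first trips the $regex branch, the second the blacklist-plus-User-Agent branch, and the third shows that the blacklist by itself is not a detection.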

Conclusions

Overall, this variant is interesting in that it has added the ability to obtain VNC credentials, which would likely prove useful to the attackers in gaining access to other systems that use the same authentication mechanism. While the majority of the variant’s functionality is consistent with Spark, the newer compile timestamps demonstrate that Alina’s source code is still alive and well. I’m sure we’ll continue to see further variants of this family as time goes on.


Josh Grunzweig

Josh was a Principal Security Consultant for Malware Analysis at Nuix. With multiple years of experience dealing with malicious campaigns and files, he’s performed analysis on thousands of samples. Josh has spoken at a number of security conferences and periodically writes or contributes to technical blog posts. Additionally, Josh often works with local and federal law enforcement in assisting them with ongoing investigations.
