Remember the 2017 and 2018 Click2Gov breaches that compromised 300,000 payment cards?  Not surprisingly, hackers are at it again. Accenture teams have discovered a new set of tools remote attackers can use to collect credit card information from Click2Gov installations.

Thanks to some clever investigative work by our people in Security Cyber Investigation and Forensics Response (CIFR) and Cyber Threat Intelligence (iDefense), we were able to reverse-engineer the attackers’ tools and identify them as click2govstomper and click2govscraper. Then, working collaboratively, CIFR and iDefense determined that this unknown threat actor group may be actively targeting as many as 1,800 municipalities running Click2Gov software.

The attacker’s tools seem to have been designed to capture credit card data input by users of the Click2Gov software (click2govscraper) and store the captured data for collection by click2govstomper.

Within the attacker’s customized tooling, CIFR and iDefense noted the MITRE ATT&CK tactics listed below.

MITRE Tactic   Description                              Used By
T1048          Exfiltration Over Alternative Protocol   Click2govscraper
T1020          Automated Exfiltration                   Click2govstomper
T1074          Data Staged                              Click2govscraper
T1145          Private Keys                             Click2govscraper
T1050          New Service                              Click2govstomper
T1059          Command-Line Interface                   Click2govstomper
T1099          Timestomp                                Click2govstomper

The click2govscraper attacker tool (T1059, T1020, T1145, T1074) enables a debugging interface built into the Click2Gov software to capture the data to a temporary file in the system temporary directory, and runs as a Windows service to maintain persistence on the impacted device (T1050). Click2govstomper collects the output from click2govscraper and writes it to files in a web-accessible directory as a Base64-encoded blob with a false PNG file extension (T1020, T1074). The file is written with a modified timestamp (T1099) in order to thwart investigations. Upon access to the false PNG file (T1048), click2govstomper then overwrites the PNG file with new data.

Click2govscraper forcing debugs

The CIFR and iDefense teams were also able to show that click2govscraper can be used by the remote attackers to force a debug condition in the Click2Gov platform.

Malware capabilities

Click2govscraper accepts a command line argument “I,” which invokes sub_1400027D0 for creating a new service, certsvc, with the display name “Certificate Policy Service.”

The figure below shows presence of a service under NT AUTHORITY\SYSTEM created by click2govscraper.

Figure shows presence of a service under NT AUTHORITY\SYSTEM created by click2govscraper.

Copyright © 2020 Accenture. All rights reserved.

click2govscraper also accepts an argument “u” that invokes sub_1400028F0, which then terminates and deletes the certsvc. Below is the pseudo code of sub_1400028F0.

Figure shows the pseudo code of sub_1400028F0

Upon proper installation, and if the fraudulent service certsvc is already running, the malware calls the WSAStartup function requesting version 2.2, which initiates use of the Winsock DLL by the certsvc process.

The malware queries GetWindowsDirectoryA to determine the Windows directory and checks for the presence of the following file: %WINDIR%\temp\~0930.dat. To ensure that only one instance of the malware is running, it creates a mutex with the unique name B7041BBE-2E0D-4337-A896-3CDA33A8A0F0.

The malware then starts a socket listener by invoking sub_140001C90, inspects TCP traffic on port 8000 (0x1F40), and keeps saving the captured packets until the buffer size reaches 102399 (0x18FFF) bytes or the stream contains POST /OnePoint/services/OnePointService. The malware then searches for the following tags inside the saved buffer:

<soapenv:Body>
</soapenv:Body>

Next, the malware checks whether the size of the content between the two tags is smaller than 10239 (0x27FF) bytes and invokes sub_140001000 on the captured content. sub_140001000 performs standard Base64 encoding, and the malware writes the Base64-encoded output to the file %WINDIR%\temp\~0930.dat.
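Responders who recover the ~0930.dat staging file need to know what was captured without copying full card numbers into case notes. The following Python script is an added example written for this post; it is not Accenture's tooling and not code taken from the malware. It decodes each Base64 record, confirms that the record carries a SOAP body between the <soapenv:Body> tags described above, and reports masked card numbers (BIN and last four) found in the body. It assumes one Base64 record per line; the report does not state how click2govscraper delimits successive captures, and the sample file content is constructed.

```python
import base64
import binascii
import re
import sys
from typing import Dict, List

# Assumption of this example: one Base64 record per line. The report does not
# say how click2govscraper delimits successive captures in ~0930.dat.
SOAP_BODY_RE = re.compile(r"<soapenv:Body>(.*?)</soapenv:Body>", re.DOTALL)
# 13 to 19 digits, optionally separated by spaces or dashes, as card numbers are typed.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep BIN and last four only, so findings can be shared without exposing full PANs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def card_numbers(text: str) -> List[str]:
    """Masked, de-duplicated, Luhn-valid card numbers found in a SOAP body."""
    found = set()
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            found.add(mask_pan(digits))
    return sorted(found)


def triage_staging_file(data: bytes) -> List[Dict]:
    """Decode each record and classify it; returns one dict per non-empty line."""
    records = []
    for lineno, raw in enumerate(data.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            decoded = base64.b64decode(line, validate=True)
        except (binascii.Error, ValueError):
            records.append({"line": lineno, "status": "not_base64"})
            continue
        text = decoded.decode("utf-8", errors="replace")
        body = SOAP_BODY_RE.search(text)
        if body is None:
            records.append({"line": lineno, "status": "no_soap_body", "size": len(decoded)})
            continue
        records.append({
            "line": lineno,
            "status": "soap_body",
            "size": len(decoded),
            "card_numbers": card_numbers(body.group(1)),
        })
    return records


# Constructed sample staging file: one captured SOAP request carrying a test
# card number, one non-SOAP capture, and one corrupt line.
SAMPLE_SOAP = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Body><pay:cardNumber>4111 1111 1111 1111</pay:cardNumber>"
    "<pay:expiry>12/24</pay:expiry><pay:amount>125.00</pay:amount></soapenv:Body>"
    "</soapenv:Envelope>"
)
SAMPLE_STAGING_FILE = b"\n".join([
    base64.b64encode(SAMPLE_SOAP.encode()),
    base64.b64encode(b"GET /favicon.ico HTTP/1.1\r\nHost: localhost\r\n\r\n"),
    b"this line is !!! not base64",
]) + b"\n"


if __name__ == "__main__":
    # Usage: python triage.py [path-to-~0930.dat]; falls back to the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STAGING_FILE
    for rec in triage_staging_file(blob):
        print(rec)
```

Only the masked form ever leaves the function, which keeps the triage output itself from becoming a second copy of the cardholder data the attackers were after.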

The malware also executes a similar socket listener by invoking sub_140001B30, which listens to local host (127.0.0.1) traffic. This action allows the malware to capture internal communications between different components of a targeted payment system. The pseudo code of sub_140001B30 is shown below.

Figure displays the pseudo code of sub_140001B30

The malware now calls sub_140001C90 to inspect the TCP traffic on port 443 (0x1BB).

The highlighted Base64-encoded string MDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6 in its decoded form is 0123456789abcdefghijklmnopqrstuvwxyz — a common passphrase for an encrypted private SSL key. It appears that the targeted payment system is either using a very weak passphrase or the malware is manipulating the encrypted traffic. The malware is not using any known privilege escalation methods and according to embedded Manifest information, it just uses the (security) execution level of the caller. Additionally, the malware does not have lateral movement functionality by itself.

Indicators of compromise

CIFR and iDefense’s analysis surfaced the following indicators of compromise associated with a current campaign that may be present within compromised Click2Gov installations:

  • Presence, creation or deletion of certsvc Windows Service with the display name Certificate Policy Service. This fraudulent service is executed under NT AUTHORITY\SYSTEM authority.
  • Presence, creation, deletion or access of the ~0930.dat file under the %WINDIR%\temp\ folder. To note, files starting with ~ could be seen as hidden on *NIX and by many forensic toolsets.
  • Mutex under unique name of B7041BBE-2E0D-4337-A896-3CDA33A8A0F0.
  • Possibility of using weak SSL passphrase “0123456789abcdefghijklmnopqrstuvwxyz” on targeted payment system or evidence of traffic manipulation or redirection.

Metadata

Key              Value
Name             certsvc.exe
Tags             anti_dbg, base64_table, domain, ip, contentis_base64, str_win32_winsock2_library, create_service, win_mutex, win_files_operation, microsoft_visual_cpp_80_dll, ispe64, isconsole, hasrichsignature, click2govscraper
Size             96768
Type             PE32 executable (console) x86-64, for MS Windows
Mime             application/x-dosexec
MD5              af1254ed7b3b1ed94dd497b42fe75255
SHA1             3affd9fa153e01c234af4c5fa2c79fee0ddb3100
SHA256           42845fdfdff7b4c3c1e2db2bc4a6564b12f72c63864eb61d31c0991667dad1c7
SHA512           5858bfd61e1191813a9517cd914885724082adddda309774f4920d3cb75013888ccd171aff44744f39b676a324ad7a879748bc07eaf77883da1e769b4b58792e
SSdeep           1536:AnAYh7qrEgW8BIi3RQcdSpTbXBYyIdH3TPloExaepZmYacYXo5:CSEgW0ec6TDBJUD9FHZmZcYXo5
CRC32            CE4D31E5
PE Compile Time  1564399816 (2019-07-29 11:30:16)

More attacker tooling: Click2govstomper

iDefense and CIFR identified another piece of attacker tooling as click2govstomper, which picks up files from click2govscraper and modifies the filesystem timestamps in an attempt to thwart analysis.

Malware capabilities

As shown below, click2govstomper enumerates the command line arguments and appears to look for more than three arguments. Digging into the code, it also appears that the malware is expecting a date in YYYY MM DD format as the arguments.

Figure shows that the malware is expecting a date in YYYY MM DD format as the arguments

The malware then crawls for files created after this YYYY MM DD date, using the exact method described in the following MSDN post to skip the “.” entry and directories among the enumerated files. The pseudo code for this logic is shown below.

Figure shows the pseudo code of the file enumeration logic

The malware invokes sub_401D40 on all the enumerated files. To bypass basic forensic analysis and lower the suspicion of system admins, this function queries the three timestamps (aka MACB times) of each file. The term MACB times refers to the timestamps of the latest modification (mtime) or last written time, access (atime) or change (ctime) of a given file. click2govstomper utilizes timestomping[1] in an effort to thwart analysis. Timestomping is the technique of resetting the MACB timestamps to “blend in with the noise.” It is common for attackers to timestomp a file to the installation date of the endpoint, as there are often several thousand files being accessed and written during installation. However, all these events are enumerated in Windows Event Manager and are potentially monitored through other third-party management and security agents.

Unlike the older click2govstomper of 2018, the new version doesn’t look for any hard-coded patterns inside the malware body. The malware tries to enumerate its findings inside a temporary file named temp.tmp in the same working directory as the original malware. The targeted logfiles are then replaced with temp.tmp file, which will be deleted upon completion of the logfile scraping.
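Timestomped files can often be surfaced from ordinary stat() metadata before a full $MFT comparison is available. The Python script below is an added example for this post, not Accenture's code and not derived from the stomper binary; it walks a directory and flags files on three heuristics that are assumptions of this example: whole-second timestamps (a tool fed a YYYY MM DD date, as click2govstomper is described to be, sets times with no sub-second part), identical modified and accessed times, and a modified time that predates the change time by more than a day. The sample directory tree with one clean and one stomped file is constructed by the script itself.

```python
import os
import tempfile
import time
from typing import Dict, List

NS_PER_SEC = 1_000_000_000
ONE_DAY_NS = 86_400 * NS_PER_SEC


def timestamp_flags(st: os.stat_result) -> List[str]:
    """Heuristic timestomp indicators for one stat() result.

    These are triage heuristics (assumptions of this example), not proof. Confirm
    hits by comparing $STANDARD_INFORMATION with $FILE_NAME times in the $MFT.
    """
    flags = []
    # A tool that sets times from a date argument produces whole-second values;
    # normal writes on NTFS, ext4 and friends carry sub-second precision.
    if st.st_mtime_ns % NS_PER_SEC == 0 and st.st_atime_ns % NS_PER_SEC == 0:
        flags.append("whole_second_times")
    # Modified and accessed times rarely coincide to the nanosecond on a live log.
    if st.st_mtime_ns == st.st_atime_ns:
        flags.append("identical_m_and_a")
    # On POSIX st_ctime is the inode change time and cannot be set via utime, so a
    # modified time far older than it means the times were rewritten. On Windows
    # Python reports creation time here instead, where copied files legitimately
    # keep an older mtime, so weigh this flag more cautiously there.
    if st.st_ctime_ns - st.st_mtime_ns > ONE_DAY_NS:
        flags.append("mtime_well_before_ctime")
    return flags


def scan_directory(root: str) -> List[Dict]:
    """Return every file under root that raises at least one flag."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # os.walk never yields "." or ".."
        for name in files:
            path = os.path.join(dirpath, name)
            flags = timestamp_flags(os.stat(path))
            if flags:
                findings.append({"path": path, "flags": flags})
    return findings


def build_demo_tree() -> str:
    """Constructed sample: one file with natural timestamps and one 'stomped' to
    2019-07-26 00:00:00 UTC, a date just after the sample's compile time."""
    root = tempfile.mkdtemp(prefix="stomp_demo_")
    clean = os.path.join(root, "clean.log")
    stomped = os.path.join(root, "stomped.log")
    for path in (clean, stomped):
        with open(path, "w") as fh:
            fh.write("constructed sample log line\n")
    # Clean file: current second with distinct, non-zero sub-second parts.
    base_ns = time.time_ns() - (time.time_ns() % NS_PER_SEC)
    os.utime(clean, ns=(base_ns + 123_456_789, base_ns + 987_654_321))
    # Stomped file: atime and mtime both set to a whole-second 2019 value.
    stomped_ns = 1_564_099_200 * NS_PER_SEC
    os.utime(stomped, ns=(stomped_ns, stomped_ns))
    return root


def demo_findings() -> Dict[str, List[str]]:
    """Scan the constructed tree and key the findings by file name."""
    root = build_demo_tree()
    return {os.path.basename(f["path"]): f["flags"] for f in scan_directory(root)}


if __name__ == "__main__":
    for name, flags in demo_findings().items():
        print(name, flags)
```

On a real host, point scan_directory at the web-accessible directories the stomper writes into and at the Click2Gov log locations, and treat a cluster of files sharing one whole-second timestamp as the strongest signal, since that matches the "blend in with the installation date" pattern described above.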

Metadata

Key              Value
Name             rm.exe_
Tags             seh_save, seh_init, anti_dbg, domain, contentis_base64, win_files_operation, vc8_microsoft_corporation, microsoft_visual_cpp_8, ispe32, isconsole, hasrichsignature
Size             169984
Type             PE32 executable (console) Intel 80386, for MS Windows
Mime             application/x-dosexec
MD5              336ed53ba85fb8c4d55ad0236dc6ad13
SHA1             178144d1367984388621960bc7858f8580c50b9f
SHA256           37a126e8c85d2754d4cf7231f657e4958eb8486b9e79c0d8c8b3fb74fa0542d5
SHA512           abbb2d4b7762ad3862a0f828aed26bbd259b9b00869a80ced48640f09ced9423cbf2924a248955a18d7b1cafead16ee4663b2367ac54b40cfd5e657caa231a79
SSdeep           3072:JQacX1e5jgU3wCntBQbmCWi7iPnVIyuz6kAA:JQaeagUAkfvKKul
CRC32            CE4D31E5
PE Compile Time  1564069101 (2019-07-25 15:38:21)

[1] https://attack.mitre.org/techniques/T1099/

Related samples

iDefense identified a related sample, very similar to click2govscraper, with the following indicators of compromise:

  • Presence, creation, or deletion of cryptmgr Windows Service with the display name Cryptographic Manager. This fraudulent service is executed under NT AUTHORITY\SYSTEM authority.
  • Presence, creation, deletion, or access of the ~6055.dat file under the %WINDIR%\temp\ folder. To note, files starting with ~ could be seen as hidden on *NIX and by many forensic toolsets.
  • Mutex under unique name of 504BD852-A28C-409A-B440-DAC2338CFA61.
  • Possibility of using weak SSL passphrase 0123456789abcdefghijklmnopqrstuvwxyz on targeted payment system or evidence of traffic manipulation or redirection.
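
The two indicator lists above (for click2govscraper and for the related sample) are easiest to sweep for once host data has been normalized into simple records. The Python script below is an added example for this post, not Accenture's code or a tool from the report: it holds the service names, display names, mutex names and SHA-256 hashes published above, plus the \temp\~NNNN.dat staging path pattern from the YARA rule, and matches them against normalized records of service installations (typically sourced from System log event 7045), file inventories and mutex listings. The record format and the sample records are constructed for the example; the weak SSL passphrase indicator is not matched here because it calls for a review of the key material rather than a log lookup.

```python
import re
from typing import Dict, List

# Indicators taken from the report: service names and display names, mutex
# names, and SHA-256 hashes of the three analysed samples.
IOCS = {
    "service_name": {"certsvc", "cryptmgr"},
    "service_display_name": {"certificate policy service", "cryptographic manager"},
    "mutex": {
        "B7041BBE-2E0D-4337-A896-3CDA33A8A0F0",
        "504BD852-A28C-409A-B440-DAC2338CFA61",
    },
    "sha256": {
        "42845fdfdff7b4c3c1e2db2bc4a6564b12f72c63864eb61d31c0991667dad1c7",
        "37a126e8c85d2754d4cf7231f657e4958eb8486b9e79c0d8c8b3fb74fa0542d5",
        "145b751fb79a4e1f156fc7274822c316b1e35e858b6a85924bab414054468b3a",
    },
}
# Staging file pattern, mirroring the YARA string \temp\~[0-9]{4}.dat
STAGING_PATH_RE = re.compile(r"\\temp\\~\d{4}\.dat$", re.IGNORECASE)


def check_record(rec: Dict[str, str]) -> List[str]:
    """Return the indicator hits for one normalized record (empty list if clean).

    Record layout is an assumption of this example: a "type" of service, file or
    mutex plus the fields used below, however the collection tooling produced them.
    """
    hits = []
    kind = rec.get("type")
    if kind == "service":
        if rec.get("name", "").lower() in IOCS["service_name"]:
            hits.append("service_name:" + rec["name"])
        if rec.get("display_name", "").lower() in IOCS["service_display_name"]:
            hits.append("service_display_name:" + rec["display_name"])
    elif kind == "file":
        if STAGING_PATH_RE.search(rec.get("path", "")):
            hits.append("staging_file:" + rec["path"])
        if rec.get("sha256", "").lower() in IOCS["sha256"]:
            hits.append("sha256:" + rec["sha256"])
    elif kind == "mutex":
        if rec.get("name", "").upper() in IOCS["mutex"]:
            hits.append("mutex:" + rec["name"])
    return hits


def scan(records: List[Dict[str, str]]) -> List[Dict]:
    """Keep only records with at least one hit, tagged with the host they came from."""
    return [{"host": r.get("host"), "hits": h} for r in records if (h := check_record(r))]


# Constructed sample records; host names and paths are invented for the example.
SAMPLE_RECORDS = [
    {"host": "pay-web-01", "type": "service", "name": "certsvc",
     "display_name": "Certificate Policy Service", "account": "LocalSystem"},
    {"host": "pay-web-01", "type": "service", "name": "Spooler",
     "display_name": "Print Spooler", "account": "LocalSystem"},
    {"host": "pay-web-02", "type": "file", "path": r"C:\Windows\temp\~6055.dat"},
    {"host": "pay-web-02", "type": "file", "path": r"C:\Windows\temp\cab_1234.tmp"},
    {"host": "pay-web-02", "type": "file", "path": r"C:\inetpub\wwwroot\rm.exe",
     "sha256": "37a126e8c85d2754d4cf7231f657e4958eb8486b9e79c0d8c8b3fb74fa0542d5"},
    {"host": "pay-web-03", "type": "mutex", "name": "504BD852-A28C-409A-B440-DAC2338CFA61"},
    {"host": "pay-web-03", "type": "mutex", "name": "Global\\MsiExecuteMutex"},
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding["host"], finding["hits"])
```

Matching the staging file by pattern rather than by the two exact names keeps the sweep useful for further variants that only rotate the four-digit suffix, which is the same generalization the YARA rule makes.
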
Metadata

Key              Value
Name             83fdc636086a5fb611ff60180a77e0eb
Tags             anti_dbg, base64_table, domain, ip, contentis_base64, str_win32_winsock2_library, create_service, win_mutex, win_files_operation, microsoft_visual_cpp_80_dll, ispe64, isconsole, hasrichsignature, click2govscraper
Size             96768
Type             PE32+ executable (console) x86-64, for MS Windows
Mime             application/x-dosexec
MD5              83fdc636086a5fb611ff60180a77e0eb
SHA1             6a8f3505c175478aeca0da63b443d91fdd5192f6
SHA256           145b751fb79a4e1f156fc7274822c316b1e35e858b6a85924bab414054468b3a
SHA512           68bd40f2366c171ec3f6a732017ba954f2d9a6191cc3e5fe40dbcc24b1605afbd0063b033c7bdf3a872b8ab06d5e6b0672382e152a6bbce9853de6233d668ac4
SSdeep           1536:OqwwhLqrEAm8BIi3RQcdSpTbXBYyIdH3TPloxxqOMpmYqcYX43:F6EAm0ec6TDBJUD9c6gRcYX
CRC32            C6FF7C78
PE Compile Time  1563954576 (2019-07-24 07:49:36)

YARA rules

        import "pe"

        rule click2govscraper {
           meta:
              description = "click2gov 2019 scraper"
              author = "Jeff Beley"
              date = "2019-10-02"
              hash1 = "42845fdfdff7b4c3c1e2db2bc4a6564b12f72c63864eb61d31c0991667dad1c7"
              hash2 = "145b751fb79a4e1f156fc7274822c316b1e35e858b6a85924bab414054468b3a"
           strings:
              $s1 = /\\temp\\~[0-9]{4}.dat/ fullword ascii
              $s2 = "POST /OnePoint/services/OnePointService" fullword ascii
              $s3 = "MDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6" fullword ascii /* base64 encoded string '0123456789abcdefghijklmnopqrstuvwxyz' */
           condition:
              uint16(0) == 0x5a4d and filesize < 300KB and
              ( pe.imphash() == "3690100b83d39a6e0b0f67ad60c0264e" or all of them )
        }

        import "pe"

        rule click2govstomper {
           meta:
              description = "click2gov 2019 stomper"
              author = "Jeff Beley"
              date = "2019-10-02"
              hash1 = "37a126e8c85d2754d4cf7231f657e4958eb8486b9e79c0d8c8b3fb74fa0542d5"
           strings:
              $s1 = "temp.tmp" fullword ascii
              $s2 = "Content has been changed but changing file time has been failed." fullword ascii
              $s3 = "Can not rename temp file to original file. Trying to delete temp file. You should check the folder manually. " fullword ascii
              $s4 = "Failed to opening temp file." fullword ascii
              $s5 = "Could not open file %s, error %ul" fullword ascii
              $s6 = "GetFileTime failed.!" fullword ascii
              $s7 = "Can not remove file. Deleting logs failed." fullword ascii
              $s8 = "Could not open file to change time, error %ul" fullword ascii
              $s9 = "SetFileTime failed.!" fullword ascii
              $s10 = "Failed to opening $s" fullword ascii
              $s11 = "Cleaned the file %s" fullword ascii
              $s12 = "Can not find file. error = %d" fullword ascii
           condition:
              uint16(0) == 0x5a4d and filesize < 500KB and
              ( pe.imphash() == "3bafeb695a7a2c6801bb5c409fc89571" or 8 of them )
        }

Conclusion

While this campaign is known to have impacted at least eight municipalities, the CIFR and iDefense teams were able to identify at least 1,800 additional municipalities that use Click2Gov. It should be noted that the malware tools are highly targeted to Click2Gov installations, showing a high degree of knowledge and skill by the attackers.

The included YARA rules provide high confidence of the presence of click2govstomper and click2govscraper when they match, but a negative result is not proof positive of an unimpacted system, as attackers often change their tactics, techniques and procedures.

If you suspect a breach of your Click2Gov installation, you can reach the CIFR and iDefense teams at 1-888-RISK-411 or CIFR.hotline@accenture.com.

Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Alireza Salimi

Senior Security Principal – Lead Researcher and Chief Scientist


Jeff Beley

Security Innovation Principal