New Click2Gov Threat: Sophisticated, Sneaky and Dangerous

Remember the 2017 and 2018 Click2Gov breaches that compromised 300,000 payment cards?  Not surprisingly, hackers are at it again. Accenture teams have discovered a new set of tools remote attackers can use to collect credit card information from Click2Gov installations.

Thanks to some clever investigative work by our people in Security Cyber Investigation and Forensics Response (CIFR) and Cyber Threat Intelligence (iDefense), we were able to reverse-engineer the attackers’ tools and identify them as click2govstomper and click2govscraper. Then, working collaboratively, CIFR and iDefense determined that this unknown threat actor group may be actively targeting as many as 1,800 municipalities running Click2Gov software.

The attacker’s tools seem to have been designed to capture credit card data input by users of the Click2Gov software (click2govscraper) and store the captured data for collection by click2govstomper.

Within the attacker’s customized tooling, CIFR and iDefense noted the MITRE ATT&CK tactics listed below.

The click2govscraper (T1059, T1020, T1145, T1074) attacker tool enables a debugging interface built into the Click2Gov software to capture the data to a temporary file in the system temporary directory and runs as a Windows service to maintain persistence on the impacted device (T1050). Click2govstomper collects the output from click2govscraper and writes it to files in a web-accessible directory as a Base64-encoded blob with a false PNG file extension (T1020, T0174). The file is written with a modified timestamp (T1099) in order to thwart investigations. Upon access to the false PNG (T1048) file, click2govstomper then overwrites the PNG file with new data.

Click2govscraper forcing debugs

The CIFR and iDefense teams were also able to show that click2govscraper can be used by the remote attackers to force a debug condition in the Click2Gov platform.

Malware capabilities

Click2govscraper accepts a command line argument “I,” which invokes sub_1400027D0 for creating a new service, certsvc, with the display name “Certificate Policy Service.”

The figure below shows presence of a service under NT AUTHORITY\SYSTEM created by click2govscraper.

Copyright © 2020 Accenture. All rights reserved.

Copyright © 2020 Accenture. All rights reserved.

click2govscraper also accepts an argument “u” that invokes sub_1400028F0, which then terminates and deletes the certsvc. Below is the pseudo code of sub_1400028F0.

Copyright © 2020 Accenture. All rights reserved.

Upon proper installation, and if the fraudulent service certsvc is already running, the malware calls WSAStartup function by specifying version 2.2, which later initiates use of the Winsock DLL by a certsvc process.

The malware queries GetWindowsDirectoryA to determine Windows directory and checks for the presence of the following file: %WINDIR%\temp\~0930.dat To ensure that only one instance of the malware is running, the malware creates a Mutex under the unique name of B7041BBE-2E0D-4337-A896-3CDA33A8A0F0.

The malware then starts a socket listener by invoking sub_140001C90, inspects TCP traffic of port 8000 (0x1F40), and continues to save the captured packets until the buffer size reaches 102399 (0x18FFF) bytes or the stream contains POST /OnePoint/services/OnePointService. The malware then searches for the following tags inside the saved buffer:

<soapenv:Body>
</soapenv:Body>

Next, the malware checks if the size of the content between the two tags is smaller than 10239 (0x27FF) bytes and invokes sub_140001000 on the captured content. The sub_140001000 performs a standard Base64 encoding, and the malware writes the Base64 encoding into a file identified as %WINDIR%\\temp~0930.dat.

Copyright © 2020 Accenture. All rights reserved

The malware also executes a similar socket listener by invoking sub_140001B30, which listens to local host (127.0.0.1) traffic. This action allows the malware to capture internal communications between different components of a targeted payment system. The pseudo code of sub_140001B30 is shown below.

Copyright © 2020 Accenture. All rights reserved

The malware now calls sub_140001C90 to inspect the TCP traffic on port 443 (0x1BB).

Copyright © 2020 Accenture. All rights reserved

The highlighted Base64-encoded string MDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6 in its decoded form is 0123456789abcdefghijklmnopqrstuvwxyz — a common passphrase for an encrypted private SSL key. It appears that the targeted payment system is either using a very weak passphrase or the malware is manipulating the encrypted traffic. The malware is not using any known privilege escalation methods and according to embedded Manifest information, it just uses the (security) execution level of the caller. Additionally, the malware does not have lateral movement functionality by itself.

Indicators of compromise

CIFR and iDefense’s analysis surfaced the following indicators of compromise associated with a current campaign that may be present within compromised Click2Gov installations:

• Presence, creation or deletion of certsvc Windows Service with the display name Certificate Policy Service. This fraudulent service is executed under NT AUTHORITY\SYSTEM authority.
• Presence, creation, deletion or access to of ~0930.dat file under %WINDIR%\temp\ folder. To note, files starting with ~ could be seen as hidden on *NIX and many forensic toolsets.
• Mutex under unique name of B7041BBE-2E0D-4337-A896-3CDA33A8A0F0.
• Possibility of using weak SSL passphrase “0123456789abcdefghijklmnopqrstuvwxyz” on targeted payment system or evidence of traffic manipulation or redirection.

Metadata

More attacker tooling: Click2govstomper

iDefense and CIFR identified another piece of attacker tooling as click2govstomper, which picks up files from click2govscraper and modifies the filesystem timestamps in an attempt to thwart analysis.

Malware capabilities

As shown below, click2govstomper enumerates the command line arguments and appears to look for more than three arguments. Digging into the code, it also appears that the malware is expecting a date in YYYY MM DD format as the arguments.

Copyright © 2020 Accenture. All rights reserved.

The malware then crawls for files created after this YYYY MM DD date using the exact method described in the following MSDN Post to bypass “.” and directories among the list of files. The pseudo code for this logic:

Copyright © 2020 Accenture. All rights reserved.

The malware invokes sub_401D40 on all the enumerated files. To bypass basic forensic analysis and lower the suspicion of system admins, this function queries the three timestamps (aka MACB times) for each file. The term MACB times refers to the timestamps of the latest modification (mtime) or last written time, access (atime) or change (ctime) of a certain file. The click2govstomper utilizes timestomping[1] in an effort to thwart analysis. Timestomping is the technique of resetting the MACB timestamps to “blend in with the noise.” It is common for attackers to timestomp a file to the installation date of the endpoint, as there are often several thousand files being accessed and written during installation time. However, all these events are enumerated in Windows Event Manager and are potentially monitored through other third-party management and security agents.

Unlike the older click2govstomper of 2018, the new version doesn’t look for any hard-coded patterns inside the malware body. The malware tries to enumerate its findings inside a temporary file named temp.tmp in the same working directory as the original malware. The targeted logfiles are then replaced with temp.tmp file, which will be deleted upon completion of the logfile scraping.

Metadata

¹https://attack.mitre.org/techniques/T1099/

Related samples

iDefense identified a related sample, very similar to click2govscraper, with the following indicators of compromise:

• Presence, creation, or deletion of cryptmgr Windows Service with the display name Cryptographic Manager. This fraudulent service is executed under NT AUTHORITY\SYSTEM authority.
• Presence, creation, deletion, or access to of ~6055.dat file under %WINDIR%\\temp\\ folder. To note, files starting with ~ could be seen as hidden on *NIX and many forensic toolsets.
• Mutex under unique name of 504BD852-A28C-409A-B440-DAC2338CFA61.
• Possibility of using week SSL passphrase 0123456789abcdefghijklmnopqrstuvwxyz on targeted payment system or evidence of traffic manipulation or redirection.

YARA rules

        import "pe"

        rule click2govscraper {
           meta:
              description = "click2gov 2019 scraper"
              author = "Jeff Beley"
              date = "2019-10-02"
              hash1 = "42845fdfdff7b4c3c1e2db2bc4a6564b12f72c63864eb61d31c0991667dad1c7"
              hash2 = "145b751fb79a4e1f156fc7274822c316b1e35e858b6a85924bab414054468b3a"
           strings:
              $s1 = /\\temp\\~[0-9]{4}.dat/ fullword ascii
              $s2 = "POST /OnePoint/services/OnePointService" fullword ascii
              $s3 = "MDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6" fullword ascii /* base64 encoded string '0123456789abcdefghijklmnopqrstuvwxyz' */
           condition:
              uint16(0) == 0x5a4d and filesize < 300KB and
              ( pe.imphash() == "3690100b83d39a6e0b0f67ad60c0264e" or all of them )
        }

        import "pe"

        rule click2govstomper {
           meta:
              description = "click2gov 2019 stomper"
              author = "Jeff Beley"
              date = "2019-10-02"
              hash1 = "37a126e8c85d2754d4cf7231f657e4958eb8486b9e79c0d8c8b3fb74fa0542d5"
           strings:
              $s1 = "temp.tmp" fullword ascii
              $s2 = "Content has been changed but changing file time has been failed." fullword ascii
              $s3 = "Can not rename temp file to original file. Trying to delete temp file. You should check the folder manually. " fullword ascii
              $s4 = "Failed to opening temp file." fullword ascii
              $s5 = "Could not open file %s, error %ul" fullword ascii
              $s6 = "GetFileTime failed.!" fullword ascii
              $s7 = "Can not remove file. Deleting logs failed." fullword ascii
              $s8 = "Could not open file to change time, error %ul" fullword ascii
              $s9 = "SetFileTime failed.!" fullword ascii
              $s10 = "Failed to opening $s" fullword ascii
              $s11 = "Cleaned the file %s" fullword ascii
              $s12 = "Can not find file. error = %d" fullword ascii
           condition:
              uint16(0) == 0x5a4d and filesize < 500KB and
              ( pe.imphash() == "3bafeb695a7a2c6801bb5c409fc89571" or 8 of them )
        }

Conclusion

While this campaign is known to have been impacted at least eight municipalities, the CIFR and iDefense teams were able to identify at least 1,800 additional municipalities that use Click2Gov. It should be noted that the malware tools are highly targeted to Click2Gov installations, showing a high degree of knowledge and skill by the attackers.

The included YARA rules provide a high confidence of the presence of the click2govstomper and click2govscraper, but a negative result is not proof positive of an unimpacted system as attackers often change their tactics, techniques and procedures.

If you suspect a breach of your Click2Gov installation, you can reach the CIFR and iDefense teams at 1-888-RISK-411 or CIFR.hotline@accenture.com.

Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2020 Accenture. All rights reserved.