MSRT April: Unskal, Saluchtra, Dexter and IeEnablerCby

This month we added four new malware families to the Malicious Software Removal Tool:  Win32/Saluchtra, Win32/Dexter, Win32/Unskal and Win32/IeEnablerCby, further protecting customers against malicious activity.

IeEnablerCby is an unwanted software family that can install browser add-ons or extensions without asking for your permission. The other three malware families also have similar information stealing capabilities, if a system is compromised. This blog will focus on Unskal, a point-of-sale (POS) malware. 

POS malware target retail companies in an attempt to steal customer payment details, such as credit card information. The stolen data can then be sold in underground markets. These threats can be deployed to a system by brute-forcing log in credentials on machines with weak passwords. They can also be installed by other malware, or by exploiting software vulnerabilities. 

Unskal is also known as Backoff, and was initially detailed in a US-CERT alert. Due to its targeted infection, we observed very low numbers in our telemetry for the past month. However, each infection can potentially have a high impact due to the exposure of sensitive information. Infections with this family are more common in the United States as shown in Figure 1.

Top countries for Unskal infections

Figure 1: The top 10 countries affected by Unskal
Once the malware is in the system, it can drop a copy of itself with any of the following names:

  • %APPDATA%media player classicmplayerc.exe
  • %APPDATA%oraclejavajavaw.exe
  • %APPDATA%adobeflashplayermswinhost.exe    
  • %APPDATA%adobeflashplayermswinsvc.exe
  • %APPDATA%navigatorwinmgmt.exe
  • %APPDATA%winservs.exe
  • <system folder><random characters>.exe, such as <system folder>ntwlsjrv.exe
  • %USERPROFILE%<random characters>.exe, such as %USERPROFILE%ntwlsjrv.exe

Persistence check

Unskal variants check for previously installed versions of the malware by searching for the following mutexes:

  • aMD6qt7lWb1N3TNBSe4N    
  • Undsa8301nskal

If a previous installation of the malware isn’t found Unskal creates an encrypted copy of itself as %AppData%settings.ini with read-only, hidden, and system file attributes, and then injects its code to explorer.exe. The following mutexes are created when the code is injected:

  • nuyhnJmkuTgD
  • uyhnJmkuTgD

The injected code monitors the main process. If the main process is terminated, it will decrypt its copy from settings.ini, create the file %APPDATA%winservs.exe, and then execute it.

Stealing user data

Unskal can gather information such as credit card details, computer names, and user names by using the keylogging and memory scraping techniques detailed below.

Memory scraping

POS malware are known to enumerate running processes – also known as memory scraping – to search for credit card information stored in a machine. Unskal variants use the same technique, but before doing so, will avoid the following processes running in memory by enumerating their matching hash:

  • 0BF1 – explorer    
  • 7C7E – chrome    
  • 3773 – firefox    
  • 0768 – iexplore    
  • 310A – svchost    
  • 0CC6 – smss    
  • 352E – csrss    
  • 3102 – wininit    
  • 0388 – devenv    
  • 0CED – winlogon    
  • 0364 – services    
  • 3F26 – lssas    
  • 3616 – spoolsv    
  • 3434 – alg    
  • 0884 – mscorsvw    
  • 0B9A – mysqld    
  • 72FD – wmiprvse    
  • 3D7D – LogonUI    
  • 07F1 – taskhost    
  • 3F85 – wuauclt    

It then finds patterns in running processes that are found in the magnetic stripe of credit cards, specifically Track 1 and Track 2, by checking certain separator/delimiter and characters found in the tracks.

Track 1 structure:

    | STX | FC |  PAN  |   Name   | FS |  Additional Data | ETX | LRC |
STX : Start sentinel "%"
FC : Format code "B" (The format described here. Format "A" is reserved for proprietary use.)
PAN : Primary Account Number, up to 19 digits
FS : Separator "^"
NM : Name, 2 to 26 characters (including separators, where appropriate, between surname, first name etc.)
FS : Separator "^"
ED : Expiration data, 4 digits or "^"
SC : Service code, 3 digits or "^"
DD : Discretionary data, balance of characters
ETX : End sentinel "?"
LRC : Longitudinal redundancy check, calculated according to ISO/IEC 7811-2
The maximum record length is 79 alphanumeric characters.
%B6011898748579348^DOE/ JOHN              ^37829821000123456789?
%B6011785948493759^DOE/JOHN L                ^^^0000000      00998000000?

Track 2 structure:

       | STX |  PAN  | FS |  Additional Data  | ETX | LRC |
STX : Start sentinel ";"
PAN : Primary Account Number, up to 19 digits, as defined in ISO/IEC 7812-1
FS : Separator "="
ED : Expiration date, YYMM or "=" if not present
SC : Service code, 3 digits or "=" if not present
DD : Discretionary data, balance of available digits
ETX : End sentinel "?"
LRC : Longitudinal redundancy check, calculated according to ISO/IEC 7811-2

The maximum record length is 40 numeric digits, for example 5095700000000.

The malware initially looks for the symbol "^" or "=", as seen in Figure 2. If it finds and equal sign (for Track 1), it proceeds to find the possible Primary Account Number (PAN). If it finds a caret (for Track 2), it first checks for a possible name. 

It checks for capital letters, spaces, and slashes, until a terminating caret is found as seen in Figure 3. It then proceeds to check for a possible PAN.
  Separator search
Figure 2:  Looking for separators "^" or "="    
  Checking for name
Figure 3: Checking for a possible name

Primary account numbers

The first digit of a 16-digit number format is either the number "4" or the number "5"  that is meant for banking and financial PAN as categorized by the Major Industry Identifier (MII).  The second digit of a 16-digit number format is the number "3" that is meant to target PANs for credit cards.
  PAN filter check
Figure 4: Checking PAN filter

To further validate if the PAN is a valid credit card number, it uses different methods of Luhn's algorithm to verify if this is indeed the case with code similar to the one below:
  Algorithm check
Figure 5:  Luhn's algorithm check

Sending stolen data

Once it has verified that the data taken is valid, the malware sends it to a remote malicious user via port 443. We have seen it use the following command and control (C&C) servers:


The format of the base-64 encoded information can be similar to the following URLs:

  • &oprat=1&uid=<unique id>&uinfo=<system information>&win=<OS version>&grup=<malware version
    name>&vers=<malware version>&data=<encrypted stolen PANs>
  • &oprat=2&uid=<unique id>&uinfo=<system information>&win=<OS version>&vers=<malware version>&data=<encrypted stolen PANs>

To help prevent malware intrusions from threats such as Unskal, Dexter and Saluchtra, we recommend users and network administrators have strong firewall policies in place. They should also enforce complex passwords and regular password changes. To help prevent the installation of unwanted software such as IeEnablerCby, you should exercise caution when clicking on links to webpages.

We also recommend updating your software regularly and running up-to-date security software, such as Microsoft Security Essentials or another trusted security software product.
Marianne Mallen and James Dee

Microsoft Malware Protection Center
Secure Hunter Anti -Malware

You may also like...

Popular Posts