Threat behavior
Win32/Ligsetrac is a family of trojans that targets ATM (Automatic Teller Machine) systems in order to steal sensitive information. This malware consists of several components and has been reported in the wild affecting ATMs in Eastern Europe.
Installation - component 1
Note: This malware can only be installed by an attacker with physical access to the targeted ATM and the appropriate privileges or tokens.
The initial malware component is installed via a dropper component. When executed, the dropper component drops the file %windir%\lsass.exe and creates the service 'Lsass.exe'. It injects code into the following services:
Payload
Steals sensitive data
The trojan then attempts to intercept information using internal system APIs and writes the captured data to the following files:
Installation - component 2
A second component observed in the wild performed a different set of actions. This second component may be an update installed at a later stage. It copies/renames the following files:
- %windir%\trl2 to %windir%\redstone.bmp
- %windir%\kl to %windir%\bluestone.bmp
Note: On NTFS file systems the files are stored in an alternate data stream.
It also looks for and terminates the process "lsass.exe", and deletes the file %windir%\lsass.exe.
This second update component looks for a particular service and its associated file (pwrstr.dll), which it backs up under a '.bak' extension before replacing the DLL with its own copy.
The new DLL injects code into the following processes:
Payload
Steals sensitive data
The DLL then attempts to intercept information that would normally be handled by pwrstr.dll and writes relevant data to the following files:
- redstone.bmp
- bluestone.bmp
Backdoor functionality
The trojan calls a system message API and checks for certain values. If found, the trojan displays the following:
Enter command:
Agent
and waits for input commands. The trojan may be instructed to attempt to perform the following actions:
- Display version information, including trojan version and host version information
- Display stats on stolen information
- Replace ATM software log files
- Upload an executable via memory card
- Display information on the screen
- Print out information using the receipt printer
- Save information to memory card
- Dispense "Cassette"
- Uninstall itself
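The file, service and stream artifacts listed for both components can be checked on an ATM host. The following is an added example written for this page, not Microsoft's own detection logic or signature. It runs over a constructed host snapshot (a dict of file paths, service names and alternate data streams) so it can be executed offline; on a live system the snapshot would be filled from the file system, the service control manager and an ADS enumeration. It assumes %windir% is C:\Windows, that the '.bak' copy of pwrstr.dll is named pwrstr.dll.bak, and it uses a hypothetical C:\Program Files\ATM directory for the replaced DLL. The legitimate lsass.exe lives in %windir%\System32, so a copy directly under %windir% is the anomaly the first check looks for.

```python
"""Indicator check for the Win32/Ligsetrac artifacts described above.

Added example, not Microsoft's code. Runs over a constructed snapshot so it
works offline; replace the snapshot with live data on a real host.
"""
from __future__ import annotations

import ntpath  # Windows path semantics, even when run on another OS

WINDIR = r"C:\Windows"  # assumption: %windir% resolves here

# Artifacts taken from the description, relative to %windir%.
COMPONENT1_FILES = ["lsass.exe"]                      # dropped by component 1
COMPONENT2_FILES = ["trl2", "kl", "redstone.bmp", "bluestone.bmp"]
ADS_HOSTS = ["redstone.bmp", "bluestone.bmp"]         # data stored in an ADS on NTFS
ROGUE_SERVICE = "lsass.exe"                           # service 'Lsass.exe', matched case-insensitively
REPLACED_DLL = "pwrstr.dll"                           # original saved with a '.bak' extension


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normcase(ntpath.normpath(path))


def check_snapshot(snapshot: dict) -> list[str]:
    """Return a list of human-readable findings; an empty list means no indicator matched."""
    findings: list[str] = []
    files = {_norm(p) for p in snapshot.get("files", [])}

    # 1. Dropped / renamed files directly under %windir%.
    for name in COMPONENT1_FILES + COMPONENT2_FILES:
        path = _norm(ntpath.join(WINDIR, name))
        if path in files:
            findings.append(f"suspicious file: {path}")

    # 2. Backup of the replaced DLL. The page does not state the DLL's
    #    directory, so match on the file name alone (assumed name pwrstr.dll.bak).
    for path in sorted(files):
        if ntpath.basename(path) == REPLACED_DLL + ".bak":
            findings.append(f"backup of replaced DLL: {path}")

    # 3. Rogue service registered under the name of the real LSA process.
    for svc in snapshot.get("services", []):
        if svc.lower() == ROGUE_SERVICE:
            findings.append(f"rogue service registered: {svc}")

    # 4. Alternate data streams on the renamed .bmp files.
    for path, streams in snapshot.get("streams", {}).items():
        if ntpath.basename(_norm(path)) in ADS_HOSTS and streams:
            findings.append(f"alternate data stream on {_norm(path)}: {', '.join(streams)}")

    return findings


# Constructed snapshots for demonstration. The ATM directory and the stream
# name "hidden" are made up; the other paths come from the description.
INFECTED = {
    "files": [
        r"C:\Windows\System32\lsass.exe",        # legitimate
        r"C:\Windows\lsass.exe",                 # component 1 drop
        r"C:\Windows\redstone.bmp",              # component 2
        r"C:\Windows\bluestone.bmp",             # component 2
        r"C:\Program Files\ATM\pwrstr.dll",      # hypothetical location
        r"C:\Program Files\ATM\pwrstr.dll.bak",  # backup of the original DLL
    ],
    "services": ["Lsass.exe", "wuauserv"],
    "streams": {r"C:\Windows\redstone.bmp": ["hidden"]},
}

CLEAN = {
    "files": [r"C:\Windows\System32\lsass.exe", r"C:\Program Files\ATM\pwrstr.dll"],
    "services": ["wuauserv"],
    "streams": {},
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(f"{label}: {len(check_snapshot(snap))} finding(s)")
        for line in check_snapshot(snap):
            print("  -", line)
```

On the constructed infected snapshot the check reports six findings (three files under %windir%, the DLL backup, the rogue service and the stream) and none on the clean one. Because the service name collides with the real lsass process, the service check is deliberately scoped to the service control manager rather than the process list, where "lsass.exe" is expected.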
Analysis by Ray Roberts
Prevention