In June 2016, we published a blog about a phishing campaign targeting the
Apple IDs and passwords of Chinese Apple users that emerged in the
first quarter of 2016 (referred to as the “Zycode” phishing campaign).
At FireEye Labs we have an automated system designed to proactively
detect newly registered malicious domains and this system had observed
some phishing domains that were designed to appear as legitimate Apple
domains. Most of the domains reported by this system were suspended in
June 2016, which resulted in a loss of momentum for the Zycode
phishing campaign. Throughout the second quarter of 2016, the Zycode
phishing campaign was in hibernation.
We recently observed a resurgence of the same phishing campaign when
our systems detected roughly 90 phony Apple-like domains that were
registered from July 2016 to September 2016. Once again, Chinese Apple
users are being targeted for their Apple IDs and passwords using the
same content reported on in our earlier blog. The majority of these
domains are registered in the .com TLD by email accounts from
qq[.]com, and the IPs of these domains point to mainland China, as
seen in Figure 1.
Figure 1: Google map showing the location of the
hosted phishing domains
The attackers have not changed the content of the phishing sites.
being used here in this campaign. We have provided the details of
Apparently the domains and email addresses used in previous version
of the campaign were effectively taken down. Now the attackers have
moved to a new malicious infrastructure; new domains, IPs and email
addresses are being used for this campaign. The new domain names for
the campaign are listed in Table 1, while their IPs and registrant
emails are reported in Table 2 and Table 3, respectively.
Table 1: Apple phishing domains serving the
Zycode phishing kit.
Table 2 shows the list of unique IPs, which are not the same as what
was seen before.
Table 2. IP addresses used by the domains.
The email addresses used to register these domains, showing no
similarity with email addresses in the previous campaign, are shown in
Table 3. List of unique registrant emails.
Table 4 shows the registrant names, which have no similarity with
the previous registrant name information.
Table 4. List of registrant names used by the
Brazil has been designated a major hub for financially motivated
eCrime threat activity. Brazilian threat actors are targeting domestic
and foreign entities and individuals, with frequent targeting of U.S.
assets. The country routinely places in “Top Five” lists of
various global cyber crime rankings, and multiple sources claim that
financially motivated threat activity in the country has increased
within the past few years.
In this blog we provide insight into the tactics, techniques and
procedures (TTPs) of a Brazilian cyber crime group that specializes in
payment card fraud operations. The threat actors, observed by FireEye
Labs, use a variety of different methods to either compromise or
acquire already compromised payment card credentials, including
sharing or purchasing dumps online, hacking vulnerable merchant
websites and compromising payment card processing devices. Once in
their possession, the actors use these compromised payment card
credentials to generate further card information. The main methods
used by the observed group to launder and monetize illicit funds
include online purchases of various goods and services as well as ATM withdrawals.
Based on extensive observation of this group’s activity, we are able
to characterize their operations lifecycle starting with the initial
operational setup; followed by the methods used to compromise
credentials or, conversely, purchase already compromised credentials;
then the process of generating new cards for subsequent abuse, which
includes validation and cloning; and finally the subsequent
monetization strategies. Figure 1 depicts this operation workflow.
Figure 1: Brazilian carding operation workflow
We observed this group taking several preparatory measures to
The members of the group use a variety of tools, including CCleaner,
on a daily basis to effectively remove any evidence of their
operations. This includes browsing history, temporary files,
Clipboard, typed URLs, cookies, recently opened documents, and
conversations via Skype, Windows Messenger, etc. This almost certainly
limits the potential amount of evidence that law enforcement could
obtain and use against the suspects in the case of an arrest or
Another common step taken by threat actors is changing their
system’s MAC Address to avoid being uniquely identified. For this
purpose, these actors often use tools such as Technitium MAC Address Changer.
We have observed these actors using Tor or proxy-based tools similar
to Tor (e.g., UltraSurf, as seen in Figure 2). We have also observed
them using virtual private network services that use IPs based in
numerous countries to ensure anonymity and obfuscate criminal operations.
Figure 2: Ultra Surf 12.10
Additionally, many actors conduct transactions using virtual
currencies, most prominently Bitcoin, to anonymize criminal
transactions. Due to the comparative anonymity and lack of government
oversight often associated with the use of virtual currencies, virtual
currency is of significant value for actors involved in illicit
operations when they are performing transactions among themselves.
Based on our observations, this group uses a variety of different
methods to either compromise or acquire already compromised payment
Payment card “dumps” are commonly shared amongst Brazilian
threat actors via social media forums such as Facebook, Skype, and
web-based WhatsApp messenger. These social media circles are highly
prevalent amongst these regional actors and are often the preferred
method of communication. This group takes advantage of those
communities to obtain stolen data from peers. Similarly, the group
takes advantage of freely available consolidations of email
credentials, personal information, and other data shared in eCrime
forums for fraud purposes.
The group systematically purchases payment card data via different
online shops. These shops include “Toy Store,” “Joker’s
Stash,” and “Cvv2finder.” The venues, called “dump
shops,” allow customers to use a web-based platform to sort
through thousands or millions of individual pieces of card data and
purchase as much or as little as they want. The shops provide
customers with filters to select the individual pieces of card data
they wish to purchase and add to their carts for checkout, similar to
legitimate sites. The same types of shops also allow malicious actors
to steal credentials stolen from other services such as email
providers, online bill payment websites, entertainment services, or
travel booking websites.
These actors scan websites for vulnerabilities to exploit to
illicitly access databases. They most commonly target Brazilian
merchants, though others use the same tactics to exploit entities
outside Brazil. One simple method the group uses is Google Dorks,
advanced Google searches used to identify security loopholes on
Google-indexed websites. An example is shown in Figure 3.
Figure 3: Example of Portuguese-language Google
Dork used in exploitation
The group also uses the SQL injection (SQLi) tools “Havij
Advanced SQL Injection Tool” and “SQLi Dumper version
7.0” (Figure 4) to scan for and exploit vulnerabilities in
targeted eCommerce sites. Of note, these tools can dump whole
databases from targeted victims.
Figure 4: SQLi Dumper v7.0
This group has also shown interest in modifying point-of-sale (POS)
terminals to harvest magnetic stripe and EMV chip data.
FireEye Labs identified “Toy Store” as one of the card
shops frequently used by the group. It appears that this card shop has
operated since November 2015. Despite the fact that the website has
been taken down multiple times (most recently in July 2016), it keeps
operating, sometimes with newly registered domains.
The store offers a large amount of dumps from multiple sellers. The
sold credentials are associated with payment cards of various types,
issued by variety of financial institutions from multiple countries.
At least eight sellers update the website as frequently as daily,
offering newly obtained databases from the U.S.
Examination of dumps uploaded between May 2016 and July 2016
revealed that one vendor uploaded 1,900 credit cards issued by
Brazilian banks. Further examination shows sellers uploading dumps
regularly from the same locations. In Table 1, seller “X”
uploaded the listed data during the first two weeks of August 2016.
Table 1: Data advertised by one “Toy
This seller uploads dumps exclusively from either Texas or Florida.
Some base names they provide even contain the word “POS,”
with a validity rate of 90 percent. This suggests that ATM skimming
devices or malware are probably installed in these locations.
The shop allows users to make bulk purchases for any U.S. state,
ranging from packages of 30 to 500 units with prices ranging from $250
to $1,000 per bulk.
Registration is free and the only payment method accepted is
Bitcoin. A unique Bitcoin payment address is generated per user.
Finally, the website has checker functionality – charging $0.50 per
check – that allows users to quickly check for credit card validity
and ask for a refund if a purchased card is not valid (Figure 5).
Figure 5: Toy Store shop site
Once in possession of compromised payment card credentials, these
actors use tools commonly known as “card generators” to
generate new card numbers based on the compromised ones, creating
additional opportunities for monetization. These tools require as
input a valid 16-digit credit card number, expiration date, and a file
name to store the new cards generated. Examples of such tools commonly
used by Brazilian carders include “WZP” (Figure 6) and
“Gerador CC” (Figure 7).
Figure 6: “WZP” card generator
Figure 7: “Gerador CC” card generator
“Gerador CC” generates credit card numbers based on the
Bank Identifier Number (BIN), with a fixed expiration date and CVV
equal to 000. Typically, 1,000 cards will be generated per round. Then
threat actors use public websites set up to check if the credit card
number is valid. However, the fact that the card number generated is
valid does not necessarily mean the card can be used for real
purchases at any website. This method of generating card data cannot
determine what validation information (e.g., expiration date) or
personal information should be associated with the card numbers. So,
to make purchases with the data, actors have to find websites with
vulnerable authentication systems.
After stealing, buying, or generating card data, the group validates
it through multiple tools and services available in underground communities.
Vulnerable merchant websites – websites that accept payments with
generated or compromised payment cards – are identified and used
regularly by carders. For example, in March 2016, we observed an
advertisement in an underground community for a list that contained
the addresses of 10,000 vulnerable merchant websites. Criminals take
advantage of these sites to not only make purchases, but also to
bulk-check card data for usability.
One bulk card-checking tool this group uses is “Testador
Amazon.com v1.1” (Figure 8). Despite its name, this tool does not
use Amazon’s website, but exploits an unauthenticated Cross-Site
Request Forgery (CSRF) vulnerability of a merchant website allowing
the abuse of PayPal Payflow link functionality (Figure 9).
Figure 8: Testador Amazon v1.1 GUI
Figure 9: PayPal Payflow Link page
A Payflow Link is a PayPal-hosted payment solution that allows
merchant websites to securely connect their customers to PayPal’s
secure server and use it to automate order acceptance, authorization,
processing, and transaction management, making it useful for carders
to check the validity of credit card numbers. Payflow links cannot be
accessed directly, but only from trusted and authenticated merchants.
“Testador Amazon” abuses legitimate merchant sites to submit
unauthenticated valid orders, providing access to a legacy PayPal
Payflow Link. At this point, actors can test the generated credit card
numbers by filling the input field of the form automatically via the
tool. This tool then continues submitting thousands of valid orders,
simultaneously checking for the validity of the next credit card
number in the list.
The actors use a dedicated IRC channel provided by the eCrime
community service “ChkNet” (Figure 10) to validate credit
cards. Based on our observations of interactions in this channel,
between May 2016 and June 2016, malicious actors validated 2,987 cards
from 62 countries, with the most coming from the U.S. (nearly half),
Brazil, and France. The actors in the channel share instructions on
validation and advice on maintaining anonymity during these
operations. The channel is accessible without registration; however,
actors interested in using the IRC bot to verify the validity of
credit cards are charged 0.003 BTC ($1.88 USD).
Figure 10: ChkNet IRC service activation
Another validation method involves using online charity donations.
ChkNet also provides an API and a software tool named “Checker” that
leverages charity websites for this purpose. This type of exploitation
of charities is popular in the Brazilian eCrime community. Figure 11
shows a credit card tested by Checker. The Status “Live” means the
card was successfully used during an online payment transaction.
Figure 11: Checker credit card validation result
We observed this group using multiple tactics to monetize the card
data it steals and generates.
The actors frequently use the stolen data to create cloned physical
cards, which they use to attempt to withdraw funds from ATMs. The
group has performed these activities at multiple locations across
Brazil, possibly using multiple mules. The group primarily uses the
MSR 606 Software (Figure 12) and Hardware (Figure 13) to create cloned cards.
Figure 12: MSR606 software
Figure 13: MSR606 Magnetic Stripe card reader/writer
Additionally, we observed the group exploiting popular eCommerce
sites to perform fraudulent transactions. This monetization tactic
requires the group to constantly refine its tactics to deal with
measures put in place to validate that card and cardholder data is
legitimate and other anti-fraud checks. Carders in the community with
whom this group interacts regularly share recommendations based on
this experience, such as using virtual private networks, limiting the
number of items purchased at a time, and cleaning machines used to
make purchases of any profiling information such as cookies.
Whether this group uses any further means to launder the proceeds
from these activities is unclear. However, Brazilian actors commonly
use several methods to do so, such as reselling cards they have
created, paying bills with stolen cards in return for a portion of the
bill’s value and reselling illicitly obtained goods.
Payment card fraud has been extremely profitable for malicious
actors for years. Given its profitability and actors’ investment in
this type of fraud, we see no indication of actors moving away from
this type of activity for the foreseeable future. As security measures
continue to evolve to counter this area of fraud, we will likely see
actors attempting to devise new schemes to maintain the profits they
are obtaining and continue capitalizing on their investments in this area.
This material was originally posted to the FireEye iSIGHT
Intelligence MySIGHT Portal on Oct. 7, 2016. The FireEye iSIGHT
Intelligence MySIGHT Portal contains additional information based on
our investigations of a variety of topics discussed in this post,
including Joker’s Stash, ChkNet, virtual currencies, and
point-of-sale systems. Click
for more information.
Throughout the past few months, FireEye Labs has observed an
increased use of Windows Management Instrumentation (WMI) queries for
environment detection and evasion of dynamic analysis and
virtualization engines. WMI provides high-level interaction with
Windows objects using C/C++, VBScript, JScript, C#, and more in the
form of WMI Query Language (WQL). Last year, FireEye published a white
paper detailing an in-depth analysis of WMI infrastructure and
potential abuse of WMI services by malware writers.
In this post we will present an analysis of some samples found in
the wild in 2016. For the purposes of this blog post, we will focus on
evasion only, ignoring other malicious aspects of the samples.
Anti-virus can be detected by a WMI query as they are registered in
AntiVirusProduct class under
root\SecurityCenter2 (root\SecurityCenter before Vista)
namespace. We analyzed a sample that checked the operating system from
Win32_OperatingSystem class under
root\cimv2 namespace first and if the OS version was
above 6 (Windows Vista and above), then anti-virus check was
performed. Figure 1 shows the VBScript code of anti-virus check.
Figure 1: Anti-virus product checks in VBScript
code using WMI query
Anti-virus and other user information is sent to the server for
fetching the right payload or performing evasion, as shown in Figure 2.
Figure 2: Anti-virus and other info being sent
to the server and actions against response
One of the samples was found to monitor many security products using
different techniques, but most popular virtualization software (such
as VMware and VirtualBox) were being detected using WMI queries. It
retrieves BIOS information from
Win32_BIOS class under
root\cimv2 namespace. Specific fields/columns can also be
retrieved similar to an SQL query. The following queries were found in
this sample binary (Figure 3).
Figure 3: Virtualization software checks by the
malware using WMI queries
The query yields the following result when executed in PowerShell in
Bochs Emulator, as shown in Figure 4.
Figure 4: Query result in PowerShell in Bochs Emulator
Figure 5 shows the full scale environment detection being performed
by this sample. Other services may be checked by enumerating the
running processes or using Windows Registry.
Figure 5: Security products being monitored by
Another sample used
Win32_ComputerSystem class for virtual machines
detection, as show in Figure 6.
Figure 6: ComputerSystem WMI query found in the sample
The result of the query (Figure 9) has ’Model’ field (Figure 7),
which holds the virtual machine information in case of VMware,
VirtualBox and Virtual Machine.
Figure 7: Model column retrieval
When any of the three strings matched with ‘Model’ field
output, virtualization gets detected by matching the stored value with
the one created in the process, as evident in Figure 8.
Figure 8: VirtualBox, VMware and Virtual Machine checks
When the aforementioned query was executed in PowerShell in VMware
workstation 12.0, it gave the result illustrated in Figure 9.
Figure 9: Query result in PowerShell 2.0
Another sample has used Win32_DiskDrive to detect Virtual Box
(Figure 10), Virtual Hard disk (Figure 11) and VMware (Figure 12).
When any of the virtual machines get detected, the process terminates
itself, evading the behavioral analysis.
Figure 10: VirtualBox detection
Figure 11: Virtual Hard disk detection
Figure 12: VMware detection
We analyzed a sample that not only checked a specific process from
Win32_Process class under namespace
root\cimv2, but also killed it. Immunity debugger, a
well-known debugger, is terminated and its folder is deleted after
changing permissions using Windows Script Host shell, as evident in
the code in Figure 13.
Figure 13: Immunity debugger being terminated
and folder being deleted
Moreover, anti-virus vendor Kingsoft Corporation’s processes are
also forced to stop execution, meaning its anti-virus processes are
being killed. The code is shown in Figure 14. Usually samples use
CreateToolHelp32Snapshot, Process32First and Process32Next APIs for
finding a process, but here it is evident that
one WMI query comes in handy to replace tens of lines of code.
Figure 14: Code designed to kill processes
associated with Kingsoft (an anti-virus product company)
Another sample, an MS Office key generator, checked Windows Office
Software Protection Service through WMI queries (Figure 15). This
service enables software vendors to enforce secure
licensing on the client machines. If this service is not running,
it is started as shown in Figure 16. Once the Office Software
Protection Service object is retrieved, it is then used to install MS
Office product key.
Figure 15: OfficeSoftwareProtectionService check
using WMI query
Figure 16: Code to start/restart OfficeSoftwareProtectionService
During analysis and research, it has been observed that WMI queries,
shown in Figure 17, can be used for environment detection and (with
more details) for evasion as well. There may be more queries that are
not listed here, but we suggest security researchers should at least
monitor these queries for evaluating the samples.
Figure 17: Possible WMI queries for environment detection/evasion
Malware writers are always in search of new ways to evade analysis
frameworks and sandboxes in order to make the payload execution
successful in their targeted environments and platforms. WMI provides
a simple way of environment detection that can be used to evade
sandboxes and dynamic analysis tools, which seems to be underestimated
by reverse engineers and others in the security community. Mitigation
Steps should be taken to monitor WMI queries that could lead to
We would like to thank Matthew Dunwoody for his valuable input.
Moreover, we are also grateful to Muhammad Umer Khan and Imran Khan
for their continuous support in providing relevant sample sets and