Point-of-Sale malwares / RAM scrapers

Postby Xylitol » Wed Jul 11, 2012 7:12 pm

Malware that targets Point-of-Sale devices.

Available samples
Dexter, aka Infostealer.Dexter (Symantec):
Samples from VISA (warning: some files are legit):
vSkimmer, aka Infostealer.Vskim (Symantec):
rdasrv, aka Win32/Spy.POSCardStealer.A (ESET):
Win32/Spy.POSCardStealer.B (ESET):
mmon, aka Win32/Spy.POSCardStealer.C (ESET):
Alina, aka Win32/Spy.POSCardStealer.D (ESET):
Win32/Spy.POSCardStealer.E (ESET):
Alina, aka Win32/Spy.POSCardStealer.F (ESET):
Petroleum, aka Win32/Spy.POSCardStealer.G (ESET):
Petroleum, aka Win32/Spy.POSCardStealer.H (ESET):
Alina, aka Win32/Spy.POSCardStealer.I (ESET):
Alina, aka Win32/Spy.POSCardStealer.J (ESET):
Card Recon, aka Win32:CardScan-A [PUP] (Avast):
vSkimmer, aka Win32/Spy.POSCardStealer.K (ESET):
Win32/Spy.POSCardStealer.L (ESET):
Win32/Spy.POSCardStealer.M (ESET):
Ree4 Dump Memory Grabber/BlackPOS aka Win32/Spy.POSCardStealer.N (ESET) and Pocardler.A:
Alina aka Win32/Alinaos.A (Microsoft):
ProjectHook aka Troj.Trackr-F:
Win32/Spy.POSCardStealer.O (ESET):
Alina aka Win32/Alinaos.B (ESET):
ProjectHook mod aka Win32/Spy.POSCardStealer.P (ESET):
ChewBacca aka Troj/Trackr-Z (Sophos):
Win32/Spy.POSCardStealer.R (ESET):
JackPos aka Infostealer.Jackpos (Symantec):
Decebal aka Trojan.VBS.POSStealer.A (F-Secure):
Decebal aka Win32/Spy.POSCardStealer.U (ESET):
Fucked-up detections (POS malware, but no AV recognises it as what it should be):
Soraya/Karbus aka Trojan.Yorasa (Symantec):
LogPOS aka Trojan.LogPOS (Malwarebytes):
Backoff aka Win32:BackoffPOS-A [Trj] (Avast):
BrutPOS aka W32/BrutPOS (Fortinet):
NitlovePOS:
AbaddonPOS:
CenterPOS:
TreasureHunt / TreasureHunter:
How to trigger samples
Fake Track 1 and Track 2 data to trigger a RAM scraper:
%B4111111111111111^KERNEL/MODE.INFO^2201101200567000000000404000000?
;4111111111111111=22011012005674040000?

Resources
Visa Data Security Alerts Bulletins: http://usa.visa.com/merchants/risk_mana ... l#anchor_2
Dexter: http://www.xylibox.com/2013/08/point-of ... exter.html - http://blog.seculert.com/2012/12/dexter ... nt-of.html
Alina: http://blog.spiderlabs.com/2013/05/alin ... art-1.html - http://www.xylibox.com/2013/06/whos-behind-alina.html
mmon: http://www.xylibox.com/2012/03/pos-carding.html
rdasrv: http://nakedsecurity.sophos.com/2011/11 ... titutions/
Win32/Spy.POSCardStealer.B: http://www.xylibox.com/2012/12/point-of ... ppers.html
ProjectHook: http://www.xylibox.com/2013/05/projecth ... apper.html
Petroleum: http://aassfxxx.infos.st/article21/pos- ... m-scrapper - http://www.xylibox.com/2013/02/petroleu ... lware.html
BlackPOS: http://www.xylibox.com/2013/05/dump-mem ... ckpos.html - http://www.group-ib.com/index.php/o-kom ... cle&id=716
VSkimmer: http://www.xylibox.com/2013/01/vskimmer.html - http://blogs.mcafee.com/mcafee-labs/vsk ... -terminals
CardScan-A: http://www.xylibox.com/2013/02/youre-va ... arder.html
Inside a malware campaign: Alina + Dexter + Citadel: http://www.xylibox.com/2013/10/inside-m ... exter.html
Win32/Spy.POSCardStealer.O: http://www.xylibox.com/2013/12/win32spy ... n-pos.html

Attached: Troj/Trackr-Gen (http://nakedsecurity.sophos.com/2011/11 ... titutions/):
18/42 - 28/42 - 25/42 - 19/40 - 33/42
You do not have the required permissions to view the files attached to this post.
Last edited by Xylitol on Wed Jul 11, 2012 8:13 pm, edited 2 times in total.
Xylitol
Global Moderator
 
Posts: 1618
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 479
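The fake Track 1 / Track 2 strings given above under "How to trigger samples" work because a RAM scraper does little more than pattern-match the ISO/IEC 7813 track layout across process memory and then, in most families, run a Luhn check on the PAN to discard random digit runs. The following Python script is an added example (not code from the post or from any of the samples) that does exactly that over a constructed memory buffer containing the post's own bait tracks plus one with a corrupted check digit. The regular expressions are my own reading of the track layout; the 4111111111111111 PAN is Visa's usual test number, so it passes Luhn. It is handy for checking that bait data in a sandbox will actually trigger a sample, and as a starting point for a detection test.

```python
import re
from typing import Dict, List

# Track 1 (format code B) and Track 2 layouts per ISO/IEC 7813. These patterns
# are this example's own; they are not taken from any sample on the page.
#   %B<PAN>^<name>^<YYMM><service code><discretionary>?
#   ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_ok(pan: bytes) -> bool:
    """Return True if the PAN passes the Luhn check (ISO/IEC 7812)."""
    digits = [int(c) for c in pan.decode("ascii")]
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def scan_buffer(buf: bytes) -> List[Dict[str, object]]:
    """Find track data in a memory buffer the way a RAM scraper would.

    Returns one dict per hit (track 1 hits first, then track 2, each in
    buffer order) with the parsed fields and a Luhn verdict on the PAN.
    """
    hits: List[Dict[str, object]] = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            fields = {k: v.decode("ascii", "replace") for k, v in m.groupdict().items()}
            hits.append({
                "track": track,
                "offset": m.start(),
                "luhn_ok": luhn_ok(m.group("pan")),
                **fields,           # pan, name (track 1 only), exp (YYMM), svc, disc
            })
    return hits


# Constructed sample buffer: the bait tracks from the post surrounded by filler,
# as they might sit in a POS process's memory, plus a track with a bad check digit
# that a Luhn-checking scraper would skip.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"%B4111111111111111^KERNEL/MODE.INFO^2201101200567000000000404000000?"
    + b"\x00" * 8
    + b";4111111111111111=22011012005674040000?"
    + b"\x00" * 8
    + b";4111111111111112=22011012005674040000?"
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(hit)
```

To test a real sample's bait, dump the target process (the post's later replies use memory dumps of iexplore.exe) and feed the dump to scan_buffer; a scraper that exfiltrates only Luhn-valid PANs will ignore the third track, which is why bait should always use a valid test PAN.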

Re: Troj/Trackr-Gen

Postby Xylitol » Wed Jul 11, 2012 8:04 pm

Various malicious/suspicious files (I got the hashes from here: http://www.firstdata.com/downloads/part ... upport.pdf)

rdasrv.exe.ViR: 20/41 (Troj/Trackr-A)
compenum.exe.ViR: 0/41
compenum2.exe.ViR: 0/42
dnsmgr.exe.ViR: 9/42
dnsmgr2.exe.ViR: 11/41
far.exe.ViR: 0/42
far2.exe.ViR: 0/42
install.bat.ViR: 0/42
lanst.exe.ViR: 8/42
lanst2.exe.ViR: 0/40
RamDDumper.exe.ViR: 0/41
mdirmon.exe.ViR: 2/42
netshares.exe.ViR: 10/42
parser.exe.ViR: 0/42
psexec.exe.ViR: 1/42 (not malicious)
shareenum.exe.ViR: 0/42
WinMgmt.exe.ViR: 17/42 (Mal/Servus-A)
POS_1.zip

POS_2.zip

--
http://www.xylibox.com/2012/03/pos-carding.html
mmon.exe: 0/42
86dd21b8388f23371d680e2632d0855b442f0fa7e93cd009d6e762715ba2d054.zip

Re: Point-of-Sale malwares / RAM scrapers

Postby Xylitol » Mon Dec 03, 2012 9:54 am

More Troj/Trackr-Gen after some searches; this time it installs the stuff itself, so no need to use sc.exe/services.msc
47d03fd75007f91af4efc39573164023 (35/46) - threatexpert
0f04ba8808ba884fa42daa91c399b24b (36/45) - threatexpert
64c9217c52b197256b16ebfb377d8d60 (34/45) - threatexpert
e0bb21ee1e846eab1ebbe901d6ce62a7 (37/46) - threatexpert
And one bin only named rdp instead of rdasrv, low detection! bc955511e9382c0bea565d2c35fc98b5 (2/46)
Also, about guys who redistribute malware: I've no problem with that, but give credit to where you found it instead of ripping whole things.

Re: Point-of-Sale malwares / RAM scrapers

Postby Xylitol » Fri Dec 07, 2012 8:55 am

More samples, found on another infected POS
rdasrv: 31/45
unknown scraper: 03/45 <- probably the most interesting piece
another unknown: 0/45
http://www.xylibox.com/2012/12/point-of ... ppers.html
Have a nice Friday.

Re: Point-of-Sale malwares / RAM scrapers

Postby Xylitol » Wed Dec 12, 2012 7:41 pm

Dexter - Draining blood out of Point of Sales: http://blog.seculert.com/2012/12/dexter ... nt-of.html
Samples attached; I will post some more if I find any.
35/45
35/45
37/45
37/45

Re: Point-of-Sale malwares / RAM scrapers

Postby 360Tencent » Fri Dec 14, 2012 4:06 am

360Tencent
 
Posts: 114
Joined: Thu Dec 15, 2011 12:47 pm
Reputation point: 47

Re: Point-of-Sale malwares / RAM scrapers

Postby bsteo » Fri Dec 14, 2012 8:00 am

http://volatility-labs.blogspot.ro/2012 ... -dump.html

Wrote a little encoder/decoder for the data between bot and panel:

Code:
<?php
// XOR + base64 encoder/decoder for the data exchanged between the bot and the panel.
// Every byte of the input is XORed with each byte of the key in turn. XORing a byte
// with k[0], then k[1], ..., k[n-1] is the same as XORing it once with
// (k[0] ^ k[1] ^ ... ^ k[n-1]), so the multi-byte key collapses to a single-byte XOR.

//$encoded = 'Kw4SCQ==';
//$encoded = 'AwICB1VWVwRMUVVYVUxVUwAHTABWAFZMUVJTUlECWAVVVlVU';
//$encoded = 'NggPBQ4WEkE5MQ==';

$key = 'frtkj';

// XOR every byte of $data with every byte of $key, in key order.
function xor_with_key($data, $key) {
  $key_length = strlen($key);
  $length = strlen($data);
  $result = '';
  for ($i = 0; $i < $length; $i++) {
    $tmp = $data[$i];
    for ($j = 0; $j < $key_length; $j++) {
        $tmp = chr(ord($tmp) ^ ord($key[$j]));
    }
    $result .= $tmp;
  }
  return $result;
}

// Panel side: base64-decode the message, then XOR it with the key.
function xor_decode($text, $key) {
  return xor_with_key(base64_decode($text), $key);
}

// Bot side: XOR the plaintext with the key, then base64-encode it.
function xor_encode($text, $key) {
  return base64_encode(xor_with_key($text, $key));
}

// example
echo xor_decode('NggPBQ4WEkE5MQ', $key) . "\n"; // Windows XP
echo xor_encode('Windows XP', $key) . "\n";     // NggPBQ4WEkE5MQ==
?>


I unpacked the EXE and played a little with it; it seems the XOR decryption key is randomly generated and keeps regenerating itself after some POSTs are sent.
bsteo
 
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm
Reputation point: 12
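The PHP posted above XORs each byte with every key byte in turn, which is the same as XORing with one byte (the XOR of all the key bytes), so the key length buys nothing: the effective key is one of 256 values and can be recovered from a single captured bot message. The script below is an added example, not code from the post or from the bot or panel, that implements the same scheme in Python and then recovers the effective key byte by known-plaintext search, using the message the post's own PHP example decodes ('NggPBQ4WEkE5MQ', key 'frtkj'). That the message starts with an OS name ('Windows') is this example's assumption, taken from that same decoded example; the printable-ASCII fallback is also mine.

```python
import base64
from typing import List, Optional, Tuple


def _pad(b64: str) -> str:
    """Re-add base64 padding the bot may have stripped ('NggPBQ4WEkE5MQ' -> '...MQ==')."""
    return b64 + "=" * (-len(b64) % 4)


def fold_key(key: bytes) -> int:
    """XOR all key bytes together. XORing a byte with k[0], then k[1], ... is the
    same as XORing it once with this value, so the posted scheme is a single-byte
    XOR whatever the key length. 'frtkj' folds to 0x61."""
    k = 0
    for b in key:
        k ^= b
    return k


def xor_decode(b64: str, key: bytes) -> bytes:
    """Panel-side decode of a bot message: base64, then XOR (same scheme as the posted PHP)."""
    k = fold_key(key)
    return bytes(c ^ k for c in base64.b64decode(_pad(b64)))


def xor_encode(data: bytes, key: bytes) -> str:
    """Bot-side encode: XOR, then base64."""
    k = fold_key(key)
    return base64.b64encode(bytes(c ^ k for c in data)).decode("ascii")


def recover_key_byte(b64: str, known_prefix: bytes) -> Optional[int]:
    """Known-plaintext attack: the effective key is one byte, so try all 256 and
    keep the one under which the message starts with known_prefix."""
    raw = base64.b64decode(_pad(b64))
    for k in range(256):
        if bytes(c ^ k for c in raw[:len(known_prefix)]) == known_prefix:
            return k
    return None


def candidates_without_known_plaintext(b64: str) -> List[Tuple[int, bytes]]:
    """Fallback when no field is known: keep the key bytes that give fully printable
    ASCII. A short message leaves several candidates; longer ones narrow to one."""
    raw = base64.b64decode(_pad(b64))
    out = []
    for k in range(256):
        pt = bytes(c ^ k for c in raw)
        if all(0x20 <= c < 0x7F for c in pt):
            out.append((k, pt))
    return out


# Captured bot message from the post's own example, and the key the post uses.
CAPTURED = "NggPBQ4WEkE5MQ"
POSTED_KEY = b"frtkj"

if __name__ == "__main__":
    print("fold(%r) = 0x%02x" % (POSTED_KEY, fold_key(POSTED_KEY)))
    print("decoded with posted key:", xor_decode(CAPTURED, POSTED_KEY))
    k = recover_key_byte(CAPTURED, b"Windows")
    print("recovered key byte: 0x%02x ->" % k, xor_decode(CAPTURED, bytes([k])))
    for k, pt in candidates_without_known_plaintext(CAPTURED):
        print("printable under 0x%02x: %r" % (k, pt))
```

Because the key folds to one byte, the "randomly generated" key the post mentions only matters if you need the exact string the bot holds in memory (for example to find it next to the mutex name in a dump); for decoding captured traffic, the single recovered byte is enough.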

Re: Point-of-Sale malwares / RAM scrapers

Postby mikeinhouston » Fri Dec 14, 2012 10:50 pm

exitthematrix,

Is the encryption key stored 16 bytes before the Run key's name in the iexplore.exe memory (dump)?
mikeinhouston
 
Posts: 5
Joined: Wed May 30, 2012 3:42 pm
Reputation point: 0

Re: Point-of-Sale malwares / RAM scrapers

Postby bsteo » Sat Dec 15, 2012 6:47 am

mikeinhouston wrote:exitthematrix,

Is the encryption key stored 16 bytes before the Run key's name in the iexplore.exe memory (dump)?


Depends on the sample; I just looked at the "cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785" dump and the KEY is located 8 bytes before the MUTEX name.

BTW, has anybody got the PHP panel?

Anyway, I wrote a shitty but half-functional "gateway.php" to fully find out how the bot is functioning (everything works besides the commands; I didn't test them). PM me if you need the script.

Re: Point-of-Sale malwares / RAM scrapers

Postby Xylitol » Sat Dec 15, 2012 8:12 am

If someone knows a live C&C for Dexter, I can try to hack it.
