Point-of-Sale malwares / RAM scrapers

Forum for analysis and discussion about malware.
Xylitol
Global Moderator
Posts: 1683
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Sun Jun 08, 2014 8:25 am

Bunch of POS malwares in the attachment (JackPos/Soraya/rdasrv/mmon)...
For SetupX.exe, the password of the installer is 'Rome0' and it drops mmon and rdasrv into /system32/
http://vxvault.siri-urz.net/ViriList.ph ... .91.198.91

Code: Select all

Uname: Linux rome0.com 2.6.32-29-pve #1 SMP Thu Apr 24 10:03:02 CEST 2014 i686
$ last -f /var/log/wtmp
reboot   system boot  2.6.32-29-pve    Fri May 16 14:28 - 05:57 (22+15:29)
reboot   system boot  2.6.32-19-pve    Fri May 16 10:26 - 05:57 (22+19:31)
accounts pts/0        37.48.81.44      Thu Apr 24 18:55 - 13:54  (18:59)
reboot   system boot  2.6.32-19-pve    Sat Mar 15 11:08 - 10:07 (61+22:59)
root     pts/0        37.48.81.52      Sat Mar 15 10:56 - down   (00:11)
reboot   system boot  2.6.32-19-pve    Sat Feb 22 09:00 - 11:07 (21+01:07)
root     pts/0        37.48.81.48      Sat Feb 22 07:28 - down   (01:32)
reboot   system boot  2.6.32-19-pve    Sat Feb 22 07:27 - 09:00  (01:32)

wtmp begins Sat Feb 22 07:27:23 2014
Soraya:
https://www.virustotal.com/en/file/a776 ... 402224931/
https://www.virustotal.com/en/file/04b5 ... 402224932/
https://www.virustotal.com/en/file/c1a2 ... 402224934/
https://www.virustotal.com/en/file/33f0 ... 402225093/
https://www.virustotal.com/en/file/0866 ... 402225092/
JackPos:
https://www.virustotal.com/en/file/6347 ... 402225135/
mmon:
https://www.virustotal.com/en/file/7b31 ... 402225162/
bundled installer:
https://www.virustotal.com/en/file/6050 ... 402225205/
nielsgroeneveld
Posts: 4
Joined: Wed Mar 12, 2014 8:04 am

Fri Jun 13, 2014 7:50 am

It seems a new kind of POS malware is being used at the moment, which is labelled as "POSCLOUD.Backdoor/Agent" by IntelCrawler -

Small businesses running cloud-based POS software hit with unique 'POSCLOUD' malware
http://www.scmagazine.com/small-busines ... le/355301/

Title: Cloud-Based POS Software – “New Target for Hackers?”
Published Date: June 11, 2014
Reference Number: IC-INT-753
http://intelcrawler.com/intel/webpos.pdf

Has anyone seen samples or other relevant information such as MD5 hashes relating to "POSCLOUD"?
dwsfra
Posts: 2
Joined: Sun Aug 25, 2013 7:34 pm

Wed Jul 09, 2014 10:10 pm

uCare, can you upload the unpacked bins of Soraya?
Thanks
EP_X0FF
Global Moderator
Posts: 4887
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Thu Jul 10, 2014 2:51 am

dwsfra wrote: uCare, can you upload the unpacked bins of Soraya?
Thanks
Soyara not Soraya.
Ring0 - the source of inspiration
rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Thu Jul 31, 2014 1:23 pm

Backoff Point-of-Sale Malware

http://www.us-cert.gov/ncas/alerts/TA14-212A
jgrunz
Posts: 4
Joined: Tue May 29, 2012 9:28 pm

Thu Jul 31, 2014 5:20 pm

Some further info about some of the technical components:

http://blog.spiderlabs.com/2014/07/back ... lysis.html

Overall, it's nothing too revolutionary, but it's an interesting family nonetheless. The explorer.exe injection/persistence mechanism is pretty interesting for sure.
forty-six
Posts: 66
Joined: Tue Sep 03, 2013 3:23 pm

Thu Jul 31, 2014 8:28 pm

Couple of hashes from the article :

F5B4786C28CCF43E569CB21A6122A97E

17E1173F6FC7E920405F8DBDE8C9ECAC
uCares
Posts: 13
Joined: Sat Aug 20, 2011 12:13 am

Wed Aug 20, 2014 7:31 pm

cr33k
Posts: 3
Joined: Tue Aug 30, 2011 6:02 pm

Wed Aug 27, 2014 10:56 am

uCares wrote: Unpacked Backoff 1.55 AERO3
I have been analyzing this bin and have gotten it to connect to my test server and successfully execute 'Uninstall' and 'Terminate' commands but 'Download and Run' and 'Update' commands seem to fail even with ':' delimiter between command and parameter.

Anyways, I also did a test to see if it could grab track1/2 data and it did, however I am still working on decrypting the sent data. I know it's something along the lines of: RC4_decrypt(base64_decode("encrypteddata"), "rc4key")

but I still can't figure it out.

Anyone?

I have written this script to test communication:

Code: Select all

<?php
// Minimal test endpoint for the bot's check-in traffic: logs every POSTed
// field to log.html and answers with a plain response.
$fields = array('op', 'id', 'ui', 'wv', 'gr', 'bv', 'data');
$in = array();
foreach ($fields as $f) {
	// Missing fields become empty strings instead of raising PHP notices
	$in[$f] = isset($_POST[$f]) ? $_POST[$f] : '';
}

$File = "log.html";
$Handle = fopen($File, 'a+');
if ($Handle === false) {
	http_response_code(500);
	exit("cannot open log");
}

// Escape each field so raw bot data cannot inject markup into the log page
$Data = "<br><b>New Log:</b><br>";
foreach ($fields as $f) {
	$Data .= htmlspecialchars($in[$f], ENT_QUOTES, 'UTF-8') . "<br>";
}

fwrite($Handle, $Data);
fclose($Handle);

// Responses tried in place of "Thanks!":
//      Download and Run:http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe (Not working?why)
//      Uninstall

print "Thanks!";
?>
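Decoding what the test server above logs is the analyst's side of this exchange. The script below is an added example, not cr33k's code and not from the Backoff sample: it applies the order the post describes (base64-decode first, then RC4-decrypt) to the 'data' field of a captured POST body. The RC4 key, the field values and the meaning of bv/gr are constructed for the demonstration and must be recovered from the real binary.

```python
import base64
from urllib.parse import parse_qs, urlencode

# Constructed key for this demonstration only; the key a real sample uses has
# to be recovered from the binary and is not given in the thread.
RC4_KEY = b"example-key"

# The POST fields the test server logs, in the same order
CHECKIN_FIELDS = ("op", "id", "ui", "wv", "gr", "bv", "data")


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Output is data XOR keystream, so encrypt == decrypt."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream generation, one byte per input byte
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_data(plaintext: bytes, key: bytes = RC4_KEY) -> str:
    """base64(RC4(plaintext)): the bot's direction, used here only to build a sample."""
    return base64.b64encode(rc4_crypt(key, plaintext)).decode("ascii")


def decode_data(field: str, key: bytes = RC4_KEY) -> bytes:
    """The analyst's direction: base64-decode first, then RC4-decrypt."""
    return rc4_crypt(key, base64.b64decode(field))


def parse_checkin(body: str) -> dict:
    """Split a captured application/x-www-form-urlencoded body into the logged fields."""
    qs = parse_qs(body, keep_blank_values=True)
    return {f: qs.get(f, [""])[0] for f in CHECKIN_FIELDS}


def build_sample_body() -> str:
    """Constructed check-in. All values are made up; bv/gr are only guessed from
    the '1.55 AERO3' label and the thread does not define the fields."""
    return urlencode({
        "op": "2",
        "id": "TESTID01",
        "ui": "user @ host",
        "wv": "6.1",
        "gr": "AERO3",
        "bv": "1.55",
        "data": encode_data(b"CONSTRUCTED TRACK DATA (not a real card)"),
    })


def decode_capture(body: str, key: bytes = RC4_KEY) -> tuple:
    """Full pipeline over one captured body: (parsed fields, decrypted data)."""
    fields = parse_checkin(body)
    return fields, decode_data(fields["data"], key)


if __name__ == "__main__":
    fields, plain = decode_capture(build_sample_body())
    print(fields)
    print(plain)
```

If decode_data returns unprintable bytes for a real capture, either the key is wrong or the sample applies the two steps in a different order; a check-in that carries no track data, where the plaintext is short and predictable, is the easiest capture to test candidate keys against.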
cr33k
Posts: 3
Joined: Tue Aug 30, 2011 6:02 pm

Wed Aug 27, 2014 4:23 pm

New piece of malware that's been making news lately for attacking POS terminals over the RDP protocol.

Very detailed analysis here:

Code: Select all

http://www.fireeye.com/blog/technical/botnet-activities-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html
https://www.virustotal.com/en/file/c984 ... 425435172/
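On the defensive side, RDP brute forcing of the kind BrutPOS is described as doing leaves a burst of failed RemoteInteractive logons from one source in the Windows Security log. The script below is an added example, not from the thread or the FireEye write-up: it runs a sliding-window count of failed RDP logons (Event ID 4625, logon type 10) per source address over a constructed, simplified log and flags sources whose burst is followed by a successful logon (4624). The record layout and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, simplified to
# "timestamp,event_id,logon_type,user,source_ip".
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2014-07-20T02:00:01,4625,10,administrator,203.0.113.7
2014-07-20T02:00:03,4625,10,admin,203.0.113.7
2014-07-20T02:00:05,4625,10,pos,203.0.113.7
2014-07-20T02:00:07,4625,10,POS1,203.0.113.7
2014-07-20T02:00:09,4625,10,user,203.0.113.7
2014-07-20T02:00:11,4625,10,manager,203.0.113.7
2014-07-20T02:00:14,4624,10,manager,203.0.113.7
2014-07-20T09:15:00,4625,10,cashier,198.51.100.9
2014-07-20T09:15:20,4624,10,cashier,198.51.100.9
2014-07-20T09:30:00,4625,2,cashier,127.0.0.1
"""


def parse_records(text: str) -> list:
    """Parse the simplified CSV lines into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, source_ip = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "source_ip": source_ip,
        })
    return records


def find_rdp_bruteforce(records: list, threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {source_ip: {...}} for sources with >= threshold failed RDP logons
    inside any window, noting whether a successful RDP logon followed the burst."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for r in records:
        if r["logon_type"] != 10:
            continue  # console and other logon types are out of scope here
        if r["event_id"] == 4625:
            failures[r["source_ip"]].append(r["ts"])
        elif r["event_id"] == 4624:
            successes[r["source_ip"]].append(r["ts"])

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = {
                "failures_in_window": best,
                # a success after the first failure suggests the guessing worked
                "success_after": any(s >= times[0] for s in successes[ip]),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(parse_records(SAMPLE_LOG)).items():
        print(ip, info)
```

The "success_after" flag is what turns a noisy brute-force alert into an incident: a single mistyped cashier password (198.51.100.9) never reaches the threshold, while the burst from 203.0.113.7 ending in a 4624 warrants isolating the terminal and checking it for a dropped RAM scraper.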