
Re: Point-of-Sale malwares / RAM scrapers

Posted: Sun Jun 08, 2014 8:25 am
by Xylitol
Bunch of POS malware in the attachment (JackPos/Soraya/rdasrv/mmon)...
For SetupX.exe the password of the installer is 'Rome0', and it drops mmon and rdasrv into /system32/
http://vxvault.siri-urz.net/ViriList.ph ... .91.198.91
Code:
Uname: Linux rome0.com 2.6.32-29-pve #1 SMP Thu Apr 24 10:03:02 CEST 2014 i686
$ last -f /var/log/wtmp
reboot   system boot  2.6.32-29-pve    Fri May 16 14:28 - 05:57 (22+15:29)
reboot   system boot  2.6.32-19-pve    Fri May 16 10:26 - 05:57 (22+19:31)
accounts pts/0        37.48.81.44      Thu Apr 24 18:55 - 13:54  (18:59)
reboot   system boot  2.6.32-19-pve    Sat Mar 15 11:08 - 10:07 (61+22:59)
root     pts/0        37.48.81.52      Sat Mar 15 10:56 - down   (00:11)
reboot   system boot  2.6.32-19-pve    Sat Feb 22 09:00 - 11:07 (21+01:07)
root     pts/0        37.48.81.48      Sat Feb 22 07:28 - down   (01:32)
reboot   system boot  2.6.32-19-pve    Sat Feb 22 07:27 - 09:00  (01:32)

wtmp begins Sat Feb 22 07:27:23 2014
Soraya:
https://www.virustotal.com/en/file/a776 ... 402224931/
https://www.virustotal.com/en/file/04b5 ... 402224932/
https://www.virustotal.com/en/file/c1a2 ... 402224934/
https://www.virustotal.com/en/file/33f0 ... 402225093/
https://www.virustotal.com/en/file/0866 ... 402225092/
JackPos:
https://www.virustotal.com/en/file/6347 ... 402225135/
mmon:
https://www.virustotal.com/en/file/7b31 ... 402225162/
bundled installer:
https://www.virustotal.com/en/file/6050 ... 402225205/

Re: Point-of-Sale malwares / RAM scrapers

Posted: Fri Jun 13, 2014 7:50 am
by nielsgroeneveld
It seems a new kind of POS malware is being used at the moment, which is labelled as "POSCLOUD.Backdoor/Agent" by IntelCrawler:

Small businesses running cloud-based POS software hit with unique 'POSCLOUD' malware
http://www.scmagazine.com/small-busines ... le/355301/

Title: Cloud-Based POS Software – “New Target for Hackers?”
Published Date: June 11, 2014
Reference Number: IC-INT-753
http://intelcrawler.com/intel/webpos.pdf

Has anyone seen samples or other relevant information, such as MD5 hashes, relating to "POSCLOUD"?

Re: Point-of-Sale malwares / RAM scrapers

Posted: Wed Jul 09, 2014 10:10 pm
by dwsfra
uCare, can you upload the unpacked bins of Soraya?
Thanks

Re: Point-of-Sale malwares / RAM scrapers

Posted: Thu Jul 10, 2014 2:51 am
by EP_X0FF
dwsfra wrote: uCare, can you upload the unpacked bins of Soraya?
Thanks
Soyara not Soraya.

Re: Point-of-Sale malwares / RAM scrapers

Posted: Thu Jul 31, 2014 1:23 pm
by rkhunter
Backoff Point-of-Sale Malware

http://www.us-cert.gov/ncas/alerts/TA14-212A

Re: Point-of-Sale malwares / RAM scrapers

Posted: Thu Jul 31, 2014 5:20 pm
by jgrunz
Some further info about some of the technical components:

http://blog.spiderlabs.com/2014/07/back ... lysis.html

Overall, it's nothing too revolutionary, but it's an interesting family nonetheless. The explorer.exe injection/persistence mechanism is pretty interesting for sure.

Re: Point-of-Sale malwares / RAM scrapers

Posted: Thu Jul 31, 2014 8:28 pm
by forty-six
Couple of hashes from the article:

F5B4786C28CCF43E569CB21A6122A97E

17E1173F6FC7E920405F8DBDE8C9ECAC

Re: Point-of-Sale malwares / RAM scrapers

Posted: Wed Aug 20, 2014 7:31 pm
by uCares

Re: Point-of-Sale malwares / RAM scrapers

Posted: Wed Aug 27, 2014 10:56 am
by cr33k
uCares wrote: Unpacked Backoff 1.55 AERO3
I have been analyzing this bin and have gotten it to connect to my test server and successfully execute the 'Uninstall' and 'Terminate' commands, but the 'Download and Run' and 'Update' commands seem to fail even with a ':' delimiter between command and parameter.

Anyways, I also did a test to see if it could grab track1/2 data, and it did; however, I am still working on decrypting the sent data. I know it's something along the lines of: RC4_decrypt(base64_decode("encrypteddata"), "rc4key")

but I still can't figure it out.

Anyone?

I have written this script to test communication:
Code:
<?php
// Minimal stand-in for the Backoff C2 endpoint: log every field the bot POSTs,
// then answer with the command string the bot should execute.

// Read each POST field safely (missing fields become empty strings instead of notices).
function field($name) {
    return isset($_POST[$name]) ? $_POST[$name] : '';
}

$in_op   = field('op');
$in_id   = field('id');
$in_ui   = field('ui');
$in_wv   = field('wv');
$in_gr   = field('gr');
$in_bv   = field('bv');
$in_data = field('data');

$File   = "log.html";
$Handle = fopen($File, 'a+');

// Escape bot-supplied values before writing them into an HTML log, so a hostile
// sample cannot inject script into the browser used to read the log.
$fields = array($in_op, $in_id, $in_ui, $in_wv, $in_gr, $in_bv, $in_data);
$Data   = "<br><b>New Log:</b><br>";
foreach ($fields as $value) {
    $Data .= htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "<br>";
}

fwrite($Handle, $Data);

// Commands tried as the response body (command and parameter separated by ':'):
//      Download and Run:http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe (Not working?why)
//      Uninstall

print "Thanks!";

fclose($Handle);
?>
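The decode pipeline cr33k describes (base64-decode the `data` field, then RC4 with the bot's key), written up as a lab harness for checking candidate keys against exfil captured from a sandboxed sample. This is an added example, not part of the thread or of any code posted in it. The RC4 key `labkey`, the sample track-2 string (built on a standard test PAN) and the blob are all constructed here; the real Backoff key is not given in the thread, so `try_keys` walks a shortlist of candidate keys and reports the first whose output looks like track data.

```python
"""Lab harness: RC4_decrypt(base64_decode(data), key) for a captured POST body.

Added example. LAB_KEY, SAMPLE_PLAINTEXT and SAMPLE_B64 are constructed test
values; the real key used by the sample is not known from the thread.
"""
import base64
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_data_field(b64_blob: str, key: bytes) -> bytes:
    """Exactly the pipeline the post describes: base64-decode, then RC4-decrypt."""
    return rc4(key, base64.b64decode(b64_blob))


# Shapes of magstripe track data, used only to judge whether a decryption worked:
# track 2 is ';' PAN '=' expiry/service code/discretionary data '?',
# track 1 is '%B' PAN '^' name '^' expiry/service code/discretionary data '?'.
TRACK2_RE = re.compile(rb";\d{13,19}=\d{4,}[^?]*\?")
TRACK1_RE = re.compile(rb"%B\d{13,19}\^[^^]{2,26}\^\d{4,}[^?]*\?")


def looks_like_track_data(plaintext: bytes) -> bool:
    """True when the decrypted bytes contain a track-1 or track-2 record."""
    return bool(TRACK1_RE.search(plaintext) or TRACK2_RE.search(plaintext))


def try_keys(b64_blob: str, candidates):
    """Return (key, plaintext) for the first candidate key that yields track data.

    Returns None when no candidate works, which is the expected result while the
    key derivation of the sample is still unknown.
    """
    for key in candidates:
        plaintext = decode_data_field(b64_blob, key)
        if looks_like_track_data(plaintext):
            return key, plaintext
    return None


# Constructed sample: a fake track-2 record on the 4111... test PAN, encrypted
# with a lab key and base64-encoded the way the bot would send it.
LAB_KEY = b"labkey"
SAMPLE_PLAINTEXT = b";4111111111111111=25121011000012345678?"
SAMPLE_B64 = base64.b64encode(rc4(LAB_KEY, SAMPLE_PLAINTEXT)).decode()

if __name__ == "__main__":
    print(try_keys(SAMPLE_B64, [b"wrongkey", LAB_KEY]))
```

To use it on a real capture, paste the value of the bot's `data` field as `b64_blob` and feed the keys you suspect (strings found in the unpacked binary, values derived from the `id`/`ui` fields, and so on) into `try_keys`; a wrong key produces random-looking bytes, so the track-data check is a cheap way to tell a hit from a miss without eyeballing hexdumps.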

BrutPOS

Posted: Wed Aug 27, 2014 4:23 pm
by cr33k
New piece of malware that's been making news lately for attacking POS terminals over the RDP protocol.

Very detailed analysis here:
http://www.fireeye.com/blog/technical/botnet-activities-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html
https://www.virustotal.com/en/file/c984 ... 425435172/