The sample referenced by TrendMicro isn't BlackPOS. I wasn't going to call them out on it publicly, but then Krebs started grasping at straws and now everyone thinks it's BlackPOS v2.
http://blog.nuix.com/2014/09/08/blackpo ... nt-family/
Also, @creek You're correct about it being RC4(Base64()). The key is derived from three pieces of data: the 'id' parameter, a static string embedded in the binary, and the 'ui' parameter.
Example for 1.56 'LAST': ['id' parameter] vxeyHkS + jhgtsd7fjmytkr + ['ui' parameter] Josh @ PC123456 = 'vxeyHkSjhgtsd7fjmytkrJosh @ PC123456'. This string is MD5'ed ('56E15A1B3CB7116CAB0268AC8A2CD943'), and this is the key used for RC4 in this particular example. I detail it a bit over at http://blog.spiderlabs.com/2014/07/back ... lysis.html. Hope this helps.
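A small decoder for the key-derivation scheme described in the post above, added here as an illustration; it is not the poster's code. It assumes the uppercase hex MD5 digest (as written in the post) is used verbatim as the RC4 key, and that the wire format is RC4 applied over the Base64 text, as the "RC4(Base64())" notation reads; the static segment is the one quoted for the 1.56 'LAST' build.

```python
import base64
import hashlib

# Static string embedded in the 1.56 'LAST' build, as quoted in the post.
STATIC_SEGMENT = "jhgtsd7fjmytkr"


def derive_key(id_param: str, ui_param: str, static: str = STATIC_SEGMENT) -> bytes:
    """Key = MD5(id + static + ui), used as the RC4 key.

    Assumption: the uppercase hex digest (32 ASCII bytes) is the key material,
    matching the form in which the post writes the hash, not the raw 16 bytes.
    """
    material = (id_param + static + ui_param).encode()
    return hashlib.md5(material).hexdigest().upper().encode()


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_payload(plaintext: bytes, id_param: str, ui_param: str) -> bytes:
    """Build the wire blob as RC4(Base64(plaintext)) with the per-host key (assumed order)."""
    return rc4(derive_key(id_param, ui_param), base64.b64encode(plaintext))


def decode_payload(wire: bytes, id_param: str, ui_param: str) -> bytes:
    """Reverse for analysis of captured traffic: RC4 with the derived key, then Base64-decode."""
    return base64.b64decode(rc4(derive_key(id_param, ui_param), wire))


if __name__ == "__main__":
    # Constructed sample: the id/ui values quoted in the post and a made-up beacon body.
    print("derived key:", derive_key("vxeyHkS", "Josh @ PC123456").decode())
    blob = encode_payload(b"op=1&data=constructed", "vxeyHkS", "Josh @ PC123456")
    print(decode_payload(blob, "vxeyHkS", "Josh @ PC123456"))
```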