A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23820  by fade
 Mon Sep 08, 2014 11:02 pm
A lot of folks are calling this BlackPoS. The main basis for this is the unique exfiltration techniques.

The t.bat file that is decoded from the Trend posting uses a bitshift & XOR key.
 #23836  by jgrunz
 Tue Sep 09, 2014 4:47 pm
The sample referenced by TrendMicro isn't BlackPOS. I wasn't going to call them out on it publicly, but then Krebs started grasping at straws and now everyone thinks it's BlackPOS v2.

http://blog.nuix.com/2014/09/08/blackpo ... nt-family/

Also, @creek You're correct about it being RC4(Base64()). The key is derived from three pieces of data: 'id' parameter, a static string embedded in the binary, and the 'ui' parameter.

Example for 1.56 'LAST': ['id' parameter] vxeyHkS + jhgtsd7fjmytkr + ['ui' parameter] Josh @ PC123456 = 'vxeyHkSjhgtsd7fjmytkrJosh @ PC123456'. This string is MD5'ed ('56E15A1B3CB7116CAB0268AC8A2CD943'), and this is the key used for RC4 in this particular example. I detail it a bit over at http://blog.spiderlabs.com/2014/07/back ... lysis.html. Hope this helps.
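The key derivation and layering described in the post, written out as a small analysis helper for decoding captured exfiltration blobs. This is an added example, not code from the post, the original analysis or the malware: it takes the 'id' value, static string and 'ui' value quoted above, builds the MD5 key the same way, and reverses the RC4(Base64()) layering. Two things are assumptions rather than facts from the post: that the RC4 key is the 32-character uppercase hex digest (the form the post quotes) rather than the 16 raw digest bytes, which is why `derive_key` takes a `hex_key` switch, and that the layering order is exactly as the notation reads (Base64 applied first, RC4 on the outside), so the decoder runs RC4 first and Base64 second. The sample payload is constructed.

```python
import base64
import hashlib

# Constructed from the worked example in the post: 'id' parameter, the static
# string embedded in the binary, and the 'ui' parameter.
ID_PARAM = "vxeyHkS"
STATIC_STRING = "jhgtsd7fjmytkr"
UI_PARAM = "Josh @ PC123456"


def derive_key(id_param: str, ui_param: str, static: str = STATIC_STRING,
               hex_key: bool = True) -> bytes:
    """Key = MD5(id + static + ui), concatenated in the order the post gives.

    Assumption: the RC4 key is the 32-char uppercase hex digest, the form quoted
    in the post. If a real capture does not decode, try hex_key=False, which
    uses the 16 raw digest bytes instead.
    """
    digest = hashlib.md5((id_param + static + ui_param).encode()).hexdigest().upper()
    return digest.encode() if hex_key else bytes.fromhex(digest)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_exfil(plaintext: bytes, key: bytes) -> bytes:
    """RC4(Base64(plaintext)), the layering as the post's notation reads.

    Only here so the decoder can be checked against constructed data.
    """
    return rc4(key, base64.b64encode(plaintext))


def decode_exfil(blob: bytes, key: bytes) -> bytes:
    """Undo the layering for a captured blob: RC4 first, then Base64.

    validate=True makes a wrong key fail loudly (non-alphabet bytes) instead of
    silently returning garbage.
    """
    return base64.b64decode(rc4(key, blob), validate=True)


if __name__ == "__main__":
    key = derive_key(ID_PARAM, UI_PARAM)
    # Compare this against the digest the post quotes for the same inputs.
    print("derived key:", key.decode())
    sample = b"constructed sample payload, not real track data"
    blob = encode_exfil(sample, key)
    print("decoded ok:", decode_exfil(blob, key) == sample)
```

When using this on a real capture, the 'id' and 'ui' values come from the same request as the blob, so the key can be rebuilt per victim host without any secret beyond the static string pulled from the binary; if `decode_exfil` raises a Base64 error, the key form (hex digest vs raw bytes) is the first thing to flip.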