A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #14594  by Xylitol
 Wed Jul 11, 2012 7:12 pm
Malware that targets Point-of-Sale devices.

Available samples:
Dexter, aka Infostealer.Dexter (Symantec)
Samples from VISA (warning: some files are legit)
vSkimmer, aka Infostealer.Vskim (Symantec)
rdasrv, aka Win32/Spy.POSCardStealer.A (ESET)
Win32/Spy.POSCardStealer.B (ESET)
mmon, aka Win32/Spy.POSCardStealer.C (ESET)
Alina, aka Win32/Spy.POSCardStealer.D (ESET)
Win32/Spy.POSCardStealer.E (ESET)
Alina, aka Win32/Spy.POSCardStealer.F (ESET)
Petroleum, aka Win32/Spy.POSCardStealer.G (ESET)
Petroleum, aka Win32/Spy.POSCardStealer.H (ESET)
Alina, aka Win32/Spy.POSCardStealer.I (ESET)
Alina, aka Win32/Spy.POSCardStealer.J (ESET)
Card Recon, aka Win32:CardScan-A [PUP] (Avast)
vSkimmer, aka Win32/Spy.POSCardStealer.K (ESET)
Win32/Spy.POSCardStealer.L (ESET)
Win32/Spy.POSCardStealer.M (ESET)
Ree4 Dump Memory Grabber/BlackPOS, aka Win32/Spy.POSCardStealer.N (ESET) and Pocardler.A
Alina, aka Win32/Alinaos.A (Microsoft)
ProjectHook, aka Troj.Trackr-F
Win32/Spy.POSCardStealer.O (ESET)
Alina, aka Win32/Alinaos.B (ESET)
ProjectHook mod, aka Win32/Spy.POSCardStealer.P (ESET)
ChewBacca, aka Troj/Trackr-Z (Sophos)
Win32/Spy.POSCardStealer.R (ESET)
JackPos, aka Infostealer.Jackpos (Symantec)
Decebal, aka Trojan.VBS.POSStealer.A (F-Secure)
Decebal, aka Win32/Spy.POSCardStealer.U (ESET)

Fucked-up detections (POS malware, but no AV recognises it as what it should be):
Soraya/Karbus, aka Trojan.Yorasa (Symantec)
LogPOS, aka Trojan.LogPOS (Malwarebytes)
Backoff, aka Win32:BackoffPOS-A [Trj] (Avast)
BrutPOS, aka W32/BrutPOS (Fortinet)
NitlovePOS
AbaddonPOS
CenterPOS
TreasureHunt / TreasureHunter

How to trigger samples:
Fake Track1, Track2 data to trigger a RAM scraper
Visa Data Security Alerts Bulletins: http://usa.visa.com/merchants/risk_mana ... l#anchor_2
Dexter: http://www.xylibox.com/2013/08/point-of ... exter.html - http://blog.seculert.com/2012/12/dexter ... nt-of.html
Alina: http://blog.spiderlabs.com/2013/05/alin ... art-1.html - http://www.xylibox.com/2013/06/whos-behind-alina.html
mmon: http://www.xylibox.com/2012/03/pos-carding.html
rdasrv: http://nakedsecurity.sophos.com/2011/11 ... titutions/
Win32/Spy.POSCardStealer.B: http://www.xylibox.com/2012/12/point-of ... ppers.html
ProjectHook: http://www.xylibox.com/2013/05/projecth ... apper.html
Petroleum: http://aassfxxx.infos.st/article21/pos- ... m-scrapper - http://www.xylibox.com/2013/02/petroleu ... lware.html
BlackPOS: http://www.xylibox.com/2013/05/dump-mem ... ckpos.html - http://www.group-ib.com/index.php/o-kom ... cle&id=716
VSkimmer: http://www.xylibox.com/2013/01/vskimmer.html - http://blogs.mcafee.com/mcafee-labs/vsk ... -terminals
CardScan-A: http://www.xylibox.com/2013/02/youre-va ... arder.html
Inside a malware campaign: Alina + Dexter + Citadel: http://www.xylibox.com/2013/10/inside-m ... exter.html
Win32/Spy.POSCardStealer.O: http://www.xylibox.com/2013/12/win32spy ... n-pos.html

Attached: Troj/Trackr-Gen (http://nakedsecurity.sophos.com/2011/11 ... titutions/):
18/42 - 28/42 - 25/42 - 19/40 - 33/42
Last edited by Xylitol on Wed Jul 11, 2012 8:13 pm, edited 2 times in total.
 #14595  by Xylitol
 Wed Jul 11, 2012 8:04 pm
Various malicious/suspicious files (I got the hashes from here: http://www.firstdata.com/downloads/part ... upport.pdf)

rdasrv.exe.ViR: 20/41 (Troj/Trackr-A)
compenum.exe.ViR: 0/41
compenum2.exe.ViR: 0/42
dnsmgr.exe.ViR: 9/42
dnsmgr2.exe.ViR: 11/41
far.exe.ViR: 0/42
far2.exe.ViR: 0/42
install.bat.ViR: 0/42
lanst.exe.ViR: 8/42
lanst2.exe.ViR: 0/40
RamDDumper.exe.ViR: 0/41
mdirmon.exe.ViR: 2/42
netshares.exe.ViR: 10/42
parser.exe.ViR: 0/42
psexec.exe.ViR: 1/42 (not malicious)
shareenum.exe.ViR: 0/42
WinMgmt.exe.ViR: 17/42 (Mal/Servus-A)
mmon.exe: 0/42
 #16993  by Xylitol
 Mon Dec 03, 2012 9:54 am
More Troj/Trackr-Gen after some searches; this time it installs the stuff itself, so no need to use sc.exe/services.msc.
47d03fd75007f91af4efc39573164023 (35/46) - threatexpert
0f04ba8808ba884fa42daa91c399b24b (36/45) - threatexpert
64c9217c52b197256b16ebfb377d8d60 (34/45) - threatexpert
e0bb21ee1e846eab1ebbe901d6ce62a7 (37/46) - threatexpert
And one binary named only rdp instead of rdasrv, with low detection! bc955511e9382c0bea565d2c35fc98b5 (2/46)
Also, about the guys who redistribute malware: I've no problem with that, but give credit to where you found it instead of ripping whole things.
 #17063  by Xylitol
 Fri Dec 07, 2012 8:55 am
More samples, found on another infected POS
rdasrv: 31/45
unknown scraper: 03/45 <- probably the most interesting piece
another unknown: 0/45
http://www.xylibox.com/2012/12/point-of ... ppers.html
Have a nice friday.
 #17147  by Xylitol
 Wed Dec 12, 2012 7:41 pm
Dexter - Draining blood out of Point of Sales: http://blog.seculert.com/2012/12/dexter ... nt-of.html
Samples attached; I will post more if I find any.
 #17168  by bsteo
 Fri Dec 14, 2012 8:00 am
http://volatility-labs.blogspot.ro/2012 ... -dump.html

Wrote a little encoder/decoder for the data between bot and panel:
Code:

<?php
//$encoded = 'Kw4SCQ==';
//$encoded = 'NggPBQ4WEkE5MQ==';

$key = 'frtkj';

// Decode bot -> panel data: base64, then XOR every key byte into each byte.
function xor_decode($text, $key) {
  $key_length = strlen($key);
  $encoded_data = base64_decode($text);
  $result = '';
  $length = strlen($encoded_data);
  for ($i = 0; $i < $length; $i++) {
    $tmp = $encoded_data[$i];
    for ($j = 0; $j < $key_length; $j++) {
        $tmp = chr(ord($tmp) ^ ord($key[$j]));
    }
    $result .= $tmp;
  }
  return $result;
}

// Encode the other way: XOR every key byte into each byte, then base64.
function xor_encode($text, $key) {
  $key_length = strlen($key);
  $plain_data = $text;
  $result = '';
  $length = strlen($plain_data);
  for ($i = 0; $i < $length; $i++) {
    $tmp = $plain_data[$i];
    for ($j = 0; $j < $key_length; $j++) {
        $tmp = chr(ord($tmp) ^ ord($key[$j]));
    }
    $result .= $tmp;
  }
  $result = base64_encode($result);
  return $result;
}

// example (PHP's base64_decode accepts the missing '=' padding)
echo xor_decode('NggPBQ4WEkE5MQ', $key) . "\n";
echo xor_encode('Windows XP', $key) . "\n";
I unpacked the EXE and played a little with it; it seems the XOR decryption key is randomly generated and regenerates itself after some POSTs are sent.
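An added example, not bsteo's script and not the bot's own code: a Python re-implementation of the scheme above that also shows what the loop structure implies. Because every key byte is XORed into each plaintext byte, the whole key collapses to a single byte, so when the key rotates as the post notes, a short known plaintext in captured traffic (assumed here: the OS-name string the bot reports, as in the script's "Windows XP" example) is enough to recover it without a memory dump.

```python
import base64
from functools import reduce
from operator import xor
from typing import Optional

# Values taken from the PHP script above: its key and its example message.
SAMPLE_KEY = b"frtkj"
SAMPLE_ENCODED = "NggPBQ4WEkE5MQ=="  # decodes to "Windows XP"


def effective_key_byte(key: bytes) -> int:
    """The bot's inner loop XORs every key byte into each plaintext byte,
    so the whole key collapses to one byte: the XOR of all its bytes."""
    return reduce(xor, key, 0)


def _b64decode_lenient(encoded: str) -> bytes:
    """Restore '=' padding that the script's example drops (PHP's
    base64_decode tolerates this; Python's b64decode does not)."""
    return base64.b64decode(encoded + "=" * (-len(encoded) % 4))


def xor_encode(plain: bytes, key: bytes) -> str:
    k = effective_key_byte(key)
    return base64.b64encode(bytes(b ^ k for b in plain)).decode("ascii")


def xor_decode(encoded: str, key: bytes) -> bytes:
    k = effective_key_byte(key)
    return bytes(b ^ k for b in _b64decode_lenient(encoded))


def recover_key_byte(encoded: str, known_prefix: bytes) -> Optional[int]:
    """Since the scheme is really a single-byte XOR, a known plaintext
    prefix (assumption: the OS name the bot reports) pins the key byte
    down. Returns None if the prefix does not fit the captured message."""
    raw = _b64decode_lenient(encoded)
    if not known_prefix or len(raw) < len(known_prefix):
        return None
    candidates = {c ^ p for c, p in zip(raw, known_prefix)}
    return candidates.pop() if len(candidates) == 1 else None


if __name__ == "__main__":
    print(hex(effective_key_byte(SAMPLE_KEY)))          # 0x61
    print(xor_decode(SAMPLE_ENCODED, SAMPLE_KEY))        # b'Windows XP'
    print(xor_encode(b"Windows XP", SAMPLE_KEY))         # NggPBQ4WEkE5MQ==
    print(recover_key_byte(SAMPLE_ENCODED, b"Windows"))  # 97
```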
 #17188  by bsteo
 Sat Dec 15, 2012 6:47 am
mikeinhouston wrote:
exitthematrix,
Is the encryption key stored 16 bytes before the Run key's name in the iexplore.exe memory (dump)?
Depends on the sample; I just looked at the "cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785" dump and the KEY is located 8 bytes before the MUTEX name.

BTW, has anybody got the PHP panel?

Anyway, I wrote a shitty but half-functional "gateway.php" to fully find out how the bot is functioning (everything works besides the commands, I didn't test them). PM me if you need the script.