[Xylitol]

Malware who target Point-of-Sale devices.

Available samples
Dexter, aka Infostealer.Dexter (Symantec):

• >>17147
• >>18077
• >>20380
• >>20877
• >>20899
• >>20905
• >>20924

Samples from VISA (warning: some files are legit):

• >>17302
• >>17339

vSkimmer, aka Infostealer.Vskim (Symantec):

• >>17863
• >>18283

rdasrv, aka Win32/Spy.POSCardStealer.A (ESET):

• >>14594
• >>14595
• >>16993
• >>17063
• >>18040
• >>18212

Win32/Spy.POSCardStealer.B (ESET):

• >>17063
• >>18006

mmon, aka Win32/Spy.POSCardStealer.C (ESET):

• >>14595

Alina, aka Win32/Spy.POSCardStealer.D (ESET):

• >>18006
• >>18008
• >>18010

Win32/Spy.POSCardStealer.E (ESET):

• >>18066

Alina, aka Win32/Spy.POSCardStealer.F (ESET):

• >>18082

Petroleum, aka Win32/Spy.POSCardStealer.G (ESET):

• >>17881
• >>17938

Petroleum, aka Win32/Spy.POSCardStealer.H (ESET):

• >>17881
• >>17938

Alina, aka Win32/Spy.POSCardStealer.I (ESET):

• >>18100
• >>18161
• >>19251

Alina, aka Win32/Spy.POSCardStealer.J (ESET):

• >>18101

Card Recon, aka Win32:CardScan-A [PUP] (Avast):

• >>18212

vSkimmer, aka Win32/Spy.POSCardStealer.K (ESET):

• >>18522

Win32/Spy.POSCardStealer.L (ESET):

• >>18679

Win32/Spy.POSCardStealer.M (ESET):

• >>18792

Ree4 Dump Memory Grabber/BlackPOS aka Win32/Spy.POSCardStealer.N (ESET) and Pocardler.A:

• >>18827
• >>19556

Alina aka Win32/Alinaos.A (Microsoft):

• >>19430

ProjectHook aka Troj.Trackr-F:

• >>19556
• >>22080

Win32/Spy.POSCardStealer.O (ESET):

• >>20475

Alina aka Win32/Alinaos.B (ESET):

• >>21516

ProjectHook mod aka Win32/Spy.POSCardStealer.P (ESET):

• >>20892

ChewBacca aka Troj/Trackr-Z (Sophos):

• >>22112

Win32/Spy.POSCardStealer.R (ESET):

• >>22147

JackPos aka Infostealer.Jackpos (Symantec):

• >>22150
• >>230644

Decebal aka Trojan.VBS.POSStealer.A (F-Secure):

• >>22045

Decebal aka Win32/Spy.POSCardStealer.U (ESET):

• >>22045

Fucked-up detections (POS Malwares but no AV recognise it as what it should be):

• >>21061 (Alina)
• >>22080 (Alina v7)

Soraya/Karbus aka Trojan.Yorasa (Symantec):

• >>23054
• >>23064

LogPOS aka Trojan.LogPOS (Malwarebytes):

• >>25380

Backoff aka Win32:BackoffPOS-A [Trj] (Avast):

• >>23650

BrutPOS aka W32/BrutPOS (Fortinet):

• >>23698

NitlovePOS:

• >>25922

AbaddonPOS:

• >>27219

CenterPOS:

• >>27778

TreasureHunt / TreasureHunter:

• >>28139

How to trig samples

• >>18059

Fake Track1, Track2 to trigg ram scrapper:

%B4111111111111111^KERNEL/MODE.INFO^2201101200567000000000404000000?
;4111111111111111=22011012005674040000?

Ressources
Visa Data Security Alerts Bulletins: http://usa.visa.com/merchants/risk_mana ... l#anchor_2
Dexter: http://www.xylibox.com/2013/08/point-of ... exter.html - http://blog.seculert.com/2012/12/dexter ... nt-of.html
Alina: http://blog.spiderlabs.com/2013/05/alin ... art-1.html - http://www.xylibox.com/2013/06/whos-behind-alina.html
mmon: http://www.xylibox.com/2012/03/pos-carding.html
rdasrv: http://nakedsecurity.sophos.com/2011/11 ... titutions/
Win32/Spy.POSCardStealer.B: http://www.xylibox.com/2012/12/point-of ... ppers.html
ProjectHook: http://www.xylibox.com/2013/05/projecth ... apper.html
Petroleum: http://aassfxxx.infos.st/article21/pos- ... m-scrapper - http://www.xylibox.com/2013/02/petroleu ... lware.html
BlackPOS: http://www.xylibox.com/2013/05/dump-mem ... ckpos.html - http://www.group-ib.com/index.php/o-kom ... cle&id=716
VSkimmer: http://www.xylibox.com/2013/01/vskimmer.html - http://blogs.mcafee.com/mcafee-labs/vsk ... -terminals
CardScan-A: http://www.xylibox.com/2013/02/youre-va ... arder.html
Inside a malware campaign: Alina + Dexter + Citadel: http://www.xylibox.com/2013/10/inside-m ... exter.html
Win32/Spy.POSCardStealer.O: http://www.xylibox.com/2013/12/win32spy ... n-pos.html

In attach: Troj/Trackr-Gen (http://nakedsecurity.sophos.com/2011/11 ... titutions/):
18/42 - 28/42 - 25/42 - 19/40 - 33/42

[Xylitol]

Various Malicious/Suspicious files (i got hashs from here: http://www.firstdata.com/downloads/part ... upport.pdf)

rdasrv.exe.ViR: 20/41 (Troj/Trackr-A)
compenum.exe.ViR: 0/41
compenum2.exe.ViR: 0/42
dnsmgr.exe.ViR: 9/42
dnsmgr2.exe.ViR: 11/41
far.exe.ViR: 0/42
far2.exe.ViR: 0/42
install.bat.ViR: 0/42
lanst.exe.ViR: 8/42
lanst2.exe.ViR: 0/40
RamDDumper.exe.ViR: 0/41
mdirmon.exe.ViR: 2/42
netshares.exe.ViR: 10/42
parser.exe.ViR: 0/42
psexec.exe.ViR: 1/42 (not malicious)
shareenum.exe.ViR: 0/42
WinMgmt.exe.ViR: 17/42 (Mal/Servus-A)

POS_1.zip

infected
(3.34 MiB) Downloaded 353 times

POS_2.zip

infected
(2.99 MiB) Downloaded 309 times

--
http://www.xylibox.com/2012/03/pos-carding.html

mmon.exe: 0/42

86dd21b8388f23371d680e2632d0855b442f0fa7e93cd009d6e762715ba2d054.zip

infected
(80.62 KiB) Downloaded 299 times

[Xylitol]

More Troj/Trackr-Gen after some searchs, this time it install the stuff so no need to use sc.exe/services.msc
47d03fd75007f91af4efc39573164023 (35/46) - threatexpert
0f04ba8808ba884fa42daa91c399b24b (36/45) - threatexpert
64c9217c52b197256b16ebfb377d8d60 (34/45) - threatexpert
e0bb21ee1e846eab1ebbe901d6ce62a7 (37/46) - threatexpert
And one bin only named rdp instead of rdasrv, low detection ! bc955511e9382c0bea565d2c35fc98b5 (2/46)
Also about guys who redistribute malwares, i've no problem with that but give credit where you found that instead of ripping whole things.

[Xylitol]

More samples, found on another infected POS
rdasrv: 31/45
unknown scraper: 03/45 <- probably the most interesting piece
another unknown: 0/45
http://www.xylibox.com/2012/12/point-of ... ppers.html
Have a nice friday.

[Xylitol]

Dexter - Draining blood out of Point of Sales: http://blog.seculert.com/2012/12/dexter ... nt-of.html
Samples in attach, will post some more if i find.
35/45
35/45
37/45
37/45

[360Tencent]

http://blog.spiderlabs.com/2012/12/the- ... dirty.html

[bsteo]

http://volatility-labs.blogspot.ro/2012 ... -dump.html

Wrote a little encoder/decoder for the data between bot and panel:

Code: Select all

<?php

//$encoded = 'Kw4SCQ==';
//$encoded = 'AwICB1VWVwRMUVVYVUxVUwAHTABWAFZMUVJTUlECWAVVVlVU';
//$encoded = 'NggPBQ4WEkE5MQ==';

$key = 'frtkj';

function xor_decode($text, $key) {
  $key_length = strlen($key);
  $encoded_data = base64_decode($text);
  $result = '';
  $length = strlen($encoded_data);
  for ($i = 0; $i < $length; $i++) {
    $tmp = $encoded_data[$i];

    for ($j = 0; $j < $key_length; $j++) {
        $tmp = chr(ord($tmp) ^ ord($key[$j]));
    }

    $result .= $tmp;
  }
  return $result;
}

function xor_encode($text, $key) {
  $key_length = strlen($key);
  $plain_data = $text;
  $result = '';
  $length = strlen($plain_data);
  for ($i = 0; $i < $length; $i++) {
    $tmp = $plain_data[$i];

    for ($j = 0; $j < $key_length; $j++) {
        $tmp = chr(ord($tmp) ^ ord($key[$j]));
    }

    $result .= $tmp;
  }
  $result = base64_encode($result);
  return $result;
}

// example
echo xor_decode('NggPBQ4WEkE5MQ', $key) . "\n";
echo xor_encode('Windows XP', $key) . "\n";
?>

I unpacked the EXE and played a little with it, seems the XOR decryption key is randomly generated and keeps generating itself after some POST's sent.

[mikeinhouston]

exitthematrix,

Is the encryption key stored 16 bytes before the Run key's name in the iexplore.exe memory (dump)?

[bsteo]

exitthematrix,

Is the encryption key stored 16 bytes before the Run key's name in the iexplore.exe memory (dump)?

Depends on sample, just looked at "cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785" dump and the KEY is located 8 bytes before the MUTEX name.

BTW, got anybody the PHP panel?

Anyway, I wrote a shitty but half-functional "gateway.php" to fully find out how the bot is functioning (everything work besides the commands, I didn't test them). PM if need the script.

[Xylitol]

If someone know an alive c&c for dexter i can try to hack it.