grum wrote:http://blog.trendmicro.com/trendlabs-se ... -accounts/I like this
old or new tricks by BlackPOS?
They could not choose nothing more disgraceful for the screenshot? security-intelligence rofl, oh wait, it is trendmicro, then ok.
A forum for reverse engineering, OS internals and malware analysis
They could not choose nothing more disgraceful for the screenshot? security-intelligence rofl, oh wait, it is trendmicro, then ok.
Ring0 - the source of inspiration
A lot of folks are calling this BlackPoS. The main basis for this is the unique-exfiltration techniques.
The t.bat file that is decoded from the Trend posting, uses a bitshift & XOR key.
The t.bat file that is decoded from the Trend posting, uses a bitshift & XOR key.
A sample of this would be neat to see...I'd like to see if the data exfiltration and C&C traffic are the same as the older BackOFF's.
The sample referenced by TrendMicro isn't BlackPOS. I wasn't going to call them out on it publicly, but then Krebs started grasping at straws and now everyone thinks it's BlackPOS v2.
http://blog.nuix.com/2014/09/08/blackpo ... nt-family/
Also, @creek You're correct about it Being RC4(Base64()). The key is derived from three pieces of data: 'id' parameter, a static string embedded in the binary, and the 'ui' parameter.
Example for 1.56 'LAST': ['id' parameter] vxeyHkS + jhgtsd7fjmytkr + ['ui' parameter] Josh @ PC123456 = 'vxeyHkSjhgtsd7fjmytkrJosh @ PC123456'. This string is MD5'ed ('56E15A1B3CB7116CAB0268AC8A2CD943'), and this is the key used for RC4 in this particular example. I detail it a bit over at http://blog.spiderlabs.com/2014/07/back ... lysis.html. Hope this helps.
http://blog.nuix.com/2014/09/08/blackpo ... nt-family/
Also, @creek You're correct about it Being RC4(Base64()). The key is derived from three pieces of data: 'id' parameter, a static string embedded in the binary, and the 'ui' parameter.
Example for 1.56 'LAST': ['id' parameter] vxeyHkS + jhgtsd7fjmytkr + ['ui' parameter] Josh @ PC123456 = 'vxeyHkSjhgtsd7fjmytkrJosh @ PC123456'. This string is MD5'ed ('56E15A1B3CB7116CAB0268AC8A2CD943'), and this is the key used for RC4 in this particular example. I detail it a bit over at http://blog.spiderlabs.com/2014/07/back ... lysis.html. Hope this helps.
PoS RAM scraper family :?:
Hi,
Are we all 'happy' that BlackPOS v2 is a 'real thing' and not just a hand waving argument that this or that sample is too different from BlackPOS?
Regards
Simon
Are we all 'happy' that BlackPOS v2 is a 'real thing' and not just a hand waving argument that this or that sample is too different from BlackPOS?
Regards
Simon
ROM – A New Version of the Backoff PoS Malware
http://blog.fortinet.com/post/rom-a-new ... os-malware
http://blog.fortinet.com/post/rom-a-new ... os-malware
Point-of-Sale Malware “d4re|dev1|” is Attacking Ticket Machines and Electronic Kiosks
https://www.intelcrawler.com/news-24
https://www.intelcrawler.com/news-24
LucyPos.A
http://securitykitten.github.io/lusypos-and-tor/
https://www.virustotal.com/en/file/d7a0 ... 419535669/
http://securitykitten.github.io/lusypos-and-tor/
https://www.virustotal.com/en/file/d7a0 ... 419535669/
Attachments
infected
(1.57 MiB) Downloaded 114 times
(1.57 MiB) Downloaded 114 times
