A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #14594  by Xylitol
 Wed Jul 11, 2012 7:12 pm
Image
Malware who target Point-of-Sale devices.

Available samples
Dexter, aka Infostealer.Dexter (Symantec): Samples from VISA (warning: some files are legit): vSkimmer, aka Infostealer.Vskim (Symantec): rdasrv, aka Win32/Spy.POSCardStealer.A (ESET): Win32/Spy.POSCardStealer.B (ESET): mmon, aka Win32/Spy.POSCardStealer.C (ESET): Alina, aka Win32/Spy.POSCardStealer.D (ESET): Win32/Spy.POSCardStealer.E (ESET): Alina, aka Win32/Spy.POSCardStealer.F (ESET): Petroleum, aka Win32/Spy.POSCardStealer.G (ESET): Petroleum, aka Win32/Spy.POSCardStealer.H (ESET): Alina, aka Win32/Spy.POSCardStealer.I (ESET): Alina, aka Win32/Spy.POSCardStealer.J (ESET): Card Recon, aka Win32:CardScan-A [PUP] (Avast): vSkimmer, aka Win32/Spy.POSCardStealer.K (ESET): Win32/Spy.POSCardStealer.L (ESET): Win32/Spy.POSCardStealer.M (ESET): Ree4 Dump Memory Grabber/BlackPOS aka Win32/Spy.POSCardStealer.N (ESET) and Pocardler.A: Alina aka Win32/Alinaos.A (Microsoft): ProjectHook aka Troj.Trackr-F: Win32/Spy.POSCardStealer.O (ESET): Alina aka Win32/Alinaos.B (ESET): ProjectHook mod aka Win32/Spy.POSCardStealer.P (ESET): ChewBacca aka Troj/Trackr-Z (Sophos): Win32/Spy.POSCardStealer.R (ESET): JackPos aka Infostealer.Jackpos (Symantec): Decebal aka Trojan.VBS.POSStealer.A (F-Secure): Decebal aka Win32/Spy.POSCardStealer.U (ESET): Fucked-up detections (POS Malwares but no AV recognise it as what it should be): Soraya/Karbus aka Trojan.Yorasa (Symantec): LogPOS aka Trojan.LogPOS (Malwarebytes): Backoff aka Win32:BackoffPOS-A [Trj] (Avast): BrutPOS aka W32/BrutPOS (Fortinet): NitlovePOS: AbaddonPOS: CenterPOS: TreasureHunt / TreasureHunter: How to trig samples Fake Track1, Track2 to trigg ram scrapper:
%B4111111111111111^KERNEL/MODE.INFO^2201101200567000000000404000000?
;4111111111111111=22011012005674040000?
Ressources
Visa Data Security Alerts Bulletins: http://usa.visa.com/merchants/risk_mana ... l#anchor_2
Dexter: http://www.xylibox.com/2013/08/point-of ... exter.html - http://blog.seculert.com/2012/12/dexter ... nt-of.html
Alina: http://blog.spiderlabs.com/2013/05/alin ... art-1.html - http://www.xylibox.com/2013/06/whos-behind-alina.html
mmon: http://www.xylibox.com/2012/03/pos-carding.html
rdasrv: http://nakedsecurity.sophos.com/2011/11 ... titutions/
Win32/Spy.POSCardStealer.B: http://www.xylibox.com/2012/12/point-of ... ppers.html
ProjectHook: http://www.xylibox.com/2013/05/projecth ... apper.html
Petroleum: http://aassfxxx.infos.st/article21/pos- ... m-scrapper - http://www.xylibox.com/2013/02/petroleu ... lware.html
BlackPOS: http://www.xylibox.com/2013/05/dump-mem ... ckpos.html - http://www.group-ib.com/index.php/o-kom ... cle&id=716
VSkimmer: http://www.xylibox.com/2013/01/vskimmer.html - http://blogs.mcafee.com/mcafee-labs/vsk ... -terminals
CardScan-A: http://www.xylibox.com/2013/02/youre-va ... arder.html
Inside a malware campaign: Alina + Dexter + Citadel: http://www.xylibox.com/2013/10/inside-m ... exter.html
Win32/Spy.POSCardStealer.O: http://www.xylibox.com/2013/12/win32spy ... n-pos.html

In attach: Troj/Trackr-Gen (http://nakedsecurity.sophos.com/2011/11 ... titutions/):
18/42 - 28/42 - 25/42 - 19/40 - 33/42
Attachments
infected
(321.51 KiB) Downloaded 370 times
Last edited by Xylitol on Wed Jul 11, 2012 8:13 pm, edited 2 times in total.
 #14595  by Xylitol
 Wed Jul 11, 2012 8:04 pm
Various Malicious/Suspicious files (i got hashs from here: http://www.firstdata.com/downloads/part ... upport.pdf)

rdasrv.exe.ViR: 20/41 (Troj/Trackr-A)
compenum.exe.ViR: 0/41
compenum2.exe.ViR: 0/42
dnsmgr.exe.ViR: 9/42
dnsmgr2.exe.ViR: 11/41
far.exe.ViR: 0/42
far2.exe.ViR: 0/42
install.bat.ViR: 0/42
lanst.exe.ViR: 8/42
lanst2.exe.ViR: 0/40
RamDDumper.exe.ViR: 0/41
mdirmon.exe.ViR: 2/42
netshares.exe.ViR: 10/42
parser.exe.ViR: 0/42
psexec.exe.ViR: 1/42 (not malicious)
shareenum.exe.ViR: 0/42
WinMgmt.exe.ViR: 17/42 (Mal/Servus-A)
infected
(3.34 MiB) Downloaded 354 times
infected
(2.99 MiB) Downloaded 310 times
--
http://www.xylibox.com/2012/03/pos-carding.html
Image
mmon.exe: 0/42
 #16993  by Xylitol
 Mon Dec 03, 2012 9:54 am
More Troj/Trackr-Gen after some searchs, this time it install the stuff so no need to use sc.exe/services.msc
47d03fd75007f91af4efc39573164023 (35/46) - threatexpert
0f04ba8808ba884fa42daa91c399b24b (36/45) - threatexpert
64c9217c52b197256b16ebfb377d8d60 (34/45) - threatexpert
e0bb21ee1e846eab1ebbe901d6ce62a7 (37/46) - threatexpert
And one bin only named rdp instead of rdasrv, low detection ! bc955511e9382c0bea565d2c35fc98b5 (2/46)
Also about guys who redistribute malwares, i've no problem with that but give credit where you found that instead of ripping whole things.
Attachments
infected
(1.58 MiB) Downloaded 283 times
 #17063  by Xylitol
 Fri Dec 07, 2012 8:55 am
More samples, found on another infected POS
rdasrv: 31/45
unknown scraper: 03/45 <- probably the most interesting piece
another unknown: 0/45
http://www.xylibox.com/2012/12/point-of ... ppers.html
Have a nice friday.
Attachments
infected
(197.95 KiB) Downloaded 313 times
 #17147  by Xylitol
 Wed Dec 12, 2012 7:41 pm
Dexter - Draining blood out of Point of Sales: http://blog.seculert.com/2012/12/dexter ... nt-of.html
Samples in attach, will post some more if i find.
35/45
35/45
37/45
37/45
Attachments
infected
(152.27 KiB) Downloaded 529 times
 #17168  by bsteo
 Fri Dec 14, 2012 8:00 am
http://volatility-labs.blogspot.ro/2012 ... -dump.html

Wrote a little encoder/decoder for the data between bot and panel:
Code: Select all
<?php

//$encoded = 'Kw4SCQ==';
//$encoded = 'AwICB1VWVwRMUVVYVUxVUwAHTABWAFZMUVJTUlECWAVVVlVU';
//$encoded = 'NggPBQ4WEkE5MQ==';

$key = 'frtkj';

function xor_decode($text, $key) {
  $key_length = strlen($key);
  $encoded_data = base64_decode($text);
  $result = '';
  $length = strlen($encoded_data);
  for ($i = 0; $i < $length; $i++) {
    $tmp = $encoded_data[$i];

    for ($j = 0; $j < $key_length; $j++) {
        $tmp = chr(ord($tmp) ^ ord($key[$j]));
    }

    $result .= $tmp;
  }
  return $result;
}

function xor_encode($text, $key) {
  $key_length = strlen($key);
  $plain_data = $text;
  $result = '';
  $length = strlen($plain_data);
  for ($i = 0; $i < $length; $i++) {
    $tmp = $plain_data[$i];

    for ($j = 0; $j < $key_length; $j++) {
        $tmp = chr(ord($tmp) ^ ord($key[$j]));
    }

    $result .= $tmp;
  }
  $result = base64_encode($result);
  return $result;
}

// example
echo xor_decode('NggPBQ4WEkE5MQ', $key) . "\n";
echo xor_encode('Windows XP', $key) . "\n";
?>
I unpacked the EXE and played a little with it, seems the XOR decryption key is randomly generated and keeps generating itself after some POST's sent.
 #17188  by bsteo
 Sat Dec 15, 2012 6:47 am
mikeinhouston wrote:exitthematrix,

Is the encryption key stored 16 bytes before the Run key's name in the iexplore.exe memory (dump)?
Depends on sample, just looked at "cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785" dump and the KEY is located 8 bytes before the MUTEX name.

BTW, got anybody the PHP panel?

Anyway, I wrote a shitty but half-functional "gateway.php" to fully find out how the bot is functioning (everything work besides the commands, I didn't test them). PM if need the script.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 25