[Xylitol]

Bunch of POS Malwares in attach (JackPos/Soraya/rdasrv/mmon)...
for SetupX.exe the password of the installer is 'Rome0' and drop mmon and rdasrv into /system32/
http://vxvault.siri-urz.net/ViriList.ph ... .91.198.91

Code: Select all

Uname: Linux rome0.com 2.6.32-29-pve #1 SMP Thu Apr 24 10:03:02 CEST 2014 i686
$ last -f /var/log/wtmp
reboot   system boot  2.6.32-29-pve    Fri May 16 14:28 - 05:57 (22+15:29)
reboot   system boot  2.6.32-19-pve    Fri May 16 10:26 - 05:57 (22+19:31)
accounts pts/0        37.48.81.44      Thu Apr 24 18:55 - 13:54  (18:59)
reboot   system boot  2.6.32-19-pve    Sat Mar 15 11:08 - 10:07 (61+22:59)
root     pts/0        37.48.81.52      Sat Mar 15 10:56 - down   (00:11)
reboot   system boot  2.6.32-19-pve    Sat Feb 22 09:00 - 11:07 (21+01:07)
root     pts/0        37.48.81.48      Sat Feb 22 07:28 - down   (01:32)
reboot   system boot  2.6.32-19-pve    Sat Feb 22 07:27 - 09:00  (01:32)

wtmp begins Sat Feb 22 07:27:23 2014

Soraya:
https://www.virustotal.com/en/file/a776 ... 402224931/
https://www.virustotal.com/en/file/04b5 ... 402224932/
https://www.virustotal.com/en/file/c1a2 ... 402224934/
https://www.virustotal.com/en/file/33f0 ... 402225093/
https://www.virustotal.com/en/file/0866 ... 402225092/
JackPos:
https://www.virustotal.com/en/file/6347 ... 402225135/
mmon:
https://www.virustotal.com/en/file/7b31 ... 402225162/
bundled installer:
https://www.virustotal.com/en/file/6050 ... 402225205/

[nielsgroeneveld]

It seems a new kind of POS malware is being used at the moment, which is labelled as ''POSCLOUD.Backdoor/Agent'' by IntelCrawler -

Small businesses running cloud-based POS software hit with unique 'POSCLOUD' malware
http://www.scmagazine.com/small-busines ... le/355301/

Title: Cloud-Based POS Software – “New Target for Hackers?”
Published Date: June 11, 2014
Reference Number: IC-INT-753
http://intelcrawler.com/intel/webpos.pdf

Has anyone seen samples of other relevant information such as MD5 hashes relating to ''POSCLOUD'' ?

[dwsfra]

uCare, can you upload the unpacked bins of Soraya?
Thanks

[EP_X0FF]

uCare, can you upload the unpacked bins of Soraya?
Thanks

Soyara not Soraya.

[rkhunter]

Backoff Point-of-Sale Malware

http://www.us-cert.gov/ncas/alerts/TA14-212A

[jgrunz]

Some further info about some of the technical components:

http://blog.spiderlabs.com/2014/07/back ... lysis.html

Overall, it's nothing too revolutionary, but it's an interesting family nontheless. The explorer.exe injection/persistence mechanism is pretty interesting for sure.

[forty-six]

Couple of hashes from the article :

F5B4786C28CCF43E569CB21A6122A97E

17E1173F6FC7E920405F8DBDE8C9ECAC

[uCares]

Unpacked Backoff 1.55 AERO3
https://www.virustotal.com/en/file/6b0f ... 425435349/

[cr33k]

Unpacked Backoff 1.55 AERO3

I have been analyzing this bin and have gotten it to connect to my test server and successfully execute 'Uninstall' and 'Terminate' commands but 'Download and Run' and 'Update' commands seem to fail even with ':' delimiter between command and parameter.

Anyways, I also did a test to see if it could grab track1/2 data and it did however I am still working on decrypting the sent data. I know its something along the lines of: RC4_decrypt(base64_decode("encrypteddata")"rc4key")

but I still cant figure it out.

Anyone?

I have written this script to test communication:

Code: Select all

<?php 

	$in_op 		= $_POST['op'];
	$in_id 		= $_POST['id'];
	$in_ui 		= $_POST['ui'];
	$in_wv 		= $_POST['wv'];
	$in_gr 		= $_POST['gr'];
	$in_bv 		= $_POST['bv'];
	$in_data 	= $_POST['data'];
	
	
	
	$File = "log.html"; 
	$Handle = fopen($File, 'a+');
	
	$Data = "</br><b>New Log:</b> </br>".$in_op."</br>".$in_id."</br>".$in_ui."</br>".$in_wv."</br>".$in_gr."</br>".$in_bv."</br>".$in_data."</br>";
	
	fwrite($Handle, $Data); 
	
//      Download and Run:http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe (Not working?why)
//      Uninstall

 	print "Thanks!"; 
	
	fclose($Handle); 
?>

[cr33k]

New piece of Malware thats been making news lately for attacking pos terminals over RDP protocol.

Very detailed analysis here:

Code: Select all

http://www.fireeye.com/blog/technical/botnet-activities-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html

https://www.virustotal.com/en/file/c984 ... 425435172/