Malware who target Point-of-Sale devices.
Available samples
Dexter, aka Infostealer.Dexter (Symantec): Samples from VISA (warning: some files are legit): vSkimmer, aka Infostealer.Vskim (Symantec): rdasrv, aka Win32/Spy.POSCardStealer.A (ESET): Win32/Spy.POSCardStealer.B (ESET): mmon, aka Win32/Spy.POSCardStealer.C (ESET): Alina, aka Win32/Spy.POSCardStealer.D (ESET): Win32/Spy.POSCardStealer.E (ESET): Alina, aka Win32/Spy.POSCardStealer.F (ESET): Petroleum, aka Win32/Spy.POSCardStealer.G (ESET): Petroleum, aka Win32/Spy.POSCardStealer.H (ESET): Alina, aka Win32/Spy.POSCardStealer.I (ESET): Alina, aka Win32/Spy.POSCardStealer.J (ESET): Card Recon, aka Win32:CardScan-A [PUP] (Avast): vSkimmer, aka Win32/Spy.POSCardStealer.K (ESET): Win32/Spy.POSCardStealer.L (ESET): Win32/Spy.POSCardStealer.M (ESET): Ree4 Dump Memory Grabber/BlackPOS aka Win32/Spy.POSCardStealer.N (ESET) and Pocardler.A: Alina aka Win32/Alinaos.A (Microsoft): ProjectHook aka Troj.Trackr-F: Win32/Spy.POSCardStealer.O (ESET): Alina aka Win32/Alinaos.B (ESET): ProjectHook mod aka Win32/Spy.POSCardStealer.P (ESET): ChewBacca aka Troj/Trackr-Z (Sophos): Win32/Spy.POSCardStealer.R (ESET): JackPos aka Infostealer.Jackpos (Symantec): Decebal aka Trojan.VBS.POSStealer.A (F-Secure): Decebal aka Win32/Spy.POSCardStealer.U (ESET): Fucked-up detections (POS Malwares but no AV recognise it as what it should be): Soraya/Karbus aka Trojan.Yorasa (Symantec): LogPOS aka Trojan.LogPOS (Malwarebytes): Backoff aka Win32:BackoffPOS-A [Trj] (Avast): BrutPOS aka W32/BrutPOS (Fortinet): NitlovePOS: AbaddonPOS: CenterPOS: TreasureHunt / TreasureHunter: How to trig samples Fake Track1, Track2 to trigg ram scrapper:
%B4111111111111111^KERNEL/MODE.INFO^2201101200567000000000404000000?Ressources
;4111111111111111=22011012005674040000?
Visa Data Security Alerts Bulletins: http://usa.visa.com/merchants/risk_mana ... l#anchor_2
Dexter: http://www.xylibox.com/2013/08/point-of ... exter.html - http://blog.seculert.com/2012/12/dexter ... nt-of.html
Alina: http://blog.spiderlabs.com/2013/05/alin ... art-1.html - http://www.xylibox.com/2013/06/whos-behind-alina.html
mmon: http://www.xylibox.com/2012/03/pos-carding.html
rdasrv: http://nakedsecurity.sophos.com/2011/11 ... titutions/
Win32/Spy.POSCardStealer.B: http://www.xylibox.com/2012/12/point-of ... ppers.html
ProjectHook: http://www.xylibox.com/2013/05/projecth ... apper.html
Petroleum: http://aassfxxx.infos.st/article21/pos- ... m-scrapper - http://www.xylibox.com/2013/02/petroleu ... lware.html
BlackPOS: http://www.xylibox.com/2013/05/dump-mem ... ckpos.html - http://www.group-ib.com/index.php/o-kom ... cle&id=716
VSkimmer: http://www.xylibox.com/2013/01/vskimmer.html - http://blogs.mcafee.com/mcafee-labs/vsk ... -terminals
CardScan-A: http://www.xylibox.com/2013/02/youre-va ... arder.html
Inside a malware campaign: Alina + Dexter + Citadel: http://www.xylibox.com/2013/10/inside-m ... exter.html
Win32/Spy.POSCardStealer.O: http://www.xylibox.com/2013/12/win32spy ... n-pos.html
In attach: Troj/Trackr-Gen (http://nakedsecurity.sophos.com/2011/11 ... titutions/):
18/42 - 28/42 - 25/42 - 19/40 - 33/42
Attachments
infected
(321.51 KiB) Downloaded 370 times
(321.51 KiB) Downloaded 370 times
Last edited by Xylitol on Wed Jul 11, 2012 8:13 pm, edited 2 times in total.