Tuesday, 6 March 2012
I recently got a package of files found on an infected POS (the POS was hacked through a weak RDP password).
Interface of a compromised POS used by a jeweller:
out.exe is the Ardamax Keylogger (ardamax.com), and vui qua.exe is an SFX archive that displays this picture when executed:
and drops Perfect Keylogger (blazingtools.com) behind it.
"vui qua" might be a Vietnamese phrase; translated, it means "so funny".
These two keyloggers are probably useless to the carder; the interesting file here is "mmon.exe", a RAM scraper.
It scans each and every process looking for card dumps (Track 1 and Track 2 data) that have been written to memory.
If a Point Of Sale device is connected to the computer, it will grab the card data right away.
How? POS systems always use end-to-end encryption; the only place where the data is not encrypted is in memory.
But memory has limited storage, so the data is overwritten all the time.
That is also a problem for mmon, because this crap has no loop feature and does not write to a file.
POS carders usually use better malware than this, but this is what I got, so...
Test of mmon with a valid Track 2 in memory:
When a dump is found, the program does nothing with it; it just displays it on the console.
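As an added example (not part of the original post, and not mmon's code): a check an incident responder can run over a saved memory dump of a POS process to confirm whether plaintext Track 1/2 data was exposed, i.e. the same structure the scraper above looks for. Candidate PANs are validated with Luhn to drop false positives and masked so the report is not itself a card dump. The dump bytes are constructed; 4111111111111111 is a widely used test number.

```python
import re

# Track 2 as stored on the stripe: ;PAN=YYMM SSS discretionary?   (SSS = service code)
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Track 1, format code B: %BPAN^NAME^YYMM SSS discretionary?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^[^^?]{2,26}\^(\d{4})(\d{3})[^?]*\?")

def luhn_ok(pan: str) -> bool:
    """Mod-10 check: drops digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep BIN and last four so the report is not itself a card dump."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(buf: bytes) -> list:
    """Return every Luhn-valid Track 1/2 record in a raw memory buffer, ordered by offset."""
    hits = []
    for track, rx in ((2, TRACK2_RE), (1, TRACK1_RE)):
        for m in rx.finditer(buf):
            pan, expiry, service = (g.decode("ascii") for g in m.groups())
            if not luhn_ok(pan):
                continue  # digits next to '=' or '^' with the right shape, but not a card number
            hits.append({"track": track, "offset": m.start(), "pan": mask_pan(pan),
                         "expiry": expiry, "service_code": service})
    return sorted(hits, key=lambda h: h["offset"])

# Constructed sample "dump": two records built around 4111111111111111 (a widely
# used test PAN) and one digit run that has the right shape but fails Luhn.
SAMPLE_DUMP = (
    b"\x00\x00\x10ABC"
    + b";4111111111111111=25121010000000000000?"
    + b"\x00" * 8
    + b";1234567890123456=2512101000?"          # right shape, fails Luhn: ignored
    + b"%B4111111111111111^DOE/JOHN^2512101000000?"
    + b"\xff\xff"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_DUMP):
        print(hit)
```

On a real case, read the process dump file in binary and pass its bytes to find_track_data; a non-empty result means card data sat in the clear in that process.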
The bad guys just connect to the POS via RDP, get dumps with mmon and write them onto magnetic stripe cards with a card writer.
Then they use an embosser to emboss the numbers on the card.
And it's ready to use... in the USA (Type 101).
The ones we have in Europe are 201 cards (chip and PIN).
With 101 cards you only need to swipe the card in a store; the cashier checks whether the last 4 digits on the card are correct.
Carders also use printers like Fargo to make fake IDs.
Anyway, POS malware has a high price; it's not a business that everyone can do.