Nothing really new on this, just..:
Of course I don't infect a machine just to monitor Alina's activity; I've made a primitive program that runs on my VPS.
The app just sends POST requests to the C&C the way Alina does and grabs the response; I do the same for several other malwares.
It's the best way I've found so far to monitor things without compromising a VM just for one malware.
Fun fact: Alina has various features, but I've only ever seen the 'Update' and 'Download exe' features used.
Various trash logs from Visual Studio found in the sample:
Maybe it's time
Alina: Casting a Shadow on POS
Alina: Following The Shadow Part 1
Alina: Following The Shadow Part 2
Because my last post is starting to be outdated for the current version pushed by the Alina actor(s)
Now for the C&C: a new one was made for this update:
Still on the same server, various other Alina C&Cs are or were hosted:
Alina is also related to Citadel; for example, the domain zwaonoiy.com got sinkholed.
But what does 'dpt' mean, and why?
Probably a shortcut for a carding guy known as deputat:
Who runs... a dump shop
Why did he start to go public with this? I still have no idea, but there are several rumors about an Alina guy planning to sell it publicly (according to darkode PMs)
If you have read part 2 of the Spiderlabs posts, you saw that Alina hooks itself into every process; that's the reason for the duplicates.
Logs of one POS:
Sometimes scraping RAM in search of track2 data can produce random data, not credit cards.
A BIN is the first 6 digits of a credit card; this export filter compares those BINs to be sure it's a 'valid' credit card.
Most POS malware that use the Luhn algorithm have this problem: 00000000000000000 or 4444444444444444 get grabbed because they are Luhn valid.
A typical malware that produces these false positives, and probably the best known: mmon
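To make the false-positive point concrete, here is an added example (my own illustration, not code from the post or from any of the malware it discusses). It runs a plain Luhn check over a handful of constructed candidate strings of the kind a RAM scraper logs, then applies a BIN prefix filter on top. The BIN list is a made-up stand-in for a real issuer table, and the card numbers are the usual published test numbers, so nothing here is a live account. The useful lesson for anyone triaging scraper output or writing a DLP rule is that a run of repeated digits can satisfy Luhn, so Luhn alone is not evidence of a real card.

```python
# Added example: Luhn check versus Luhn + BIN filter on scraper-style candidates.
# KNOWN_BINS and the candidate list below are constructed for illustration.

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (mod 10)."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit,
    # subtracting 9 when the doubled value has two digits.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed BIN prefixes (first 6 digits) standing in for a real issuer list.
# 411111 / 555555 / 371449 are the prefixes of the well-known test card numbers.
KNOWN_BINS = {"411111", "555555", "371449"}


def bin_known(pan: str) -> bool:
    """True if the candidate's first six digits are in the BIN table."""
    return pan[:6] in KNOWN_BINS


def classify(candidate: str) -> str:
    """Mimic an export filter: Luhn first, then BIN lookup."""
    if not luhn_valid(candidate):
        return "reject:luhn"
    if not bin_known(candidate):
        return "reject:bin"
    return "accept"


def triage(candidates):
    """Return {candidate: verdict} for a batch of scraper-style strings."""
    return {c: classify(c) for c in candidates}


if __name__ == "__main__":
    # Constructed sample: junk runs that pass Luhn, plus public test numbers.
    sample = [
        "00000000000000000",   # 17 zeros: Luhn valid, no real BIN
        "44444444444444444",   # 17 fours: Luhn valid, no real BIN
        "4111111111111111",    # Visa test number: Luhn valid, known BIN
        "4111111111111112",    # one digit off: fails Luhn
        "5555555555554444",    # Mastercard test number: Luhn valid, known BIN
    ]
    for cand, verdict in triage(sample).items():
        print(f"{cand:>20}  {verdict}")
```

The repeated-digit strings sail through the Luhn stage and are only stopped by the BIN table, which is exactly the gap the post describes in scrapers that rely on Luhn alone.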
Alina is one of the most advanced RAM scrapers I've seen so far.
Someone complaining about BlackPOS:
I have more details about why I think deputat is behind it; just contact me.