Wednesday, 4 December 2013

Win32/Spy.POSCardStealer.O and unknown POS Sniffer

Finally some new stuff (hmm, no)
Let's talk about Win32/Spy.POSCardStealer.O identified by ESET.
It's pretty lame but let's see it anyway.

On the first procedure the malware will register a reg key in HKLM with 'HDebugger'

And start to search for track2:

Then he call the C&C (hoqou.su/forum.php):
• dns: 1 ›› ip: 62.173.149.140 - adresse: HOQOU.SU

Do a sleep of 120000 ms (2 minutes):

And redo into the track2 research procedure.
When finaly something is found the malware took the PID of the program, the process name and the mem adress:
Then he send it to the C&C...

POST req example:
%5BPID%201224%20%28MSR.exe%29%5D%0D%0A%20ADDR%20000B2F90%3A%20%224111111111111111%3D13071010000000000666%22%0D%0A%5BEOF%5D%0D%0A

This malware can't receive orders, and don't have a special mechanism.
On another sample, i've found another domain: rolex216.8s.nl/go/go.php
• dns: 1 ›› ip: 41.223.53.155 - adresse: ROLEX216.8S.NL

This malware was downloaded from a downloader who now download another malware who brute force wordpress sites (maybe i will talk about this one soon).

Still with POS Malware a 'new' threat (Detected only with generic signatures) appeared.
https://www.virustotal.com/fr/file/746cb8cf77b0b00f14c424731948d8fc13378978d193d75f944b12c25e98e0e2/analysis/1376958328/
I got this sample since august from a guys who found this on his POS systems.
In 3 months there is still no one who have do an accurate signature.

At first he will create two directories 'System\Hidden' inside %APPDATA%\Microsoft\Windows

Do a directory test to know from where the executable is launched:

Copy the EXE and launch the copy:

A registry key "Svchost-Windows-Redquired" is created for persistence

Enter in a procedure to remove the original file:
/c del C:\DOCUME~1\ADMINI~1\Bureau\svchost.exe >> NUL
And as excepted send a exit code just after...

So what's do the fresh copy inside the 'good' folder ?
Firstly he take the jump due to the directory test.

On the procedure he will compute a string based on GetSystemFileTime, then he start to enumerate process.
He will open them one by one, read the memory and look for track 2 in a subroutine.
Usual stuff.
They search by partern from the second part of tracks 2 '=13' '=14' '=15' etc..

A file 'Sys.dll' is created:
timestamped with
(encoded)
And wrote:

Do a sleep of 450000 ms (7 1/2 minutes)

if a dump is found the dump is encoded:
And wrote in Sys.dll.

Then they are sent one by one to the C&C:

http://mcsup.cc/8edf4bc26f9c526ff846c9068f387dac/?update=daily&random=563245325050324532495458495358
http://mcsup.cc/8edf4bc26f9c526ff846c9068f387dac/redirect.php
http://mcsup.cc/8edf4bc26f9c526ff846c9068f387dac/website.php
5.9.96.235
The md5 hash '8edf4bc26f9c526ff846c9068f387dac' is 'zabeat'

2 comments:

  1. Can you send this sample to info@payload-security.com? We would be very interested in analyzing the sample to see if "StaticStream - A Hybrid Analysis Engine for x86 Assembly" (see www.payload-security.com for details) can produce the same results.

    ReplyDelete
  2. You really should read this review of mSPy if you always wanted to get your hands on some good spyware to monitor your family

    ReplyDelete