Wednesday 4 December 2013

Win32/Spy.POSCardStealer.O and unknown POS Sniffer

Finally some new stuff (hmm, no)
Let's talk about Win32/Spy.POSCardStealer.O identified by ESET.
It's pretty lame but let's see it anyway.

In its first procedure the malware registers a key named 'HDebugger' under HKLM:

Then it starts searching for Track 2 data:

Then it calls the C&C (hoqou.su/forum.php):
• dns: 1 ›› ip: 62.173.149.140 - address: HOQOU.SU

It sleeps for 120000 ms (2 minutes):

and loops back into the Track 2 search procedure.
When something is finally found, the malware records the PID of the process, the process name and the memory address:
and sends them to the C&C.

Example POST body (URL-encoded):
%5BPID%201224%20%28MSR.exe%29%5D%0D%0A%20ADDR%20000B2F90%3A%20%224111111111111111%3D13071010000000000666%22%0D%0A%5BEOF%5D%0D%0A
Decoded, with each line terminated by CRLF, that is:
[PID 1224 (MSR.exe)]
 ADDR 000B2F90: "4111111111111111=13071010000000000666"
[EOF]
4111111111111111 is the well-known Visa test PAN, so this capture looks like a test swipe through a magnetic stripe reader (MSR) utility rather than real card data.
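The exfiltration body has a fixed, greppable layout, which is what a network detection should key on. The following decoder is an added example (my own code, not the malware's or ESET's): it URL-decodes a body, parses the [PID n (process)] / ADDR xxxxxxxx: "track2" / [EOF] records, and masks the PAN so a detection can log the hit without storing card data. The sample body is the one quoted above; the record field names and the signature regex are my own.

```python
"""Decoder and signature for the POSCardStealer.O exfiltration POST body.

Added example, not code from the malware or from the original post. It assumes
the body layout shown in the post: a "[PID n (process)]" header line, one or
more " ADDR <8 hex>: \"<track2>\"" lines and an "[EOF]" trailer, each CRLF-terminated.
"""
import re
from urllib.parse import unquote

# Constructed from the POST body quoted in the post (still URL-encoded).
SAMPLE_BODY = ("%5BPID%201224%20%28MSR.exe%29%5D%0D%0A%20ADDR%20000B2F90%3A%20"
               "%224111111111111111%3D13071010000000000666%22%0D%0A%5BEOF%5D%0D%0A")

# Decoded-form parsers for the three record types.
HEADER_RE = re.compile(r"^\[PID (\d+) \((.+?)\)\]$")
ADDR_RE = re.compile(r'^ ADDR ([0-9A-Fa-f]{8}): "([^"]*)"$')

# Raw (still URL-encoded) signature usable as an IDS content match: the
# encoded brackets, the CRLFs and the [EOF] trailer are invariant across hits.
EXFIL_SIGNATURE = re.compile(
    r"%5BPID%20\d+%20%28.+?%29%5D%0D%0A"
    r"(?:%20ADDR%20[0-9A-F]{8}%3A%20%22.+?%22%0D%0A)+"
    r"%5BEOF%5D", re.IGNORECASE)


def matches_signature(body):
    """True if a raw POST body matches the POSCardStealer.O exfil layout."""
    return EXFIL_SIGNATURE.search(body) is not None


def mask_pan(track2):
    """Keep first 6 and last 4 PAN digits plus the expiry; drop the rest."""
    pan, _, rest = track2.partition("=")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:] + "=" + rest[:4] + "..."


def parse_exfil(body):
    """URL-decode an exfil body and return a list of {pid, process, hits}."""
    text = unquote(body)
    records = []
    current = None
    for line in text.split("\r\n"):
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"pid": int(m.group(1)), "process": m.group(2), "hits": []}
            records.append(current)
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            current["hits"].append({"addr": int(m.group(1), 16),
                                    "track2_masked": mask_pan(m.group(2))})
            continue
        if line == "[EOF]":
            current = None
            continue
        raise ValueError("unexpected line in exfil body: %r" % line)
    return records


if __name__ == "__main__":
    print("signature match:", matches_signature(SAMPLE_BODY))
    for rec in parse_exfil(SAMPLE_BODY):
        print(rec)
```

The raw-form signature is the one to deploy on the wire (the body is sent as-is, so the IDS sees the percent-encoded text); the decoded-form parser is for triage of captured hits, and masking is deliberate so the analyst's logs do not become a second copy of the card data.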

This malware cannot receive commands and has no special mechanism.
In another sample I found a second domain: rolex216.8s.nl/go/go.php
• dns: 1 ›› ip: 41.223.53.155 - address: ROLEX216.8S.NL

This malware was dropped by a downloader that now fetches another piece of malware, one that brute-forces WordPress sites (maybe I will cover that one soon).

Staying with POS malware, a 'new' threat (detected only by generic signatures) has appeared.
https://www.virustotal.com/fr/file/746cb8cf77b0b00f14c424731948d8fc13378978d193d75f944b12c25e98e0e2/analysis/1376958328/
I have had this sample since August, from a guy who found it on his POS systems.
Three months later, nobody has yet written an accurate signature for it.

First it creates the nested directories 'System\Hidden' inside %APPDATA%\Microsoft\Windows:

It then tests its own directory to find out where the executable was launched from:

copies the EXE into that folder and launches the copy:

A registry key "Svchost-Windows-Redquired" (the misspelling is the malware's own) is created for persistence:

It then enters a routine that deletes the original file through cmd.exe:
/c del C:\DOCUME~1\ADMINI~1\Bureau\svchost.exe >> NUL
and, as expected, exits right after.

So what does the fresh copy in the 'right' folder do?
First, it takes the other branch of the directory test.

In that procedure it computes a string based on the system time (GetSystemFileTime), then starts enumerating processes.
It opens them one by one, reads their memory and looks for Track 2 data in a subroutine.
Usual stuff.
The search is by pattern on the second part of Track 2, i.e. the '=' field separator followed by the two-digit expiry year: '=13', '=14', '=15', etc.
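Both samples on this page scan process memory the same way, so one scanner covers them. The code below is an added example (my own, not either sample's code): it runs over a byte buffer standing in for a process's memory, anchors on the '=1Y' expiry-year pattern the sample greps for, and keeps only PANs that pass the Luhn check, which is how a scanner avoids the false hits a bare '=13' search produces. The buffer contents are constructed; the year range 20-29 is my extension of the post's '=13', '=14', '=15' idea.

```python
"""Track 2 memory scanner of the kind both POS samples implement.

Added example, not the malware's code. Track 2 is: PAN (13-19 digits), '='
separator, YYMM expiry, 3-digit service code, optional discretionary data,
at most 37 characters in total. The regex anchors on '=1Y'/'=2Y' (the post's
'=13', '=14', '=15' patterns, generalised here) and the Luhn check filters
digit runs that merely look like a PAN.
"""
import re

TRACK2_RE = re.compile(
    rb"(?<!\d)(\d{13,19})=((?:1[3-9]|2[0-9])(?:0[1-9]|1[0-2])\d{3}\d{0,14})(?!\d)")


def luhn_ok(pan):
    """Standard Luhn (mod 10) check on a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_buffer(buf, base=0):
    """Return [(address, track2_string)] for every Luhn-valid hit in buf.

    base is the virtual address of buf[0], so the reported address matches
    what the malware logs next to the PID (e.g. 000B2F90 in the post).
    """
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append((base + m.start(), m.group(0).decode()))
    return hits


# Constructed stand-in for a process's memory: padding, a Track 1 record (no
# '=' after the PAN, so it must not match), one valid Track 2 record, a decoy
# whose PAN fails Luhn, and '=1Y' noise with no PAN in front of it.
FAKE_MEMORY = (
    b"\x00" * 16
    + b"%B4111111111111111^DOE/JOHN^13071010000000000?"
    + b";4111111111111111=13071010000000000666?"
    + b"\x00" * 8
    + b"4111111111111112=1408101000000000000?"
    + b"x=13 y=14 total=1501"
)


if __name__ == "__main__":
    for addr, track in scan_buffer(FAKE_MEMORY, base=0xB2F00):
        print("ADDR %08X: \"%s\"" % (addr, track))
```

On a live Windows host the buffer would come from ReadProcessMemory over the committed regions that VirtualQueryEx reports, which is exactly the loop the sample runs over every process it can open; the regex and the Luhn filter are also what a memory-scanning detection (or a YARA rule run against a process dump) would use to confirm that card data is present rather than just '=13' somewhere in a text buffer.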

A file 'Sys.dll' is created:
It is timestamped (the timestamp is stored encoded):
and written to disk:

It then sleeps for 450000 ms (7.5 minutes).

If a dump is found, it is encoded:
and written to Sys.dll.

Then they are sent one by one to the C&C:

http://mcsup.cc/8edf4bc26f9c526ff846c9068f387dac/?update=daily&random=563245325050324532495458495358
http://mcsup.cc/8edf4bc26f9c526ff846c9068f387dac/redirect.php
http://mcsup.cc/8edf4bc26f9c526ff846c9068f387dac/website.php
5.9.96.235
The MD5 hash '8edf4bc26f9c526ff846c9068f387dac' in the URL path is the hash of 'zabeat'.

1 comment:

  1. Can you send this sample to info@payload-security.com? We would be very interested in analyzing the sample to see if "StaticStream - A Hybrid Analysis Engine for x86 Assembly" (see www.payload-security.com for details) can produce the same results.
