Wednesday 4 December 2013

Win32/Spy.POSCardStealer.O and unknown POS Sniffer

Finally some new stuff (hmm, no)
Let's talk about Win32/Spy.POSCardStealer.O identified by ESET.
It's pretty lame but let's see it anyway.

On the first procedure the malware will register a reg key in HKLM with 'HDebugger'

And start to search for track2:

Then he call the C&C (
• dns: 1 ›› ip: - adresse: HOQOU.SU

Do a sleep of 120000 ms (2 minutes):

And redo into the track2 research procedure.
When finaly something is found the malware took the PID of the program, the process name and the mem adress:
Then he send it to the C&C...

POST req example:

This malware can't receive orders, and don't have a special mechanism.
On another sample, i've found another domain:
• dns: 1 ›› ip: - adresse: ROLEX216.8S.NL

This malware was downloaded from a downloader who now download another malware who brute force wordpress sites (maybe i will talk about this one soon).

Still with POS Malware a 'new' threat (Detected only with generic signatures) appeared.
I got this sample since august from a guys who found this on his POS systems.
In 3 months there is still no one who have do an accurate signature.

At first he will create two directories 'System\Hidden' inside %APPDATA%\Microsoft\Windows

Do a directory test to know from where the executable is launched:

Copy the EXE and launch the copy:

A registry key "Svchost-Windows-Redquired" is created for persistence

Enter in a procedure to remove the original file:
/c del C:\DOCUME~1\ADMINI~1\Bureau\svchost.exe >> NUL
And as excepted send a exit code just after...

So what's do the fresh copy inside the 'good' folder ?
Firstly he take the jump due to the directory test.

On the procedure he will compute a string based on GetSystemFileTime, then he start to enumerate process.
He will open them one by one, read the memory and look for track 2 in a subroutine.
Usual stuff.
They search by partern from the second part of tracks 2 '=13' '=14' '=15' etc..

A file 'Sys.dll' is created:
timestamped with
And wrote:

Do a sleep of 450000 ms (7 1/2 minutes)

if a dump is found the dump is encoded:
And wrote in Sys.dll.

Then they are sent one by one to the C&C:
The md5 hash '8edf4bc26f9c526ff846c9068f387dac' is 'zabeat'

1 comment:

  1. Can you send this sample to We would be very interested in analyzing the sample to see if "StaticStream - A Hybrid Analysis Engine for x86 Assembly" (see for details) can produce the same results.