POS Designer:
POS interface (password protected)
The guys who hacked it first left a lot of traces... gentlemen, I present to you... rome0/Amnesia
For the record, rome0 is a French carder; you can read a report about him here: http://trackingcybercrime.blogspot.fr/2012/05/inside-french-cybercriminel.html
iZER0x... hmm, yes, I've already seen this.
*\AC:\Users\iZER0x\Desktop\supern0va\france\Project1.vbp
*\AC:\Users\iZER0x\Desktop\shitz\PickPockeT\bot\xD\New Folder\Project1.vbp
More strings:
This file is actually a downloader/dropper for rdasrv, but the site looks dead.
vcc-vba.com/a.dll
vcc-vba.com/x.exe
scumware.org has a hash for x.exe
That was not really hard to find; I had even already posted it on a forum.
After searching for the sample, no surprise... rdasrv.
vcc-vba advert:
I will not go into the details of how rdasrv works; the Sophos guys already explained it here:
http://nakedsecurity.sophos.com/2011/11/30/targeted-attacks-steal-credit-cards-from-hospitality-and-educational-institutions/
ESET is broken on the compromised system:
"I got access to a teller machine"
"Still Looking URL from RDP website"
"need Hacker with good knowledge into Pos malware/Decrypting Pos"
You can also see mmon.exe; the file is the same as in my previous post about POS malware:
http://www.xylibox.com/2012/03/pos-carding.html
Some logs were saved.
dbgview log (at first I didn't understand why DebugView was here):
Task scheduler:
Probably used to run a RAM scraper every x minutes.
mm1.exe is one of the RAM scrapers found; first time I've seen this one.
Algorithm to detect track2:
Show the track2 in console:
CBTools:
I also found a good RAM scraper named 'mm_bot.exe', probably a custom piece.
When run, it copies itself to %APPDATA%/Google/svchost.exe, adds registry persistence (HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load), runs the copy and melts (deletes) the original file; then it reads process memory for track2 data, gets PC info, encodes everything with a lame key and sends that to a server.
(sadly, the server is dead)
Everything is hidden, but the info is shown via OutputDebugStringW; at first I didn't understand why I found DebugView there, but now it's clear to me.
Get username/pc name:
Scan processes:
Track2 grab:
Encode grabbed data:
Send dumps via POST request to 109.75.176.63/forum/post.php
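Both mm1.exe ("Algorithm to detect track2" above) and mm_bot.exe ("Scan processes" / "Track2 grab") do the same core job: walk process memory looking for something shaped like track 2 data. As an added example, not code from either sample or from this post, here is that detection logic in Python, with a Luhn check and an expiry-month check on top to throw away digit strings that merely look like a track. The function and constant names (`scan_track2`, `luhn_ok`, `SAMPLE_MEMORY`, etc.) are mine, and the byte buffer is constructed with public test PANs; on a real POS the scraper reads this data out of live processes, which is the part the buffer stands in for. The same scan is useful on the defensive side, run over a memory dump of a suspect host to see what a scraper could have harvested.

```python
import re
from typing import Dict, List

# Track 2 layout (ISO/IEC 7813): PAN (up to 19 digits), field separator '=',
# expiry as YYMM, 3-digit service code, discretionary data, end sentinel '?'.
# The ';' start sentinel is often missing from in-memory copies, so it is optional.
# The negative lookbehind stops the PAN from starting in the middle of a longer digit run.
TRACK2_RE = re.compile(
    rb";?(?<![0-9])(?P<pan>[0-9]{13,19})=(?P<exp>[0-9]{4})(?P<svc>[0-9]{3})(?P<disc>[0-9]{0,30})\??"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def valid_expiry(yymm: str) -> bool:
    """Reject 'expiry' fields whose month is outside 01..12."""
    month = int(yymm[2:])
    return 1 <= month <= 12


def mask_pan(pan: str) -> str:
    """Keep BIN and last four so a hit can be reported without leaking the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_track2(buf: bytes) -> List[Dict[str, object]]:
    """Find track 2 candidates in a memory buffer and keep only plausible ones."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode()
        exp = m.group("exp").decode()
        if not luhn_ok(pan) or not valid_expiry(exp):
            continue  # digits that look like a track but cannot be a real card
        hits.append({
            "offset": m.start("pan"),
            "pan": pan,
            "exp": exp,
            "service": m.group("svc").decode(),
        })
    return hits


# Constructed stand-in for a process memory dump. The first record uses the
# well-known Visa test PAN 4111111111111111; the second fails Luhn; the third
# is a valid test PAN with an impossible month; the last is a digit run with no
# field separator.
SAMPLE_MEMORY = (
    b"\x00\x00Some POS process strings\x00"
    b";4111111111111111=15121010000000000000?\x00"
    b"1234567890123456=1501101000000?\x00"
    b"5555555555554444=1513101000000?\x00"
    b"order 98765432101234567890 total\x00"
)

if __name__ == "__main__":
    for hit in scan_track2(SAMPLE_MEMORY):
        print(f"offset {hit['offset']}: {mask_pan(hit['pan'])} exp {hit['exp']} svc {hit['service']}")
```

Many of the cheap scrapers skip the Luhn and expiry filters and just ship every `digits=digits` match to the drop server; that is why their logs are full of junk. The filter here is what separates a usable dump from noise, and it is also what you want in a detection rule, because a rule that fires on bare digit runs will drown in false positives on a POS host.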
AV doesn't seem to know it: 3/45, all generic, according to VirusTotal: https://www.virustotal.com/file/bea36957edeab025bdad5a04daa317f913212103a2bde608529ea18d978e7d45/analysis/1354666164/
RAM scrapers are used mainly to supply carding shops and cost from $100 to $3000 depending on features.
If you're looking for samples: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1756