Finally some new stuff (hmm, no)
Let's talk about Win32/Spy.POSCardStealer.O identified by ESET.
It's pretty lame but let's see it anyway.
On the first procedure the malware will register a reg key in HKLM with 'HDebugger'
And start to search for track2:
Then he call the C&C (hoqou.su/forum.php):
Do a sleep of 120000 ms (2 minutes):
And redo into the track2 research procedure.
When finaly something is found the malware took the PID of the program, the process name and the mem adress:
POST req example:
This malware can't receive orders, and don't have a special mechanism.
On another sample, i've found another domain: rolex216.8s.nl/go/go.php
• dns: 1 ›› ip: 126.96.36.199 - adresse: ROLEX216.8S.NL
This malware was downloaded from a downloader who now download another malware who brute force wordpress sites (maybe i will talk about this one soon).
Still with POS Malware a 'new' threat (Detected only with generic signatures) appeared.
I got this sample since august from a guys who found this on his POS systems.
In 3 months there is still no one who have do an accurate signature.
At first he will create two directories 'System\Hidden' inside %APPDATA%\Microsoft\Windows
Do a directory test to know from where the executable is launched:
Copy the EXE and launch the copy:
A registry key "Svchost-Windows-Redquired" is created for persistence
Enter in a procedure to remove the original file:
And as excepted send a exit code just after...
So what's do the fresh copy inside the 'good' folder ?
Firstly he take the jump due to the directory test.
On the procedure he will compute a string based on GetSystemFileTime, then he start to enumerate process.
He will open them one by one, read the memory and look for track 2 in a subroutine.
They search by partern from the second part of tracks 2 '=13' '=14' '=15' etc..
A file 'Sys.dll' is created:
Do a sleep of 450000 ms (7 1/2 minutes)
if a dump is found the dump is encoded:
Then they are sent one by one to the C&C:
The md5 hash '8edf4bc26f9c526ff846c9068f387dac' is 'zabeat'