
Cyber intelligence

Point of Sale Malware: Indicators of Compromise

1/18/2016

Author: Vitali Kremez

The following 12 point-of-sale (POS) malware samples were analyzed for indicators of compromise (IoCs):

(1) GetMyPass POS Malware
(2) Neutrino POS Malware
(3) BackOff POS Malware
(4) Framework POS Malware
(5) Alina POS Malware
(6) vSkimmer POS Malware
(7) Gorynych DiamondFox POS Botnet
(8) PoSeidon POS Malware
(9) Dexter POS Malware
(10) Lucy TOR POS Malware
(11) JackPOS Malware
(12) Kaptoxa POS Malware

The IoCs include a Yara signature and a Sourcefire (Snort) rule for each point-of-sale malware sample listed above.
=================================================================
I. GetMyPass POS Malware
(A) Yara Signature:
rule POSMalware_Win32_GetMyPassPOS : POS
{
    meta:
        author = "Vitali Kremez"
        date = "2015-12-29"
        description = "Detected GetMyPassPOS Scraper"
        hash0 = "af13e7583ed1b27c4ae219e344a37e2b"
        sample_filetype = "exe"
    strings:
        $string0 = "logounui.exe"
        $string1 = " adminpanel.000a.biz/rec.php"
        $string2 = "chrome.exe"
        $string3 = "thunderbird.exe"
        $string4 = "\\\\.\\mailslot\\LogCC"
        $string5 = "windbg.exe"
        $string6 = "csrss.exe"
        $string7 = "pidgin.exe"
        $string8 = "/%s?encoding=%c&t=%c&cc=%I64d&process="
        $string9 = "smss.exe"
        $string10 = "wininit.exe"
        $string11 = "firefox.exe"
        $string12 = "8SVWARASATAUH"
        $string13 = "SVWARASATAUH"
        $string14 = "svchost.exe"
    condition:
        14 of them and filesize < 18KB
}
 
(B) Sourcefire Rule:
# All content options in one rule are ANDed, so this fires only when every indicator is in the same packet; split into one rule per indicator to alert on any of them.
# 77.109.171.155 is a destination address and belongs in the rule header rather than in content. sid is a placeholder in the local range (the original gave none).
alert tcp $HOME_NET any -> any any (msg:"GetMyPass POS Alert"; content:"adminpanel.000a.biz"; content:"/rec.php"; content:"77.109.171.155"; pcre:"/.*(encoding=|\&t=|\&cc=|\&process=).*/"; pcre:"/rec\.php/"; classtype:trojan-activity; sid:1000001; rev:1;)

II. Neutrino POS Malware
(A) Yara Signature:
rule POS_Win32_NeutrinoPOS : POS
{
meta:
         author = "Vitali Kremez"
         date = "2015-12-28"
         description = "Detected NeutrinoPOS Scraper"
         hash0 = "ccbf7cba35bab56563c0fbe4237fdc41"
         sample_filetype = "exe"
strings:
         $string0 = ":0:6:<:B:L:Q:u:"
         $string1 = "ftpte.exe"
         $string2 = "dwflood"
         $string3 = "SOFTWARE\\VMware, Inc.\\VMware Tools"
         $string4 = "7'7F7S7"
         $string5 = "4e4m4s4y4"
         $string6 = "document.cookie"
         $string7 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
         $string8 = "0000-0000-0000-0000-0000"
         $string9 = "0.0L0Q0W0"
         $string10 = "loader"
         $string11 = "smartftp.exe"
         $string12 = "DigitalProductId"
         $string13 = "displayName" wide
         $string14 = "> >->Z>"
         $string15 = "22393$7(7,7074787<7"
         $string16 = "929I9N9S9a9k9"
         $string17 = "freeftp.exe"
condition:
         17 of them and filesize<94KB
}
 
(B) Sourcefire Rule:
# Content options are ANDed; split per indicator to alert on any one of them. Semicolons inside content must be escaped. sid is a placeholder.
alert tcp $HOME_NET any -> any any (msg:"Neutrino POS Alert"; content:"stormstresser.net"; content:"/admin/tasks.php"; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1\; WOW64\; rv:28.0) Gecko/20100101 Firefox/28.0"; pcre:"/.*(ff=|\&host=|\&form=|dumpgrab=|\&track_data=\&process_name).*/"; classtype:trojan-activity; sid:1000002; rev:1;)

III. BackOff POS Malware 
(A) Yara Signature:
rule POS_Win32_BackoffPOS : POS
{
    meta:
        author = "Vitali Kremez"
        date = "2015-12-27"
        description = "Detected BackoffPOS Scraper"
        hash0 = "12c9c0bc18fdf98189457a9d112eebfc"
        sample_filetype = "exe"
    strings:
        $string0 = "&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s"
        $string1 = "/windebug/updcheck.php"
        $string2 = "81.4.111.176 "
        $string3 = "\\OracleJava\\Log.txt"
        $string4 = "\\OracleJava\\javaw.exe"
        $string5 = "GET %s HTTP/1.1Host: %s Connection: close"
        $string6 = "LANMANNT"
        $string7 = "SYSTEM\\CurrentControlSet\\Control\\ProductOptions"
        $string8 = "nUndsa8301nskal"
    condition:
        all of them and filesize < 77KB
}

(B) Sourcefire Rule:
# Content options are ANDed; split per indicator to alert on any one of them. The pcre keys are taken from the beacon format string in the Yara rule above: the original's "%s" is a printf placeholder that never appears on the wire, and its lone-space alternative matched almost any payload. sid is a placeholder.
alert tcp $HOME_NET any -> any any (msg:"BackoffPOS Alert"; content:"total-updates.com"; content:"zoom2energy.com"; content:"/windebug/updcheck.php"; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1\; rv:24.0) Gecko/20100101 Firefox/24.0"; pcre:"/(&op=|&id=|&ui=|&wv=|&gr=|&bv=)/"; pcre:"/\/userfiles\/fb_sprd6\.exe/"; classtype:trojan-activity; sid:1000003; rev:1;)

IV. Framework POS Malware
(A) Yara Signature:
rule Backdoor_Win32_FrameworkPOS : BDR SCRP
{
    meta:
        author = "Vitali Kremez"
        date = "2015-12-27"
        description = "Detected FrameworkPOS Scraper"
        hash0 = "b57c5b49dab6bbd9f4c464d396414685"
        sample_filetype = "exe"
    strings:
        $string0 = "McTrayErrorLogging.dll"
        $string1 = "t.bat"
        $string2 = "scalar deleting destructor'"
        $string3 = "vector destructor iterator'"
        $string4 = "SING error" wide
        $string5 = "Saturday" wide
        $string6 = "February" wide
        $string7 = "Runtime Error!" wide
        $string8 = "urn:schemas-microsoft-com:asm.v1"
        $string9 = "$char_traits@D@std@@@std@@"
        $string10 = "Friday" wide
        $string11 = "http://1389blog.com/pix/molotov-cocktails-usa-ukraine-syria-egypt-libya.jpg"
        $string12 = "https://en.wikipedia.org/wiki/List_of_wars_involving_the_United_States"
        $string13 = "- floating point support not loaded" wide
        $string14 = "- Attempt to use MSIL code from this assembly during native code initialization" wide
        $string15 = "C$PjQV"
        $string16 = "ctfmon.exe"
        $string17 = "- not enough space for locale information" wide
        $string18 = "vftable'"
    condition:
        // Most $string* values are generic MSVC runtime strings, so "6 of them" can be met by
        // benign binaries; treat hits without $string0/$string1/$string11/$string12 as low confidence.
        6 of them and filesize < 132KB
}
 
(B) Sourcefire Rule:
# Port lists need brackets. SMB file names are normally carried as UTF-16LE, so these ASCII content matches only fire if the names appear as plain ASCII in the payload. sid is a placeholder.
alert tcp $HOME_NET any -> $HOME_NET [389,445] (msg:"Framework POS SMB Alert"; content:"McTrayErrorLogging.dll"; content:"t.bat"; classtype:trojan-activity; sid:1000004; rev:1;)

V. Alina POS Malware
(A) Yara Signature:
rule Backdoor_Win32_Alina : BDR SCRP
{
    meta:
        author = "Vitali Kremez"
        date = "2015-12-26"
        description = "Detected Alina BackDoor/Scraper"
        hash0 = "033aac4079addea23bc4e00833cfa8d4"
        sample_filetype = "exe"
    strings:
        $pdb = "C:\\Users\\Administrator\\Desktop\\New Alina\\alina\\Release\\alina.pdb"
        $string0 = "winfax2.exe"
        $string1 = " /alinew/loading.php "
        $string2 = "2.16.840.1.113730.4.1"
        $string3 = "GetUserObjectInformationW"
        $string4 = "- Attempt to initialize the CRT more than once." wide
        $string5 = "address_family_not_supported"
        $string6 = "InitSecurityInterfaceA"
        $string7 = "bad file descriptor"
        $string8 = "firefox.exe"
        $string9 = "http://"
        $string10 = "omni callsig'"
        $string11 = "ntfs.dat"
        $string12 = "UNICODE" wide
        $string13 = "no space on device"
        $string14 = " heretheycome.cc "
        $string15 = "UTF-16LE"
        $string16 = "  <trustInfo xmlns"
        $string17 = "Bja-JP" wide
    condition:
        6 of them or any of ($pdb) and filesize < 162KB
}
 
(B) Sourcefire Rule:
# Content options are ANDed; split per indicator to alert on any one of them. nocase applies only to the content directly before it. The original "(alinew)*" matched zero occurrences, i.e. anything. sid is a placeholder.
alert tcp any any -> any any (msg:"Alina POS Backdoor Alert"; flow:to_server,established; content:"/alinew/cinp.php?cmd=1"; content:"/alinew/loading.php"; content:"heretheycome.cc"; content:"mail.strongboltmail.com"; content:"Mozilla/4.0 (compatible\; MSIE 7.0\; Windows NT 5.1\; InfoPath.1 Eagle Special v12"; nocase; pcre:"/alinew/"; pcre:"/(cinp\.php\?cmd=1|loading\.php)/"; classtype:trojan-activity; sid:1000005; rev:1;)

VI. vSkimmer POS Malware
(A) Yara Signature:
 
rule Backdoor_Win32_vSkimmer_POS : POS_BDR
{
    meta:
        author = "Vitali Kremez"
        date = "2015-12-26"
        description = "Detected vSkimmer POS"
        hash0 = "53950faf49ccb19b83b786eadedfe591"
        sample_filetype = "exe"
    strings:
        $mutex = "Heistenberg2337"
        $string0 = "KARTOXA007"
        $string1 = "dmpz.log"
        $string2 = "August"
        $string3 = "www.wrotjywvpzpwectb.in"
        $string4 = "$basic_ofstream@DU"
        $string5 = "alg.exe"
        $string6 = "FDPjGS"
        $string7 = "gjP$k-"
        $string8 = " SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
        $string9 = "User-Agent: PCICompliant/3.33"
        $string10 = "F\\PjMS"
        $string11 = "Ezeb]z"
        $string12 = "j h (B"
        $string13 = "spanish-peru"
        $string14 = "UTF-16LE"
        $string15 = "$basic_streambuf@DU"
        $string16 = "pL $T,"
        $string17 = "This indicates a bug in your application." wide
    condition:
        6 of them and all of ($mutex*) and filesize < 225KB
}
 
(B) Sourcefire Rule:
# Content options are ANDed; split per indicator to alert on any one of them. The original "(?xy=)" is an invalid PCRE inline-option group; the intent is a literal "?xy=". sid is a placeholder.
alert tcp any any -> any any (msg:"vSkimmer POS Backdoor Alert"; flow:to_server,established; content:"/api/process.php?xy="; content:"www.wrotjywvpzpwectb.in"; content:"mumbaibuildersforum.com"; content:"ucakambulans-tr.com"; content:"gadahospital.com"; content:"www.revaengg.com"; content:"sizinajansiniz.com"; content:"arslanzeminmakina.com"; content:"theadhyayana.in"; content:"www.sanalpetrol.com"; content:"www.turkteknoloji.net"; content:"aircharge.in"; content:"ambulansfabrikasi.com"; content:"PCICompliant/3.33nt"; nocase; pcre:"/portal1\/gateway\.php/"; pcre:"/\?xy=/"; classtype:trojan-activity; sid:1000006; rev:1;)


VII. Gorynych DiamondFox POS Botnet
(A) Yara Signature:
rule Backdoor_Win32_DiamondFox : Implant
{
    meta:
        author = "Vitali Kremez"
        date = "2015-12-23"
        description = "Detected Gorynych DiamondFox Implant"
        hash0 = "6b5f4ffa711a2d1e4f27455f6d0f09ad"
        sample_filetype = "exe"
    strings:
        $string0 = "loader.exe"
        $string1 = "Melt.bat"
        $string2 = "<Panel>" wide
        $string3 = "VM_WINXP" wide
        $string4 = "plugins/keylogger.p" wide
        $string5 = "</ABox>" wide
        // $string6 ("winmgmts:{impersonationlevel=impersonate}!\\\\.\\root\\...") is cut off in the
        // original post, so it is left out here to keep the rule compilable.
        $string7 = "<Time>" wide
        $string8 = "MY_PATH"
        $string9 = "cript.Sleep(2000)"
        $string10 = "</Boxie>" wide
        $string11 = "SHELL32"
        $string12 = "& chr(34)" wide
        $string13 = "</USB>" wide
        $string14 = "Shell.Application" wide
        $string15 = "CUSTOM" wide
        $string16 = "\\Armory\\" wide
        $string17 = "C_DATA"
    condition:
        6 of ($string*) and filesize < 81KB
}
 
(B) a. Sourcefire Rule:
# Forward slashes inside a /.../ pcre must be escaped; semicolons inside content must be escaped. sid is a placeholder.
alert tcp any any -> any 80 (msg:"DiamondFox Backdoor Alert"; flow:to_server,established; content:"/plugins/keylogger.p"; pcre:"/\/plugins\//"; pcre:"/pl=\&slots/"; content:"User-Agent: Mozilla/4.0 (compatible\; MSIE 7.0\; Windows NT 6.1\; Trident/4.0\; SLCC2\; .NET CLR 2.0.50727\; .NET CLR 3.5.30729\; .NET CLR 3.0.30729\; Media Center PC 6.0\; .NET4.0C\; .NET4.0E)"; nocase; classtype:trojan-activity; sid:1000007; rev:1;)
 
(B) b. Sourcefire Exfil Rule:
alert tcp any any <> 209.191.187.61 80 (msg: "DiamondFox C2 Connect"; sid: 10002;)

VIII. PoSeidon POS Malware
(A) Yara Signature:
rule POS_Win32_Unskal : POS
{
meta:
        author = "Vitali Kremez"
        date = "2015-12-20"
        description = "Detected PoSeidon BackDoor/Scraper"
        hash0 = "0c7631f791c60f79faa1d879056c2e18"
        sample_filetype = "exe"
 
strings:
        $pdb = "H:\\WorkNew\\FindStr\\Release\\FindStr.pdb" nocase wide ascii
        $string0 = "timed out"
        $string1 = "AR6002" wide
        $string2 = " delete[]"
        $string3 = "horticartf.com"
        $string4 = "CreateSemaphoreExW"
        $string5 = "sma-se" wide
        $string6 = "smj-NO" wide
        $string7 = "IsValidLocaleName"
        $string8 = "oprat=2&uid=%I64u&uinfo=%s&win=%d.%d&vers=%s"
        $string9 = "bad exception"
        $string10 = "_nextafter"
        $string11 = "omni callsig'"
        $string12 = "6d6h6l6p6t6x6"
        $string13 = "DOMAIN error" wide
        $string14 = "vector copy constructor iterator'"
        $string15 = "- inconsistent onexit begin-end variables" wide
        $string16 = "Monday" wide
        $string17 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) x"
        $string18 = "horticartf.com"
        $entrypointOpCode = { E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 68 ?? ?? }
condition:
        6 of ($string*) or any of ($pdb, $entrypointOpCode)
}

(B) Sourcefire Rule:
# Content options are ANDed; split per indicator to alert on any one of them. The first content keeps only the fixed prefix of the beacon template ("oprat=2&uid=%I64u&uinfo=..."): the %-specifiers are printf placeholders and never appear on the wire. Port lists need brackets. sid is a placeholder.
alert tcp $HOME_NET any -> any [80,443] (msg:"PoSeidon C2 CONNECT ALERT"; flow:to_server; content:"oprat=2&uid="; content:"pes13/viewtopic.php"; content:"dreplicag.ru"; content:"horticartf.com"; content:"quartlet.com"; content:"fimzusoln.ru"; content:"wetguqan.ru"; content:"kilaxuntf.ru"; content:"Mozilla/4.0 (compatible\; MSIE 8.0\; Windows NT 6.1\; Trident/4.0\; SLCC2\; .NET CLR 2.0.50727\; .NET CLR 3.5.30729\; .NET CLR 3.0.30729\; Media Center PC 6.0)"; nocase; classtype:trojan-activity; sid:1000008; rev:1;)
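The GetMyPass, BackOff and PoSeidon rules above all key on the same two things: a fixed C2 path and the parameter names of the beacon format string recovered from the binary. The following is an added example, not code from the original post, that applies that idea to web-proxy log lines: it reports a family only when the C2 path and the complete key set of that family's format string are both present, which is tighter than the single-key alternations (`&t=`, `&id=`) in the Sourcefire pcres. The log line format and the sample lines are constructed for the example; the hostnames in them are the ones the rules list.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, parse_qsl

# Beacon profiles derived from the rules above: the C2 path named in each Sourcefire
# rule and the parameter names of the beacon format string in the matching Yara rule
#   GetMyPass: "/%s?encoding=%c&t=%c&cc=%I64d&process="
#   BackOff:   "&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s"
#   PoSeidon:  "oprat=2&uid=%I64u&uinfo=%s&win=%d.%d&vers=%s"
BEACON_PROFILES = {
    "GetMyPass": ("/rec.php", {"encoding", "t", "cc", "process"}),
    "BackOff": ("/windebug/updcheck.php", {"op", "id", "ui", "wv", "gr", "bv"}),
    "PoSeidon": ("/pes13/viewtopic.php", {"oprat", "uid", "uinfo", "win", "vers"}),
}

# Constructed proxy log lines (not real traffic): "<ts> <client> <method> <url> [<body>]".
# example.invalid lines are benign noise that shares individual keys with the beacons.
SAMPLE_LOG = [
    "2016-01-18T10:00:01Z 10.0.0.5 GET http://adminpanel.000a.biz/rec.php?encoding=b&t=1&cc=1&process=pos.exe",
    "2016-01-18T10:00:02Z 10.0.0.7 GET http://intranet.example.invalid/rec.php?id=7&t=1",
    "2016-01-18T10:00:03Z 10.0.0.9 POST http://total-updates.com/windebug/updcheck.php op=1&id=abc&ui=HOST@user&wv=6&gr=x&bv=1.55",
    "2016-01-18T10:00:04Z 10.0.0.12 POST http://horticartf.com/pes13/viewtopic.php oprat=2&uid=12345&uinfo=HOST@user&win=6.1&vers=11.4",
    "2016-01-18T10:00:05Z 10.0.0.12 GET http://www.example.invalid/index.php?id=1&t=2&op=3",
]


def query_keys(query: str) -> set:
    """Parameter names in a query string or form-encoded body."""
    return {k for k, _ in parse_qsl(query, keep_blank_values=True)}


def classify_request(url: str, body: str = "") -> Optional[str]:
    """Return the family whose C2 path and complete key set appear in the request, else None.

    Keys may travel in the query string (GetMyPass) or in a POST body (BackOff, PoSeidon),
    so both are inspected. Requiring the whole key set keeps common names such as
    't' or 'id' from firing on ordinary web traffic.
    """
    parts = urlsplit(url)
    keys = query_keys(parts.query) | query_keys(body)
    for family, (c2_path, beacon_keys) in BEACON_PROFILES.items():
        if parts.path.endswith(c2_path) and beacon_keys <= keys:
            return family
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, family) for every log line that matches a beacon profile."""
    hits = []
    for line in lines:
        fields = line.split(" ", 4)   # the POST body, when present, is the 5th field
        if len(fields) < 4:
            continue                  # malformed line: skip it rather than abort the scan
        client, url = fields[1], fields[3]
        body = fields[4] if len(fields) == 5 else ""
        family = classify_request(url, body)
        if family:
            hits.append((client, family))
    return hits


if __name__ == "__main__":
    for client, family in scan_log(SAMPLE_LOG):
        print(f"{client} -> {family} beacon")
```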

IX. Dexter POS Malware
(A) Yara Signature:
rule Backdoor_Win32_Dexter_POS : POS_BDR
{
    meta:
        author = "Vitali Kremez"
        date = "2015-12-24"
        description = "Detected Dexter POS"
        hash0 = "70feec581cd97454a74a0d7c1d3183d1"
        sample_filetype = "exe"
    strings:
        $string0 = " ModuleReplace.exe"
        $string1 = "AeE_nVlii_Mi" wide
        $string2 = " %s\\%s\\%s.exe "
        $string3 = "NXx_ChJzU_fSIw"
        $string4 = " DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
        $string5 = "7 7$7(7,7074787<7@7D7H7L7P7T7X7"
        $string6 = "RenameTest@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z"
        $string7 = "test1.exe,"
        $string8 = "guypqbuopKlgsqoD"
        $string9 = "2F2S2_2o2}2"
        $string10 = "LNr_NZbwwrz_sSQ"
        $string11 = "> >)>8>>>R>X>h>r>x>"
        $string12 = "NtQueryInformationProcess"
        $string13 = " WindowsResilienceServiceMutex"
        $string14 = "ModuleReplace.exe"
        $string15 = "82888>8C8d8p8"
        $string16 = "RenameFortation@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z"
    condition:
        16 of them and filesize < 53KB
}
(B) a. Sourcefire Rule:
# Content options are ANDed; split per indicator to alert on any one of them. Stray spaces inside the original pcre alternation are removed; they would have prevented the keys from matching. sid is a placeholder.
alert tcp any any -> any 80 (msg:"Dexter POS Backdoor Alert"; flow:to_server,established; content:" Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1)"; content:"fabcaa97871555b68aa095335975e613.com/"; content:"67b3dba8bc6778101892eb77249db32e.com"; content:" 815ad1c058df1b7ba9c0998e2aa8a7b4"; content:"e7bc2d0fceee1bdfd691a80c783173b4.com"; content:"e7dce8e4671f8f03a040d08bb08ec07a.com"; content:"7186343a80c6fa32811804d23765cda4.com"; content:"11e2540739d7fbea1ab8f9aa7a107648.com"; nocase; pcre:"/portal1\/gateway\.php/"; pcre:"/(\&cnm=|\&opt=|\&query=|\&spec=|\&ump=|\&unm=|\&val=|\&var=|\&view=)/"; classtype:trojan-activity; sid:1000009; rev:1;)
 
(B) b. Sourcefire Exfil Rule:
alert tcp any any <> 193.107.19.165 80 (msg: "Dexter POS C2 Connect"; sid: 10003;)

X. Lucy POS Malware
(A) Yara Signature:
rule Backdoor_Win32_LucyPOS : BDR SCRP
{
    meta:
        author = "Vitali Kremez"
        date = "2015-12-29"
        description = "Detected LucyPOS Scraper"
        hash0 = "bc7bf2584e3b039155265642268c94c7"
        sample_filetype = "exe"
    strings:
        $service1 = "Verifone32.exe"
        $service2 = "mbambservice.exe"
        $string0 = " rec->input"
        $string1 = "Tried for %d seconds to get a connection to %s:%d. Giving up."
        $string2 = " CONN_TYPE_OR"
        $string3 = " (int)"
        $string4 = "boolean is wrong length"
        $string5 = "mp->conf_state "
        $string6 = "EXTENDED_EVENTS"
        $string7 = "unsupported content type"
        $string8 = "weight as exit"
        $string9 = "lock->locktype "
        $string10 = "cp->package_window >"
        $string11 = "opendir"
        $string12 = "SSLv3 read server key exchange A"
        $string13 = "Error tokenizing client keys file."
        $string14 = "OCSP helper"
        $string15 = "req->socks_version"
        $string16 = "C;\\$ u"
        $string17 = "Closing no-longer-configured %s on %s:%d"
        $string18 = "pb_extremepct"
    condition:
        // The $string* values are Tor client source strings, so an unmodified Tor binary
        // also matches them; the $service* names are the discriminating indicators.
        // Size was 4.1MB in the original post; YARA size suffixes take whole numbers only.
        (18 of them and filesize < 4300KB) or any of ($service*)
}
 
(B) Sourcefire Rule:
# Content options are ANDed; split per indicator to alert on any one of them. The .onion URLs travel inside Tor's encryption and will not appear in cleartext payload, so only the IP addresses and TLS record bytes are observable on the wire. The original "\x16\x03\x0" is written in Snort's |..| hex notation with its incomplete third byte dropped. sid is a placeholder.
alert tcp $HOME_NET any -> any any (msg:"LucyPOS Alert"; content:"http://kcdjqxk4jjwzjopq.onion/d/gw.php"; content:"http://ydoapqgxeqmvsugz.onion/d/gw.php"; content:"193.23.244.24"; content:"171.25.193.9"; content:"195.154.127.246"; content:"188.40.37.200"; content:"|16 03|"; pcre:"/.*(page=|\&ump=|\&ks=|\&opt=|\&unm=|\&cnm=|\&view=|\&spec=|\&query=|\&val=|\&var=|\&response=).*/"; classtype:trojan-activity; sid:1000010; rev:1;)

XI. JackPOS Malware
(A) Yara Signature:
rule Backdoor_Win32_JackPOS : SCRP
{
    meta:
        author = "Vitali Kremez"
        date = "2015-12-22"
        description = "Detected JackPOS Scraper"
        hash0 = "aa9686c3161242ba61b779aa325e9d24"
        sample_filetype = "exe"
    strings:
        $pdb1 = "\\ziedpirate.ziedpirate-PC\\"
        $pdb2 = "\\sop\\sop\\"
        $string0 = "/post/download"
        $string1 = "jusched.exe"
        $string2 = "17/[7PMP"
        $string3 = "no such8v"
        $string4 = "something"
        $string5 = "&t1="
        $string6 = "mac="
        $string7 = "6(7N7Y7{7"
        $string8 = "m6w;{p"
        $string9 = "    <security>"
        $string10 = "064686<6@6D"
        $string11 = "0N1qSWm"
        $string12 = "dDh-)$"
        $string13 = "B(0uuy"
        $string14 = "48.k6lb"
        $string15 = "tIQ$wIF"
        $string16 = "1 1-1O1Y1c1v"
        $string17 = "mG{/_v"
    condition:
        6 of them or uint16(0) == 0x5A4D and 1 of ($pdb*) and filesize < 135KB
}
 
(B) Sourcefire Rule:
# Content options are ANDed; split per indicator to alert on any one of them. nocase must follow a content option, and flow may appear only once. sid is a placeholder.
alert tcp any any -> any 80 (msg:"JackPOS Activity Detected"; flow:to_server,established; content:"priv8darkshop.com"; content:"/post/echo HTTP/1.1"; content:"User-Agent|3A|something"; content:"/post/download"; nocase; pcre:"/mac=.*(\&t1|&t2).*/"; classtype:trojan-activity; sid:1000011; rev:1;)

XII. Kaptoxa POS Malware
(A) Yara Signature:
rule POS_Win32_Kaptoxa : POS
{
    meta:
        author = "Vitali Kremez"
        date = "2015-12-21"
        description = "Detected Kaptoxa BlackPOS/Scraper"
        hash0 = "ce0296e2d77ec3bb112e270fc260f274"
        sample_filetype = "exe"
    strings:
        $fmt = "data_%d_%d_%d_%d_%d.txt"
        $pdb = " z:\\Projects\\Rescator\\MmonNew\\Debug\\mmon.pdb" nocase wide ascii
        $string0 = "GOTIT"
        $string1 = ".memdump"
        $string2 = "a_env.c"
        $string3 = "Colombia"
        $string4 = "South Africa"
        $string5 = "stdenvp.c"
        $string6 = "KAPTOXA" nocase wide
        $string7 = "_heapchk fails with unknown return value"
        $string8 = " Data: <%s> %s"
        $string9 = "_freebuf.c"
        // $string10 ("c:\\program files\\microsoft visual studio .net 2003\\...") is cut off in the
        // original post, so it is left out here to keep the rule compilable.
        $string11 = "$basic_ostream@DU"
        $string12 = "GetModuleInformation"
        $string13 = "Warning"
        $string14 = "initnum.c"
        $string15 = "_filbuf.c"
        $string16 = "_CrtDbgReport: String too long or IO Error"
        $string17 = "(%d) : "
        $string18 = "initctyp.c"
    condition:
        6 of ($string*) or any of ($pdb, $fmt) and filesize < 265KB
}

(B) a. Sourcefire Rule [source: securityintelligence.com]:
# |00| hex notation is content syntax only; inside pcre the NUL bytes must be written as \x00 (as |..| in a PCRE, the original pattern was read as an alternation and matched almost anything). sid:1 lies in the range reserved for vendor rules.
alert tcp any any -> any 445 (msg:"KAPTOXA File Write Detected"; flow:to_server,established; content:"SMB|A2|"; content:"\\|00|W|00|I|00|N|00|D|00|O|00|W|00|S|00|\\|00|t|00|w|00|a|00|i|00|n|00|_|00|3|00|2|00|\\"; pcre:"/.*_.*_.*_.*\.\x00t\x00x\x00t/"; flowbits:set,kaptoxa; sid:1;)
 
(B) b. Sourcefire Rule [source: securityintelligence.com]:
alert tcp any any -> any 445 (msg:"KAPTOXA Encoded Track Data Detected"; flow:to_server,established; flowbits:isset,kaptoxa; content:"SMB"; pcre:"/(M1|Mf|Mh|Ml|T1|Tf|Th|Tl|sh|sl)[a-zA-Z0-9/]{2}(M1|Mf|Mh|Ml|T1|Tf|Th|Tl|sh|sl)[a-zA-Z0-9/]{2}(M1|Mf|Mh|Ml|T1|Tf|Th|Tl|sh|sl)[a-zA-Z0-9/]{2}(M1|Mf|Mh|Ml|T1|Tf|Th|Tl|sh|sl)[a-zA-Z0-9/]{2}(M1|Mf|Mh|Ml|T1|Tf|Th|Tl|sh|sl)/"; sid:2;)
 
(B) c. Sourcefire Exfil Rule [source: crowdstrike.com]:
# sids 1, 2 and 10001-10003 fall in the range reserved for vendor rules, and 10002/10003 are also used by the DiamondFox and Dexter exfil rules above; assign unique local sids (1000000 and up) before loading the set.
alert tcp any any <> 199.188.204.182 21 (msg: "KAPTOXA Exfil C2"; sid: 10001;)
alert tcp any any <> 50.87.167.144 21 (msg: "KAPTOXA Exfil C2"; sid: 10002;)
alert tcp any any <> 63.111.113.99 21 (msg: "KAPTOXA Exfil C2"; sid: 10003;)
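The two Kaptoxa SMB rules only make sense as a pair: the first fires on the dump-file write and sets the kaptoxa flowbit, the second alerts on the encoded track-data pattern only on a flow where that bit is already set. The following is an added example, not code from the original post or from the sources it cites, that replays the same two-stage logic in Python over constructed SMB write payloads, including a decoder for Snort's |..| hex content notation so the UTF-16LE \WINDOWS\twain_32\ path is compared as bytes. The payloads and flow identifiers are constructed; 0xA2 (NT Create AndX) comes from the rule and 0x2F (Write AndX) is used only to shape the second payload.

```python
import re
from typing import List, Tuple


def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort content string: text is literal, |..| runs are hex bytes, a backslash escapes the next character."""
    out, i = bytearray(), 0
    while i < len(content):
        ch = content[i]
        if ch == "\\" and i + 1 < len(content):      # escaped literal character (\\ \" \| \;)
            out.append(ord(content[i + 1]))
            i += 2
        elif ch == "|":                                # hex run up to the closing pipe
            end = content.index("|", i + 1)
            out.extend(bytes.fromhex(content[i + 1:end]))
            i = end + 1
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


# Stage 1 indicators from the "KAPTOXA File Write Detected" rule: NT Create AndX (0xA2), the
# UTF-16LE path, and data_%d_%d_%d_%d_%d.txt as underscores then ".txt" with interleaved NULs.
SMB_NT_CREATE_ANDX = snort_content_to_bytes("SMB|A2|")
TWAIN_PATH = snort_content_to_bytes(
    r"\\|00|W|00|I|00|N|00|D|00|O|00|W|00|S|00|\\|00|t|00|w|00|a|00|i|00|n|00|_|00|3|00|2|00|\\")
DUMP_NAME_RE = re.compile(rb"_.*_.*_.*\.\x00t\x00x\x00t", re.DOTALL)

# Stage 2 indicator: the track-data pcre from "KAPTOXA Encoded Track Data Detected".
_TOKEN = rb"(?:M1|Mf|Mh|Ml|T1|Tf|Th|Tl|sh|sl)"
TRACK_RE = re.compile(rb"(?:" + _TOKEN + rb"[a-zA-Z0-9/]{2}){4}" + _TOKEN)


def is_dump_file_write(payload: bytes) -> bool:
    return (SMB_NT_CREATE_ANDX in payload and TWAIN_PATH in payload
            and DUMP_NAME_RE.search(payload) is not None)


def has_encoded_track_data(payload: bytes) -> bool:
    return b"SMB" in payload and TRACK_RE.search(payload) is not None


def correlate(events: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Replay Snort's flowbits: stage 2 may alert only on a flow that already passed stage 1."""
    flowbits, alerts = set(), []
    for flow, payload in events:
        if is_dump_file_write(payload):
            flowbits.add(flow)                                       # flowbits:set,kaptoxa
            alerts.append((flow, "KAPTOXA File Write Detected"))
        elif flow in flowbits and has_encoded_track_data(payload):   # flowbits:isset,kaptoxa
            alerts.append((flow, "KAPTOXA Encoded Track Data Detected"))
    return alerts


# Constructed SMB payloads (not captured traffic); 0x2F is SMB_COM_WRITE_ANDX.
TRACK_BLOB = b"M1abTfcdshefMlghT1qrshuv"
FLOW_A, FLOW_B = "10.0.0.21>10.0.0.5:445", "10.0.0.30>10.0.0.5:445"
SAMPLE_EVENTS = [
    (FLOW_A, b"\xff" + SMB_NT_CREATE_ANDX + b"\x00" * 8 + TWAIN_PATH + b"\x00"
             + "data_1_2_3_4_5.txt".encode("utf-16-le")),             # stage 1: sets the bit
    (FLOW_A, b"\xffSMB\x2f" + b"\x00" * 8 + TRACK_BLOB),               # stage 2: alerts, bit is set
    (FLOW_B, b"\xffSMB\x2f" + b"\x00" * 8 + TRACK_BLOB),               # no alert: stage 1 never seen
    (FLOW_B, b"\xff" + SMB_NT_CREATE_ANDX + TWAIN_PATH + b"\x00"
             + "readme.txt".encode("utf-16-le")),                     # no alert: name pattern differs
]

if __name__ == "__main__":
    for flow, msg in correlate(SAMPLE_EVENTS):
        print(flow, msg)
```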