🔰Alina
is a point-of-sale malware, or POS RAM scraper, used by cybercriminals to scrape credit card and debit card information from point-of-sale systems. Once executed, it installs itself on the victim's computer and checks for updates. If an update is found, it removes the existing Alina code and installs the latest version. For new installations it then adds its file path to an AutoStart run key to maintain persistence. Finally, it drops java.exe into the %APPDATA% directory and executes it with the parameter alina=<path_to_executable> for new installations, or update=<orig_exe>;<new_exe> for upgrades. Alina maintains a blacklist of processes; for every process not on the blacklist it uses OpenProcess() to read and scrape the contents of that process's memory. Once the data is scraped, Alina sends it to its C&C servers using an HTTP POST request whose destination is hardcoded in the binary.
🔰Dexter
is a computer virus, or point-of-sale malware, that infects computers running Microsoft Windows. It infects PoS systems worldwide and steals sensitive information such as credit card and debit card data.
🔰VSkimmer
VSkimmer scrapes card information from the Windows system by detecting the card readers attached to it, and then sends the captured data to the cybercriminal's control server.
🔰BlackPOS
or interprocess communication hook malware, is a type of point-of-sale malware or spyware specifically designed to be installed on a point-of-sale (POS) system to scrape data from debit and credit cards.[1][2] This is very different from normal memory-scraping malware, which scrapes all the data and needs filters to extract the target data; BlackPOS specifically hooks into the track information, which is why it is called an interprocess communication hook. Once installed, it looks for the pos.exe file on the system and parses the track 1 and track 2 financial card data.[3][4] The scraped data is then encoded with the Base64 algorithm and stored to the magnetic strip on the back of the card. The encoded data is then moved to a second machine through SMB.
🔰Jackpos
Overall, this sample is quite simplistic and straightforward. When initially run, the malware installs itself to a subdirectory within %APPDATA%. It then performs memory dumping using a blacklist approach previously seen in the Alina malware family. The malware exfiltrates its data via a simple POST request and does not perform any encryption; instead, the sensitive data is encoded with the Base64 algorithm. Additionally, the malware has simplistic command and control (C&C) capabilities, which allow the attacker to execute commands on the victim machine, reinstall the malware, or stop JackPOS remotely.
🔰Treasure hunt
TreasureHunt was custom-built by a particular hacker group that sells stolen credit card data. This malware exploits stolen or weak credentials to install itself on the device and targets retailers still using older swipe systems. TreasureHunt then extracts credit card data from the device's memory and sends it to the command and control server.
The malware scans all running processes and ignores any whose module names contain System32, SysWOW64, or \Windows\explorer.exe. It searches the remaining processes for payment card data and, if found, sends the data, encoded, back to the CnC server.
When payment card data is found, it is sent back to the CnC server using:
POST /gate.php?report=true
The data sent back contains the following tags:
report=<encoded_track_data>&id=<encoded_data>
The operators control the compromised systems and harvest stolen payment card information through a web interface located on the CnC server.
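Because the page gives the exact shape of TreasureHunt's check-in (a POST to /gate.php?report=true with a report=<encoded_track_data>&id=<encoded_data> body), a defender can turn it into an egress-proxy check that decodes the report field and alerts when it carries Track-2-shaped data. The following is an added example written for this page, not the malware's code or any vendor's; it assumes the "encoding" is plain Base64 (the page only says "encoded"), and the sample body and card number are constructed test data.

```python
import base64
import binascii
import re
from typing import Optional

# Track 2 shape: optional ';' start sentinel, 13-19 digit PAN, '=' separator,
# then YYMM expiry and a 3-digit service code. Used only to recognise scraped
# card data in an exfil body; the PAN is masked before it leaves this function.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})\d{3}")


def luhn_ok(pan: str) -> bool:
    """True if the digit string passes the Luhn check (cuts false positives)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def inspect_gate_post(request_line: str, body: str) -> Optional[dict]:
    """Flag a TreasureHunt-style report POST whose decoded 'report' field
    contains Track-2 data with a Luhn-valid PAN. Returns None when benign."""
    if not request_line.startswith("POST /gate.php?report=true"):
        return None
    # Split the form body by hand: urllib's parse_qs would turn the '+' that
    # is legal in Base64 into a space and corrupt the encoded field.
    fields = dict(pair.partition("=")[::2] for pair in body.split("&"))
    try:
        report = base64.b64decode(fields.get("report", ""), validate=True)
    except binascii.Error:
        return None                  # not Base64 at all; leave it to other rules
    text = report.decode("latin-1")  # never raises; we only need ASCII digits
    hits = [m.group(1) for m in TRACK2_RE.finditer(text) if luhn_ok(m.group(1))]
    if not hits:
        return None
    pan = hits[0]
    return {
        "tracks": len(hits),
        "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "victim_id": base64.b64decode(fields.get("id", "")).decode("latin-1"),
    }


# Constructed sample: a Track-2 string using the well-known 4111... test
# number and a made-up host id, packed the way the page describes.
SAMPLE_BODY = (
    "report=" + base64.b64encode(b";4111111111111111=2512101000000000?").decode()
    + "&id=" + base64.b64encode(b"POS-01").decode()
)
```

Running inspect_gate_post("POST /gate.php?report=true HTTP/1.1", SAMPLE_BODY) yields one masked hit for victim POS-01, while a GET or a report field that decodes to anything but card data yields None.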