Security News

BlackPOS: Targets Point Of Sale Malware Version 2

By

The Dell Sonicwall Threats Research team observed reports of a POS bot family named GAV: BlackPOS.B actively spreading in the wild. This is the new Variant of Popular Target Data Breach Gav: BlackPOS.A last December as well as the breach at Home Depot earlier this month.

These variations have been seen as far back as February 2013 and continue to operate as September 2014. BlackPOS malware typically has the capability such as scraping memory to retrieve Credit Card Data more efficiently by ignoring specific processes during its scan.

Infection Cycle:

Md5: b57c5b49dab6bbd9f4c464d396414685

The Trojan adds the following files to the system:

%SystemRoot%t.bat [Executable Bat file]

%SystemRoot%McTrayErrorLogging.dll [Contains Data scrapped from memory]

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesmcfmisvc

The Trojan has the multi command Functions such as following arguments:

Usage: -[start|stop|install|uninstall]

The Trojan has an exclusion list that functions to ignore certain system processes; it gathers track data by scanning the memory of the all running processes except for the following List:

The dropper t.bat copies the contents of McTrayErrorLogging.dll to t:tempdotnetNDP45-KB2737084-x86.exe. Its used Net Commands on Cmd.exe to open a shared machine using a specific user to transfer the file. It contains the following commands:

POS Memory Scraping:

BlackPOS retrieve all processes lists; one of the injected malicious code threads is responsible for scraping the memory of active non-system processes on the infected machine for credit card information periodically.

The malware tries to Enumerate Credit Card Data from POS Software, for enumerate POS process attackers uses API functions calls such as following APIs list:

  • CreateToolhelp32Snapshot
  • Process32First
  • Process32Next
  • OpenProcess
  • ReadProcessMemory

Here is an Example of Credit Card Number Captured by Malware

Here is Encrypted data format saved into McTrayErrorLogging.dll

The Malware contains URL links referring to the United States involvement in political conflicts around the world

Command and Control (C&C) Traffic

BlackPOS has the C&C communication over port 445. Uses requests to statically defined IP/Domains are made on a regular basis. These requests such as the following:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • BlackPOS.B
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Google Sites are being abused by Grandoreiro banking trojan to host its C&C server address
VMware Workspace ONE Access & Identity Manager (vIDM) RCE Vulnerability
Bot with possible Chinese origins and Taliban lure (July 27, 2012)
Whycry Ransomware Spotted in the Wild
Obama Speech Trojan (Nov 5, 2008)
Spam campaign roundup: The Independence Day Edition (July 3, 2014)
OpenSSL Multiple Vulnerabilities (Feb 10, 2017)
Dropper Trojan leaks user data (May 30, 2014)