Abaddon POS malware targets PoS terminals
The Dell SonicWALL Threats Research team observed reports of a new POS malware family, detected as GAV: Abaddon.POS, actively spreading in the wild. Abaddon POS scrapes the memory of running processes to retrieve credit card data.
![](http://software.sonicwall.com/gav/Abaddon.POS_files/image001.png)
Infection Cycle:
Md5:
- 5bf979f90307bac11d13be3031e4c6f9 Detected as GAV: Abaddon.POS (Trojan)
The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- "Chrome"="%Userprofile%\Malware.exe"
![](http://software.sonicwall.com/gav/Abaddon.POS_files/image002.png)
Abaddon POS retrieves a list of running processes and periodically scrapes the memory of those processes on the infected machine for credit card information.
![](http://software.sonicwall.com/gav/Abaddon.POS_files/image003.png)
To locate credit card data held by POS software, the malware enumerates and opens running processes using the following Windows API functions:
- CreateToolhelp32Snapshot
- Process32First
- Process32Next
- OpenProcess
![](http://software.sonicwall.com/gav/Abaddon.POS_files/image004.png)
![](http://software.sonicwall.com/gav/Abaddon.POS_files/image005.png)
Here is an example of scraping the memory by malware:
![](http://software.sonicwall.com/gav/Abaddon.POS_files/image006.png)
The malware verifies the harvested card numbers and then sends them in encrypted form to one of its C&C servers, such as the following addresses:
- 91.234.34.44
- 50.7.138.138
- 149.154.64.167
- 5.8.60.23
- 176.114.0.165
![](http://software.sonicwall.com/gav/Abaddon.POS_files/image007.png)
Command and Control (C&C) Traffic
Abaddon POS performs C&C communication over port 20970.
The malware sends the stolen credit card information to its C&C server in the following format; here are some examples:
![](http://software.sonicwall.com/gav/Abaddon.POS_files/image008.png)
![](http://software.sonicwall.com/gav/Abaddon.POS_files/image009.png)
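As an added triage example that is not part of this advisory, the following Python applies the indicators described above (the C&C addresses, the C&C port 20970, and the Run-key persistence pointing at an executable in the user profile) to a few constructed log lines. The simplified key=value event format and the profile-root heuristic are assumptions of this example, not details from the analysis.

```python
import re
# Indicators taken from the advisory above.
C2_ADDRESSES = {"91.234.34.44", "50.7.138.138", "149.154.64.167",
                "5.8.60.23", "176.114.0.165"}
C2_PORT = "20970"
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"
# Heuristic (assumption of this example): an .exe directly in a user profile root,
# as in the sample's "Chrome"="%Userprofile%\Malware.exe" persistence entry.
PROFILE_ROOT_EXE = re.compile(
    r"^(?:%userprofile%|[a-z]:\\users\\[^\\]+)\\[^\\]+\.exe$", re.I)
# Constructed events in a simplified key=value format, not a real product's log.
SAMPLE_LOG = [
    'type=net host=pos-01 dst_ip=149.154.64.167 dst_port=20970 proto=tcp',
    'type=net host=pos-01 dst_ip=10.0.0.5 dst_port=443 proto=tcp',
    'type=net host=pos-02 dst_ip=203.0.113.9 dst_port=20970 proto=tcp',
    'type=reg host=pos-02 key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
    'value=Chrome data="%Userprofile%\\Malware.exe"',
    'type=reg host=pos-03 key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
    'value=OneDrive data="C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"',
]

def parse_kv(line):
    """Split 'k=v k2="quoted v"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def check_network(ev):
    """Reasons a network event matches the C&C indicators (empty if none)."""
    reasons = []
    if ev.get("dst_ip") in C2_ADDRESSES:
        reasons.append("known Abaddon C&C address")
    if ev.get("dst_port") == C2_PORT:
        reasons.append("C&C port 20970")
    return reasons

def check_registry(ev):
    """Flag Run-key values whose data is an executable in a profile root."""
    if not ev.get("key", "").lower().endswith(RUN_KEY_SUFFIX):
        return []
    if PROFILE_ROOT_EXE.match(ev.get("data", "")):
        return ["Run-key persistence to executable in profile root"]
    return []

def triage(lines):
    """Return (host, line, reasons) for every event that trips a check."""
    hits = []
    for line in lines:
        ev = parse_kv(line)
        reasons = check_network(ev) if ev.get("type") == "net" else check_registry(ev)
        if reasons:
            hits.append((ev.get("host", "?"), line, reasons))
    return hits
```

Running `triage(SAMPLE_LOG)` flags pos-01 for both the address and the port, pos-02 for the port alone and again for the Run-key entry, while the legitimate OneDrive entry on pos-03 is left alone.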
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Abaddon.POS
- GAV: Abaddon.POS_2
Here is a list of samples we identified: