vSkimmer, Another POS malware
http://www.xylibox.com/2013/01/vskimmer.html

When I viewed this post, the content was already removed and the member banned.

vSkimmer - Virtual Skimmer

Functions:
- Track 2 grabber
- HTTP Loader (Download & Execute)
- Update bot itself

Working Modes:
- Online: If internet is reachable it will try to bypass firewalls and communicate to the control panel.
- Offline: If internet is not reachable it waits for a specific pendrive/flashdrive to be plugged in and copies logs to it.

Server coded in PHP (can be modified on request to send logs to remote server, via smtp, etc..)
Client coded in C++, no dependencies, 66kb, cryptable. (can be customized)

Screenshot:
http://2.bp.blogspot.com/-idcOZvVXH_0/UOwdxUu2JlI/AAAAAAAAOpc/IJWAQ7szqEg/s1600/08-01-2013+14-22-55.png

The malware checks for the presence of a debugger, then gets the PC details (OS, computer name, a GUID to identify the machine in the POS botnet, etc.):

Screenshots:
http://4.bp.blogspot.com/-lti0o_KvEI4/UPMPKj_Si5I/AAAAAAAAPXE/V0lSaGK0Ue4/s1600/SaW8H.png
http://4.bp.blogspot.com/-TIffHZKKXNM/UPMPBp7bOJI/AAAAAAAAPW8/TStcHw6mbBU/s1600/OpOZp.png
http://4.bp.blogspot.com/-E_vo20bQAu8/UPMOqXEOYGI/AAAAAAAAPW0/ZgDNNbkj_uo/s1600/ijnhI.png
http://2.bp.blogspot.com/-GHATA6F24R8/UOwt7-dFqbI/AAAAAAAAOq4/-q0AUF-OzCg/s1600/08-01-2013+15-12-02.png

It checks whether the file is executed from %APPDATA%; if not, it adds registry persistence and a firewall rule, makes a copy of itself and executes the copy.
Detail of the registry persistence:
Firewall rule to allow the malware:

Screenshots:
http://2.bp.blogspot.com/-zVOZ4gJiRP0/UOwy4_1uMuI/AAAAAAAAOsU/0-V4-5tsACc/s1600/08-01-2013+15-53-07.png
http://4.bp.blogspot.com/-WxIEdeUeCNo/UOw0WqU0TTI/AAAAAAAAOtw/hw8hJZwZhio/s1600/08-01-2013+15-59-13.png
http://4.bp.blogspot.com/-ox8sMW005YY/UOw7hdnkEKI/AAAAAAAAOwo/5_fVm21UAOU/s1600/08-01-2013+16-29-57.png

It creates a mutex and a thread, gets host information, then checks the running processes. Some are whitelisted: "System", smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, svchost.exe, spoolsv.exe, wscntfy.exe, alg.exe, mscorsvw.exe, ctfmon.exe, explorer.exe:

Screenshots:
http://3.bp.blogspot.com/-KgCzHhSxik8/UOxdvxfB25I/AAAAAAAAO94/33d4ecrcn0A/s1600/08-01-2013+18-55-47.png
http://3.bp.blogspot.com/-R-JasW_Qs6M/UOw5QAWgrWI/AAAAAAAAOvM/J4_nQpF5L1w/s1600/08-01-2013+16-20-42.png
http://4.bp.blogspot.com/-gUdBkvcfmgA/UOw9EPgErWI/AAAAAAAAOyE/2x7DHiV3nBk/s1600/08-01-2013+16-35-12.png
http://2.bp.blogspot.com/-1K7xLSmnTiE/UOw-vJAFusI/AAAAAAAAOzg/Sn3Q9QVPqak/s1600/08-01-2013+16-44-11.png

When a process is finally found, it reads the process memory and searches for the pattern. If nothing is found, it gets the infos, Base64-encodes them and calls the gate via a GET request. Answer:

Screenshots:
http://3.bp.blogspot.com/-QQBWx7PUcv4/UOw_7vqIddI/AAAAAAAAO08/G0BXYal1Bu8/s1600/08-01-2013+16-47-33.png
http://3.bp.blogspot.com/-WptxZARWbVo/UOxQTeZM5OI/AAAAAAAAO30/P1Gmf9ybr2k/s1600/08-01-2013+17-59-01.png
http://2.bp.blogspot.com/-0Ncthnrx71Y/UOxpugZUhII/AAAAAAAAPDo/urAQDIgg3NA/s1600/08-01-2013+19-46-47.png
http://3.bp.blogspot.com/-9axig-A_Le0/UOxNO7Zra_I/AAAAAAAAO2Y/b8khNhf3EFU/s1600/08-01-2013+17-45-11.png

• dns: 1 ›› ip: 31.31.196.44 - adresse: WWW.POSTERMINALWORLD.LA

Parsing the answer: the answer is reduced to its first 3 letters and compared with 'dlx' (Download & Execute) and 'upd' (Update); if one of these is found, that means the bad guys sent us an order. For example dlx:

Screenshots:
http://3.bp.blogspot.com/-oz3qHbRr4h0/UOxUpGSkyWI/AAAAAAAAO5Q/b-cBX9yeu58/s1600/08-01-2013+18-17-12.png
http://2.bp.blogspot.com/-Ft0NpGVT24E/UOxVBgKJulI/AAAAAAAAO5Y/YABujjO-hVY/s1600/08-01-2013+18-19-17.png

The order is executed and a response is sent to the server.

The part I love with POS malware:

Or just a simple ";1234567891234567=12345678912345678900?" in a txt, but it's more gangsta to swipe a card.
So the algorithm detects the pattern and the track 2 data is encoded to Base64:

Screenshots:
http://2.bp.blogspot.com/-9wTQdtGdvb4/UOxZgkxUQ4I/AAAAAAAAO8Q/6NplfJlCQBE/s1600/08-01-2013+18-38-23.png
http://3.bp.blogspot.com/-7Ptx0QCl5es/UOxX0xgINYI/AAAAAAAAO60/B1hIqPeXOS4/s1600/08-01-2013+18-30-55.png
http://1.bp.blogspot.com/-6DST-Flh9dQ/UO2cOD7KAyI/AAAAAAAAPLA/GvkcXnQkMkA/s1600/09-01-2013+17-34-27.jpg

And sent to the panel. Now for the offline mode, get drive: the flash drive must be named "KARTOXA007" ("kartoxa" means dumps in Russian):

Screenshots:
http://2.bp.blogspot.com/-ZrmY5isAd3k/UOxw5uVVBnI/AAAAAAAAPFE/w49Zk8wsVKE/s1600/08-01-2013+20-18-05.png
http://2.bp.blogspot.com/-2nfdzOAhPRo/UOxm29TmZzI/AAAAAAAAPCM/BEkPBSv492Q/s1600/08-01-2013+19-34-41.png
http://1.bp.blogspot.com/-RkSL-AvS3G8/UOxyWmHgH_I/AAAAAAAAPGg/80_8Tu5HRNs/s1600/08-01-2013+20-24-14.png

Create dmpz.log:
Now let's have a look at the panel. POS Terminals:

Screenshots:
http://3.bp.blogspot.com/-3-ld5k_OWUY/UOx1mBKlH3I/AAAAAAAAPH8/BQFv4rXX1kc/s1600/08-01-2013+20-37-43.png
http://2.bp.blogspot.com/-DF303FeOGy4/UOx2mTMwAYI/AAAAAAAAPII/sM3LU0Bft08/s1600/08-01-2013+20-41-47.png
http://2.bp.blogspot.com/-AFMTfy56fps/UOx7nCZK4uI/AAAAAAAAPJk/hHee6snZatI/s1600/08-01-2013+21-03-34.png
http://2.bp.blogspot.com/-0MVL_85Z0g8/UO2iLaa8jbI/AAAAAAAAPMg/IcMNP0jvEk4/s1600/09-01-2013+18-00-31.jpg

Dump download:
Commands:
Settings:

Screenshots:
http://3.bp.blogspot.com/-RNZPDx0FNzk/UO2istiy-mI/AAAAAAAAPMo/stKTS2jer3s/s1600/09-01-2013+18-01-28.jpg
http://3.bp.blogspot.com/-GKBfmgb-o_g/UO2jaoUC3yI/AAAAAAAAPNA/DpXjv64W30U/s1600/09-01-2013+18-05-32.jpg
http://2.bp.blogspot.com/-a48CEWoxIuc/UO2i7p95LoI/AAAAAAAAPMw/uhcwexAgfqA/s1600/09-01-2013+18-03-53.jpg

Dumped.. :)
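As an added example (not code from the original post and not vSkimmer's own code), here is the defender's side of the two steps described above: the memory pattern search and the Base64-encoded GET to the gate. The Python scanner below finds Track 2 records (';' start sentinel, PAN, '=' separator, YYMM expiry, service code, '?' end sentinel) in a memory dump or file, masks the PAN, applies a Luhn check so a dummy string like the one in the post is told apart from a real card, and also inspects every query value of a suspected gate request, raw and Base64-decoded, since that is how the post says the bot submits its dumps. The gate hostname, the query parameter names and the memory buffer are constructed for the example; the post does not give the real parameter names.

```python
"""Defender-side Track 2 detector (added example, not vSkimmer code).

Scans a memory/file buffer for Track 2 records and inspects the query values
of a suspected gate GET request, raw and Base64-decoded, for the same pattern.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode, urlparse

# Track 2 layout: ';' start sentinel, PAN (13-19 digits), '=' field separator,
# expiry YYMM, 3-digit service code, optional discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """True if the PAN passes the Luhn mod-10 check (weeds out dummy strings)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 digits so hits can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Return one dict per Track 2 record found in buf; PANs are masked."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry_yymm": m.group(2).decode(),
            "service_code": m.group(3).decode(),
            "luhn_ok": luhn_ok(pan),
        })
    return hits


def try_base64(value: str):
    """Base64-decode a query value (standard or URL-safe alphabet) or return None."""
    s = value.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)            # restore stripped padding
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_beacon_url(url: str) -> list:
    """Check every query value of a suspected gate request, raw and Base64-decoded.

    Returns (param_name, encoding, hit) tuples.
    """
    findings = []
    for key, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        for hit in find_track2(value.encode()):
            findings.append((key, "raw", hit))
        decoded = try_base64(value)
        if decoded:
            for hit in find_track2(decoded):
                findings.append((key, "base64", hit))
    return findings


# Constructed sample data: the dummy track from the post inside some memory noise,
# and a made-up gate URL (hostname and parameter names are assumptions, not the real ones).
SAMPLE_MEMORY = b"\x00junk;1234567891234567=12345678912345678900?more\x00"
SAMPLE_BEACON = "http://gate.example.invalid/gate.php?" + urlencode({
    "id": "constructed-bot-guid",
    "data": base64.b64encode(b";1234567891234567=12345678912345678900?").decode(),
})

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_MEMORY):
        print("memory:", hit)
    for key, enc, hit in scan_beacon_url(SAMPLE_BEACON):
        print(f"beacon param {key!r} ({enc}):", hit)
```

Run the same `scan_beacon_url` over proxy logs for the gate domain named above and `find_track2` over process dumps of the POS software; a hit with `luhn_ok` false is usually test data, a hit with it true is worth an incident ticket.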
Sample: https://www.virustotal.com/file/bb12fc4943857d8b8df1ea67eecc60a8791257ac3be12ae44634ee559da91bc0/analysis/1358237597/
Unpacked: https://www.virustotal.com/file/4fba64ad3a7e1daf8ca2d65c3f9b03a49083b7af339b995422c01a1a96532ca3/analysis/1358238314/

Thanks Zora for the sample :)

Screenshots:
http://2.bp.blogspot.com/-sAx8co5b2_A/UO2jFE9bTMI/AAAAAAAAPM4/J6xD8HFX5VU/s1600/09-01-2013+18-04-27.jpg
http://4.bp.blogspot.com/-sHP_MdmCDc0/UQLc49XqhPI/AAAAAAAAQpI/ZQELMq1OuME/s1600/25-01-2013+20-28-22.png