{
	"id": "dd736da9-9b5e-44f1-8369-2dde3fd8adc8",
	"created_at": "2026-04-06T00:14:54.496711Z",
	"updated_at": "2026-04-10T03:20:16.873598Z",
	"deleted_at": null,
	"sha1_hash": "65b3b7cfae27172ea014f2022ee4899f2dd9645b",
	"title": "Threat Spotlight: Holiday Greetings from Pro PoS – Is your payment card data someone else’s Christmas present?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 985226,
	"plain_text": "Threat Spotlight: Holiday Greetings from Pro PoS – Is your payment card data someone else’s Christmas present?\r\nBy Earl Carter\r\nPublished: 2015-12-17 · Archived: 2026-04-05 14:54:53 UTC\r\nThursday, December 17, 2015 11:23\r\nThe post was authored by Ben Baker and Earl Carter.\r\nPayment cards without an EMV chip have reached their end-of-life. Point of Sale (PoS) malware, such as PoSeidon, has continued to threaten businesses. The news is continually filled with stories of payment card data being stolen through a breach in the company’s PoS system. From high-end hotels to large retail firms, threat actors are attacking PoS systems in the attempt to capture payment card data. PoS malware is just another threat category that Talos is monitoring and developing defenses against. In this post, we will examine the functionality of Pro PoS so that you can better understand how this malware can be used to exfiltrate payment card information and potentially other valuable information from your network.\r\nBeginning in October, merchants in the United States were required to use PoS terminals that provide support for chip-enabled cards or otherwise risk liability for fraudulent charges. These new chip-enabled readers help minimize the chance for PoS malware to steal payment card information because the chip on the payment card generates a single-use token. This transition, however, has been bumpy at best because the cost of new chip-enabled readers has made it difficult to upgrade to the newer readers. Another loophole is that gas stations have a different timeline and are not required to move to chip-based readers until October 2017. These two factors mean that many establishments still rely on card readers that are not chip-enabled and send payment card data that can be duplicated and reused.\r\nhttps://blog.talosintelligence.com/2015/12/pro-pos.html\r\nPage 1 of 9\r\nPro PoS is simple-to-use PoS malware that is available for purchase, enabling multiple threat actors to easily take advantage of this malware to target businesses. The functionality of Pro PoS seems fairly extensive according to recent press releases. These claims include the following:\r\n1. Tor support\r\n2. Rootkit functionalities\r\n3. Mechanisms to avoid antivirus detection\r\n4. Polymorphic engine\r\nIn order to analyze the actual capabilities of Pro PoS, Talos collaborated with Flashpoint, a pioneer in threat intelligence from the Deep \u0026 Dark Web. Not all of the claims in the press releases seem to be totally accurate given the Pro PoS version 1.1.5b sample that Talos analyzed. For instance, we did not identify any significant mechanisms to avoid antivirus detection, other than a trivial packer that seemed to be more for compression than obfuscation. Unless you include tor2web, we did not find support for Tor. We did not find a polymorphic engine. And finally, we did observe a rootkit being installed, but it did not appear to be used by the malware.\r\nClient Software\r\nThe Pro PoS client malware uses a modified version of Alina, which had its source code leaked earlier this year. In this version, the malware utilized a simple packer that does not contain any anti-analysis checks. Given the simplicity of the packer and the fact that it even leaves some of the strings in the binary unaltered, it is likely that the packer was meant to simply compress the binary, instead of trying to make the examination of the binary more complicated.\r\nBefore execution, Pro PoS copies itself to “%appdata%\\914785304\\NTProvider.exe”. The folder name is generated by adding the output of rand() to 914785263. The developers failed to initialize the random number generator by calling srand() before calling rand(), so the same value will be generated every time that the malware is run. The malware also reads in the original file, RC4 encrypts it using the password “Password”, then drops it to “%appdata%\\driver.sys”.\r\nPro PoS injects explorer.exe with shellcode via WriteProcessMemory. The shellcode attempts to open “%appdata%\\ntkrnl”, then RC4 decrypt it, and write it to %appdata%\\Installed\\windefender.exe. It then uses ShellExecuteA to execute windefender.exe. The Pro PoS variant of the Alina client does not drop a file named ntkrnl, meaning the shellcode will be unable to decrypt and execute a file named windefender.exe.\r\nPro PoS then iterates through running processes checking against a whitelist, spawning new threads dedicated to memory scraping each process not in the whitelist. This results in several threads running simultaneously, each looking at a different process. The threads use ReadProcessMemory to access the process’s memory to scan through it looking for valid track data like “4012888888881881=18012010123400000000?”. It first looks for the delimiter of “=” or “D” that separates the payment card number from the date. It then verifies the delimiter is preceded by 16 digits, with a valid YYMM date after the delimiter. It checks the 3 digits after the date ensuring the card has service codes 201 or 101, which signify the card can be used internationally with no restrictions. It then uses the Luhn algorithm, which is a checksum used to verify payment card numbers.\r\nNetwork traffic uses a 1 byte XOR key (0xAA), with version info, software name, botID, action, and PC name. The data after the identifying info is XOR’d with an additional 18 byte key derived from other info in the packet.\r\nSample network traffic:\r\nWhen the client connects, the controller can send configuration settings like how often to beacon back, and can even respond with a URL, which the client will then use to download a file to the victim’s %appdata% path and then execute.\r\nRootkit Functionality\r\nThis rootkit, with PDB path “c:\\drivers\\test\\objchk_win7_x86\\i386\\ssdthook.pdb”, uses SSDT hooks for the following APIs:\r\nZwQueryDirectoryFile - hide files named “windefender.exe”\r\nZwQuerySystemInformation - hide “windefender.exe” processes\r\nZwEnumerateValueKey - hide registry keys named “windefender”\r\nSSDT hooks are simple to implement, and effective when hiding on a system. Altering the SSDT on newer versions of Windows (including the 64 bit version of Win7) will trigger PatchGuard to bugcheck, causing the notorious Blue Screen Of Death (BSOD). Fortunately for the malware developers, PoS systems usually aren’t running the latest and greatest versions of Windows. The developers could have used Direct Kernel Object Manipulation (DKOM), which works on newer versions of Windows, but they would still have to bypass driver signing.\r\nThis minimalistic rootkit does very little to validate data before using it. It's possible, but unlikely, for pNextEntryOffset to be used before it’s given a valid address, meaning 0x00011098 would use the initialized value of Null. Null Pointer Dereference vulnerabilities like this one are often used in exploits for privilege escalation, though malware with permissions to install drivers does not need to escalate privileges. This bug was almost certainly unintended, and could crash the PoS terminal with the Blue Screen Of Death.\r\n.text:00011095 mov eax, [ebp+pNextEntryOffset]\r\n.text:00011098 mov ecx, [eax] ; Possible Null Ptr Dereference\r\nMost of the client versions we have examined install the rootkit, but only Joker 1.8 actually uses the filenames and registry key names that are hidden. It’s unclear whether the developer forgot to change the rootkit to hide the new filenames, or if he intended to sell the rootkit functionality as a premium feature.\r\nOther Alina Client Variants\r\nWe’ve found several variants of the Alina client, all of which are incredibly similar other than a few string changes. After removing the check for “Pro PoS” in the user-agent, our control panel works for the variants we tested. It wasn’t hard to make signatures that detect all of the variants we have, both in ClamAV and Snort. These variants include\r\n1. Joker 1.8\r\n2. Katrina variant of Alina\r\n3. Two unnamed variants\r\nThe Joker 1.8 variant is the only version that we analyzed that uses the windefender strings that are hidden by the rootkit. It also incorporates a large number of anti-analysis features including\r\n1. It overwrites the first instruction of “DbgUiRemoteBreakin” and \"DbgBreakPoint\" with the assembly instruction “retn”, which can interfere with debuggers.\r\n2. Uses the Intel instruction “vcpext” to detect if it’s being run in a VM. Checks to make sure the machine has at least 2 processors. Checks to make sure the system has at least a minimum amount of physical memory.\r\n3. Calls IsDebuggerPresent, CheckRemoteDebuggerPresent, OutputDebugStringA to check for a debugger (Lol this is trivial compared to the other checks).\r\n4. It creates multiple exceptions that, if handled by a debugger, will fail a check.\r\n5. It uses GetTickCount to check timing for how long it takes to run a code chunk. If it takes too long, it fails the check.\r\n6. It looks for any windows in this list: OLLYDBG, VBoxTrayToolWndClass, ID, Tokno_konfig, TDiEfrm, MYDEBUG, 259C91A0, 18467-41, FileMonClass, OWL_Window, HANOLLY, YPOGEiOS, DeFixed, TIdaWindow\r\n7. Any loaded modules in this list: Cmdline.dll, BOOKMARK.DLL, pluzina1.dll, pluzina2.dll, pluzina3.dll, pluzina4.dll, procs.dll, realign.dll, 16Edit.DLL, win32_user.plw, win32_stub.plw, linux_stub.plw, wince_stub.plw, mac_stub.plw, DeviareCOM.dll, Nektra.Deviare2.dll, SbieDll.dll, apimonitor-drv-x86.sys.\r\n8. Any running processes in this list: OLLYDBG.EXE, PEiD.exe, ollydbg.exe, OllyDbg.exe, LordPE.exe, LordPE.exe, ImportREC.exe, CiM's.exe, DeFixed.exe, YGS-DOX.exe, OllyICE.exe, HanOlly_English.exe, HanOlly.exe, HanOlly_Korean.exe, W32DSM89.EXE, WinHex.exe, HIEW32.EXE, XVI32.exe, idag.exe, hiew32.exe, PROCDUMP.exe, FILEMON.EXE, FILEMON.exe, PROCDUMP.EXE, Regmon.exe, ResHacker.exe, exeinfope.exe, eXeScope.exe, DiE.exe, protection_id.exe, EvO_DBG.exe, SbieCtrl.exe, SpyStudio.exe, SbieSvc.exe, apimonitor-x86.exe\r\n9. Any registry keys in this list: HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__, HKLM\\HARDWARE\\ACPI\\DSDT\\AMIBI\r\n10. It checks for hardware breakpoints by using GetThreadContext on the current thread and checking the contents of Context.Dr0 through Context.Dr3.\r\n11. It checks for software breakpoints at the start of any of these APIs: OutputDebugStringA, Process32Next\r\n12. It checks what permissions it has to the process “services.exe”. If it doesn’t like the permissions, it fails the check.\r\nThis is a screenshot of the Pro PoS 1.1.5 Control Panel administering Pro PoS and 3 other Alina variants.\r\nPro PoS Control Panel\r\nThe Control Panel doesn’t use PHP obfuscation, so reversing the network protocol was a breeze. One of the PHP files contains a vulnerability that leads to arbitrary PHP execution. Obviously security wasn’t a major concern when developing this malware. The web page contains links to Passwords and Ketlogger (shown in the image below). Both of these links simply redirect the user to the home page. These unsupported pages could possibly point to future features that the threat actor plans to add to the control panel.\r\nThe Config page allows the controller to force bots to download and execute a file from a URL. This feature appears to be broken and does not update the mysql table that is read from when commands are sent to the bots. Manually adding entries in the mysql table does work. The PHP seems to be the weakest link in this toolkit.\r\nExfiltrated Data in Control Panel\r\nThe login page uses an external image file http[:]//images[.]cooltext[.]com/4465794.png.\r\nAlina Network Client Script\r\nThe network client/CNC use a simple binary protocol over standard HTTP for all of its requests. The first requirement is that the HTTP User-Agent must begin with ‘Pro PoS’. After that, the request’s body is XOR’ed with the static one byte key of 0xAA. The result will be the common request header followed by further XOR “encrypted” data and the key to decrypt it. This lower level is used for the actual payment card track data as well as notifications to download and execute from specific URLs or simple status updates.\r\nThe following Ruby shows the header format:\r\n# Client version - WORD\r\nmsg = [0x0102].pack('s')\r\n# Software name - NULL padded 16 byte string\r\nmsg \u003c\u003c pad(\"Pro PoS Solution\", 16)\r\n# hardware ID - NULL padded 8 byte string\r\nmsg \u003c\u003c pad(\"GwWASP\", 8)\r\n# 2x bytes but it is unclear what it is used for\r\nmsg \u003c\u003c \"EE\"\r\n# Action (update, etc) - NULL padded 8 byte string\r\nmsg \u003c\u003c pad(\"update\", 8)\r\n# PC Name - NULL padded 32 byte string\r\nmsg \u003c\u003c pad(\"WIN7-41424345\", 32)\r\n# Total message size - DWORD\r\nmsg \u003c\u003c [data.size + 123].pack('V')\r\n# A simple checksum of the message header\r\nmsg \u003c\u003c checksum(msg)\r\n# Finally, XOR the rest of the data with the hardware ID + 2 bytes + Action\r\nmsg \u003c\u003c xor(data, xor(msg[18..35]), 18)\r\nFrom here, the data sent in the request is stored directly in the database used by the control panel.\r\nConclusion\r\nPayment cards without EMV chips and businesses who do not yet have chip-enabled PoS terminals have become an unnecessary security risk. As long as PoS terminals rely on payment data stored in the magnetic stripe, threat actors will continue to invest in innovation and development of new malware families to exploit this attack vector. Attackers will continue to target PoS systems and employ various obfuscation techniques in an attempt to avoid detection. Since PoS malware like Pro PoS is available for purchase, it is even easier for threat actors to utilize it to steal payment card data.\r\nBusinesses that utilize payment card readers that are not chip-enabled will need to remain extra vigilant and adhere to industry best practices to ensure coverage and protection against these advancing malware threats, especially during the holiday season.\r\nProtecting Users\r\nSnort Rules\r\nThe following Snort rule will detect Pro PoS. This rule is subject to change pending new information regarding the threat. Please refer to your FireSIGHT Management Center or the Snort Subscriber Rule Set for the latest rules.\r\n36331\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nThe Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity by threat actors.\r\nESA can block malicious emails sent by threat actors as part of their campaign.\r\nSource: https://blog.talosintelligence.com/2015/12/pro-pos.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2015/12/pro-pos.html"
	],
	"report_names": [
		"pro-pos.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434494,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/65b3b7cfae27172ea014f2022ee4899f2dd9645b.pdf",
		"text": "https://archive.orkl.eu/65b3b7cfae27172ea014f2022ee4899f2dd9645b.txt",
		"img": "https://archive.orkl.eu/65b3b7cfae27172ea014f2022ee4899f2dd9645b.jpg"
	}
}