{
	"id": "3bddf7bb-1491-4c40-8d5f-d04fb008554f",
	"created_at": "2026-04-06T00:19:09.18805Z",
	"updated_at": "2026-04-10T03:34:24.162139Z",
	"deleted_at": null,
	"sha1_hash": "d50c6b80ce0ea0898d6dcd5980270a4bb36a9278",
	"title": "Fuel Pumps II – PoSlurp.B – One Night in Norfolk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 806633,
	"plain_text": "Fuel Pumps II – PoSlurp.B – One Night in Norfolk\r\nPublished: 2019-12-31 · Archived: 2026-04-05 16:44:10 UTC\r\nIn a previous post, this blog examined malware used in a financially-motivated incident at a fuel dispensing company, as disclosed in a security bulletin by VISA. The bulletin detailed a second incident that is likely attributable to an additional threat actor. Specifically, VISA identified C2 infrastructure, a filename, and additional TTPs that allegedly align with FIN8 activity, as described in public Gigamon and Root9b reporting. These TTPs suggest that the threat actors used a memory scraper referred to as PoSlurp.B in public reporting to scrape customer credit card data from a targeted device.\r\nThis post examines a PoSlurp.B file identified (through its shellcode loader) by Twitter user @just_windex to provide additional details regarding the malware’s functionality that were not previously disclosed in open source. This analysis focuses on the final payload of the shellcode loader, although additional information and advice for bringing this file into a debuggable state is available at the end of the post.\r\nUnlike the previously analyzed file (FrameworkPoS/GratefulPOS), which indiscriminately scraped all processes on a device, PoSlurp.B is designed to scrape the memory of an attacker-specified process.\r\nAnalysis\r\nShellcode Hash:\r\nMD5: b54283d17b7c13329943168b898ff07e\r\nSHA1: 67a06663b0c8a885d444b8bedb8261b28f050a39\r\nSHA256: e78d9a6cd94bd8ec3095a0ecbbc9c4add78d3281d2bf46497164d0406c346395\r\nDumped PoSlurp.B Payload (Uploaded to VT for this blog, not from ITW)\r\nMD5: 3d5ae56c6746e0b3ed5b15124264a0d2\r\nSHA1: f92c886f85928041148d0dcd7c4fb9623b157f94\r\nSHA256: d9e442cd69d1f656a3e8cfd0792333a8f0108193e052a4ee2d7f9138a4b253b2\r\nInitial Checks and Exit Conditions\r\nPoSlurp.B is a 64-bit executable that is expected to be run in memory. When executed, the malware performs two conditional checks:\r\n– The malware must have been loaded into memory\r\n– In this analysis, the check appears to be conducted by examining the entry point\r\n– The malware must identify an environment variable – “PRMS” – that contains data to direct the workflow\r\n– Setting this in the system settings did not appear to work. Setting this in a PowerShell injector script did.\r\nA Gigamon report previously described the need for this environment variable and its presence in a PowerShell loader. While this loader is not currently available on VirusTotal, information regarding reconstructing one is available at the end of this blog. The malware uses a stack string to assemble this environment variable name, likely to limit static detection of the string. These first two checks can be seen below. Following these checks, the malware moves to a validation and parsing function (boxed in red in the bottom right of this image) to extract information from this environment variable.\r\nhttps://norfolkinfosec.com/fuel-pumps-ii-poslurp-b/\r\nPage 1 of 11\r\nPRMS Environment Variable Check\r\nThe parsing function is designed to extract the contents of the environment variable. The function contains nine different references to the ExitProcess Windows API call. Combined with the previous function, the following exit conditions for the malware have been identified:\r\n– The malware determines it wasn’t injected or started properly\r\n– The malware can’t locate the “PRMS” environment variable\r\n– The environment variable doesn’t contain “t” as the first letter of a value in a workflow-specific position\r\n– When run in injection mode, the malware is unable to identify a process specified for injection\r\n– An invalid value is in the workflow parameter location (i.e. not “i”, “s”, or “p”)\r\n– An incorrect number of arguments has been specified\r\n– The malware runs successfully\r\nWhile some of these appear to be anti-analysis checks, this blog assesses that others may be for workflow validation and to prevent errors, crashing, or unexpected events. In particular, there are multiple checks regarding the correct number of parameters being passed to the malware that eventually become redundant, as a final check requires a larger number of parameters than an initial check. There are additional exit conditions that are not yet fully understood.\r\nValidation and Parsing Function\r\n
Environment Variable and Three Workflows\r\nThe environment variable is expected to contain multiple values, delimited by a “|” character. The first character specifies which workflow to take, and can be the letter p, s, or i.\r\n– “p” scrapes a specified process for credit card data\r\n– “i” injects the malware into a process and creates a thread at the scraping function used by p\r\n– “s” injects the malware into a suspended svchost process and creates a thread at the same scraping function\r\nThe malware ultimately appears to expect more arguments than are necessary in certain cases. For example, if the environment variable were set to:\r\np|notepad.exe|t|[value]|[value]\r\nThe first three values would be sufficient to validate many of the checks and scrape the “notepad.exe” process, although something would need to fill the remaining values to successfully run. It is possible that these additional values may perform further validation checks, which were bypassed for the purpose of this analysis (and which would need to be bypassed if using the environment variables exactly as written in this blog).\r\nThe malware also treats these arguments differently depending on the mode selected. For example, in “p” and “s” mode the first argument specified after “p” is the process to be scraped. In “i” mode, the first argument after “i” is the process to be injected, whereas the next argument is the process to be scraped. Thus, using “i” mode would require a value such as:\r\ni|injection_target.exe|process_to_be_scraped.exe|t|[unknown]|[unknown]\r\nMalware Workflow Options\r\n
Injection Workflow (“i”)\r\nThe injection workflow contains two relatively simple functions.\r\nFunction One\r\n– The malware uses the CreateToolhelp32Snapshot and Process32First/Next APIs to list running processes\r\n– The malware compares each process name to the first process argument in the environment variable\r\n– If no match is found, the malware returns and exits\r\nFunction Two\r\n– The malware opens a handle to the targeted process\r\n– The malware uses VirtualAllocEx and WriteProcessMemory to write itself to the targeted process\r\n– The malware creates a thread at the location of the main scraping loop within this injected process\r\nFirst Function (Process Identification) in Injection Workflow\r\n
Svchost Workflow (“s”)\r\nThe svchost workflow also contains two functions.\r\nFirst, the malware uses stack strings to assemble “svchost.exe” (similar to the “PRMS” string creation), likely to avoid static detection of this value. The malware then identifies the system directory via API call, concatenates the svchost.exe process name to this string, and spawns this process in a suspended state.\r\nSecond, the malware uses a form of process injection similar to a method described in open source reporting as the “Zberp” method. The malware uses CreateFileMappingA, MapViewOfFile, and NtMapViewOfSection to inject itself into the suspended svchost process. Finally, the malware uses NtQueueApcThread and ResumeThread to run the main scraping loop.\r\n
Main Scraping Loop\r\nThe main scraping loop, which is either called directly through the “p” workflow or invoked through the other workflows as a created thread, represents the core of the malware’s functionality. Similar to the “i” routine, the main scraping loop calls a function that enumerates running processes (via CreateToolhelp32Snapshot, Process32First, and Process32Next) to identify a match with a specified target process (right click on the images below and open in a new tab to expand).\r\nIf a process name is found that matches the target name, the malware calls the function boxed in red in the image above. The malware uses the VirtualQueryEx and ReadProcessMemory APIs to read the process, and then subsequently calls the actual data parsing routine. The malware looks for data formatted similarly to magnetic strip information. If found, the malware calls an additional function (referenced in five locations) to encode and write this data to a file located at “c:\\users\\public\\music\\wmsetup.tmp” and then repeats the loop.\r\nOnce the scraping is completed (or if the scraping fails), the malware can perform two additional cleanup functions before exiting. First, the malware deletes a registry entry located at Software\\Microsoft\\CurrentVersion\\Run named PSMon. The malware can also delete a key named ODBC2 under Software\\*.\r\nThe purpose of these two keys is currently unknown. This blog speculates that both may be used as components of persistence mechanisms (perhaps with the former pointing to a script and the latter pointing to second-stage data stored in the registry). If this is the case, they may be named to mimic legitimate processes expected on these devices, such as the Unix Process Monitor tool and a SQL Database component (ODBC). It is also possible – but less likely – that this activity is designed to terminate these legitimate processes.\r\n
Additional Thoughts\r\nWhile there are still some information gaps (particularly regarding the installer for this malware), this point of sale scraper represents a very different approach from the previously examined incident. Whereas that file scraped the memory of every process on a system, PoSlurp.B is designed for a more targeted approach. This suggests that the attackers conducted sufficient reconnaissance within the environment to determine where credit card data was likely to be held (or knew this information prior to the intrusion).\r\n
Analysis Tips\r\nAnalyzing this file proved particularly challenging, given the high number of conditional exits and the need for the malware to successfully parse an environment variable. Ultimately, I can recommend the following approach:\r\nThe hash 82953a819daff3a81e678c75ce7736b3 contains a PowerShell byte array loader that I found during a search for other FIN8 malware (whether or not it is actually affiliated with this group, I have not checked).\r\n– Take the shellcode, open it in a hex editor (e.g. HxD), and copy the hex into a text editor (Notepad++)\r\n– Replace the spaces between the hex bytes with “,0x”\r\n– Add a leading “0x” to the first byte\r\n– Add an additional two bytes, 0xEB and 0xFE, to the start of the file. This is an infinite loop.\r\n– Replace the payload bytes in the hash above with these bytes\r\n– Add the environment variable\r\n– Run the PowerShell file\r\n– In x64dbg, attach to the PowerShell process\r\n– Resume the program\r\n– Look in the memory map for the executable section of memory\r\n– Set a breakpoint at this section\r\n– NOP the infinite jump instruction\r\n– Begin debugging\r\nThe idea here is to get PowerShell to load the shellcode, but to do so in a way in which it doesn’t execute. EB FE is shorthand for an infinite loop in which the malware jumps to the jump instruction itself. The malware will run this indefinitely, until you manually place a breakpoint there. Programs such as jmp2it will do this automatically, but I ran into issues attaching to it in a 64-bit debugger. A few other creative approaches (side-loading in place of Chinese APT shellcode, injecting it into other processes) came up short. They also didn’t allow the malware to recognize an environment variable.\r\nFor simply statically analyzing the shellcode and its subsequent payload, I’d recommend Adam’s approach. It looks like a lot of steps, but it only takes a few minutes, and you can build a 64-bit executable that’s pretty easy to directly debug (and subsequently dump a payload from).\r\nSource: https://norfolkinfosec.com/fuel-pumps-ii-poslurp-b/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://norfolkinfosec.com/fuel-pumps-ii-poslurp-b/"
	],
	"report_names": [
		"fuel-pumps-ii-poslurp-b"
	],
	"threat_actors": [
		{
			"id": "3150bf4f-288a-44b8-ab48-0ced9b052a0c",
			"created_at": "2025-08-07T02:03:24.910023Z",
			"updated_at": "2026-04-10T02:00:03.713077Z",
			"deleted_at": null,
			"main_name": "GOLD HUXLEY",
			"aliases": [
				"CTG-6969 ",
				"FIN8 "
			],
			"source_name": "Secureworks:GOLD HUXLEY",
			"tools": [
				"Gozi ISFB",
				"Powersniff"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5bdde906-0416-42ee-9100-5ebd95dda77a",
			"created_at": "2023-01-06T13:46:38.601977Z",
			"updated_at": "2026-04-10T02:00:03.035842Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK113",
				"G0061"
			],
			"source_name": "MISPGALAXY:FIN8",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72d09c17-e33e-4c2f-95db-f204848cc797",
			"created_at": "2022-10-25T15:50:23.832551Z",
			"updated_at": "2026-04-10T02:00:05.336787Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"FIN8",
				"Syssphinx"
			],
			"source_name": "MITRE:FIN8",
			"tools": [
				"BADHATCH",
				"PUNCHBUGGY",
				"Ragnar Locker",
				"PUNCHTRACK",
				"dsquery",
				"Nltest",
				"Sardonic",
				"PsExec",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fc80a724-e567-457c-82bb-70147435e129",
			"created_at": "2022-10-25T16:07:23.624289Z",
			"updated_at": "2026-04-10T02:00:04.691643Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK 113",
				"G0061",
				"Storm-0288",
				"Syssphinx"
			],
			"source_name": "ETDA:FIN8",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BadHatch",
				"BlackCat",
				"Noberus",
				"PSVC",
				"PUNCHTRACK",
				"PoSlurp",
				"Powersniff",
				"PunchBuggy",
				"Ragnar Loader",
				"Ragnar Locker",
				"RagnarLocker",
				"Sardonic",
				"ShellTea"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434749,
	"ts_updated_at": 1775792064,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d50c6b80ce0ea0898d6dcd5980270a4bb36a9278.pdf",
		"text": "https://archive.orkl.eu/d50c6b80ce0ea0898d6dcd5980270a4bb36a9278.txt",
		"img": "https://archive.orkl.eu/d50c6b80ce0ea0898d6dcd5980270a4bb36a9278.jpg"
	}
}