win.abaddon_pos

AbaddonPOS

aka: PinkKite, TinyPOS

MajorGeeks describes this malware as locating credit card data by reading the memory of every process except its own, which it excludes by first obtaining its own PID through the GetCurrentProcessId API. Once such data is found, it is sent back to a command-and-control server using a custom binary protocol rather than HTTP.

References
2021-02-15 — Medium s2wlab — Sojun Ryu
@online{ryu:20210215:operation:b0712b0, author = {Sojun Ryu}, title = {{Operation SyncTrek}}, date = {2021-02-15}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/operation-synctrek-e5013df8d167}, language = {English}, urldate = {2021-09-02} } Operation SyncTrek
AbaddonPOS Azorult Clop DoppelDridex DoppelPaymer Dridex PwndLocker
2020-11-02 — One Night in Norfolk — Kevin Perlow
@online{perlow:20201102:tinypos:876ddb3, author = {Kevin Perlow}, title = {{TinyPOS and ProLocker: An Odd Relationship}}, date = {2020-11-02}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/}, language = {English}, urldate = {2020-11-09} } TinyPOS and ProLocker: An Odd Relationship
AbaddonPOS PwndLocker
2020-05-21 — VMWare Carbon Black — Jared Myers
@online{myers:20200521:tau:4f64594, author = {Jared Myers}, title = {{TAU Technical Report: New Attack Combines TinyPOS With Living-off-the-Land Techniques for Scraping Credit Card Data}}, date = {2020-05-21}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/05/21/tau-technical-report-new-attack-combines-tinypos-with-living-off-the-land-techniques-for-scraping-credit-card-data/}, language = {English}, urldate = {2020-05-23} } TAU Technical Report: New Attack Combines TinyPOS With Living-off-the-Land Techniques for Scraping Credit Card Data
AbaddonPOS
2018-03-14 — Threatpost — Tom Spring
@online{spring:20180314:new:e692b68, author = {Tom Spring}, title = {{New POS Malware PinkKite Takes Flight}}, date = {2018-03-14}, organization = {Threatpost}, url = {https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/}, language = {English}, urldate = {2019-11-26} } New POS Malware PinkKite Takes Flight
AbaddonPOS
2016-05-10 — Proofpoint — Matthew Mesa, Darien Huss
@online{mesa:20160510:setting:2b54ce3, author = {Matthew Mesa and Darien Huss}, title = {{Setting Sights On Retail: AbaddonPOS Now Targeting Specific POS Software}}, date = {2016-05-10}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software}, language = {English}, urldate = {2019-12-20} } Setting Sights On Retail: AbaddonPOS Now Targeting Specific POS Software
AbaddonPOS TinyLoader
2015-11-11 — Proofpoint — Darien Huss
@online{huss:20151111:abaddonpos:ca72c4c, author = {Darien Huss}, title = {{AbaddonPOS: A new point of sale threat linked to Vawtrak}}, date = {2015-11-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak}, language = {English}, urldate = {2019-12-20} } AbaddonPOS: A new point of sale threat linked to Vawtrak
AbaddonPOS TinyLoader
Yara Rules
[TLP:WHITE] win_abaddon_pos_auto (20221125 | Detects win.abaddon_pos.)
rule win_abaddon_pos_auto {

    // Auto-generated code-sequence signature for AbaddonPOS (aka PinkKite / TinyPOS).
    // Each $sequence_N below is a short run of instruction bytes lifted from the
    // disassembly of a Malpedia sample. The `??` wildcards blank out call/jump
    // targets and data references (see signator_config), so the byte pattern is
    // not tied to one load address or link layout.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.abaddon_pos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): several sequences begin with byte `48`, which the 32-bit
    // listing below renders as `dec eax`. In 64-bit code 0x48 is the REX.W
    // prefix, so e.g. `48 83c420` reads as `add rsp, 0x20` and `48 83ec20` as
    // `sub rsp, 0x20` — consistent with x64 shadow-space handling around calls.
    // Treat the `dec eax` annotations on those lines as a disassembler artefact
    // and confirm the sample's bitness before reasoning about them.

    strings:
        // NUL-byte test on the buffer at eax (`cmp byte ptr [eax], 0`), reached
        // after a masked add-immediate; the two jbe targets sit outside the run.
        $sequence_0 = { 7602 eb22 05???????? 803800 7618 8d95e4feffff }
            // n = 6, score = 100
            //   7602                 | jbe                 4
            //   eb22                 | jmp                 0x24
            //   05????????           |                     
            //   803800               | cmp                 byte ptr [eax], 0
            //   7618                 | jbe                 0x1a
            //   8d95e4feffff         | lea                 edx, [ebp - 0x11c]

        // Two masked import calls; the second receives the constant 0xc8 (200).
        $sequence_1 = { 53 50 ff15???????? 68c8000000 ff15???????? e9???????? }
            // n = 6, score = 100
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   68c8000000           | push                0xc8
            //   ff15????????         |                     
            //   e9????????           |                     

        // Post-call stack cleanup of 0x20 followed by a `cmp eax, -1` return check
        // (under REX.W: `add rsp, 0x20`).
        $sequence_2 = { 48 83c420 83f8ff 7502 }
            // n = 4, score = 100
            //   48                   | dec                 eax
            //   83c420               | add                 esp, 0x20
            //   83f8ff               | cmp                 eax, -1
            //   7502                 | jne                 4

        // Stores eax to [ebp-0xc], then pushes 0x7530 (decimal 30000) and that
        // value to a masked import — plausibly a millisecond timeout, unverified.
        $sequence_3 = { 7505 e9???????? 8945f4 6830750000 ff75f4 ff15???????? 6a00 }
            // n = 7, score = 100
            //   7505                 | jne                 7
            //   e9????????           |                     
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   6830750000           | push                0x7530
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff15????????         |                     
            //   6a00                 | push                0

        // Zero-check on eax, store to [ebp-4], then push 0xea60 (decimal 60000) —
        // same shape as $sequence_3 with the larger constant; unverified meaning.
        $sequence_4 = { 83f800 744d 8945fc 6860ea0000 }
            // n = 4, score = 100
            //   83f800               | cmp                 eax, 0
            //   744d                 | je                  0x4f
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   6860ea0000           | push                0xea60

        // Byte flag at [esi+0x1b8] == 1 gates a store of ecx to [esi+0x1bc],
        // then ebx is incremented.
        $sequence_5 = { 80beb801000001 7506 898ebc010000 43 }
            // n = 4, score = 100
            //   80beb801000001       | cmp                 byte ptr [esi + 0x1b8], 1
            //   7506                 | jne                 8
            //   898ebc010000         | mov                 dword ptr [esi + 0x1bc], ecx
            //   43                   | inc                 ebx

        // Scales ebx by 0x80 and compares against 0x2d00 (= 0x5a * 0x80): looks
        // like a bounds test on an index times a 128-byte record size.
        $sequence_6 = { 89d8 69c080000000 3d002d0000 7607 b8???????? eb22 05???????? }
            // n = 7, score = 100
            //   89d8                 | mov                 eax, ebx
            //   69c080000000         | imul                eax, eax, 0x80
            //   3d002d0000           | cmp                 eax, 0x2d00
            //   7607                 | jbe                 9
            //   b8????????           |                     
            //   eb22                 | jmp                 0x24
            //   05????????           |                     

        // Under REX.W: load [rsi+0x5b8] into rbx, store it at [rax], advance rax
        // by 8. The rsi+0x5b8 / rsi+0x5d0 fields recur in sequences 9, 10 and 12
        // — presumably the same context structure.
        $sequence_7 = { 48 8b9eb8050000 48 8918 48 83c008 }
            // n = 6, score = 100
            //   48                   | dec                 eax
            //   8b9eb8050000         | mov                 ebx, dword ptr [esi + 0x5b8]
            //   48                   | dec                 eax
            //   8918                 | mov                 dword ptr [eax], ebx
            //   48                   | dec                 eax
            //   83c008               | add                 eax, 8

        // Calls a masked import with a stack buffer (ebp-0x140) and the value at
        // ebp-0x18, then branches far on a zero result before reading ebp-0x138.
        $sequence_8 = { 8d95c0feffff 52 ff75e8 ff15???????? 85c0 0f8455010000 8b85c8feffff }
            // n = 7, score = 100
            //   8d95c0feffff         | lea                 edx, [ebp - 0x140]
            //   52                   | push                edx
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f8455010000         | je                  0x15b
            //   8b85c8feffff         | mov                 eax, dword ptr [ebp - 0x138]

        // Stores eax to [rsi+0x5b8] (REX.W) and takes a long forward branch when
        // it is zero.
        $sequence_9 = { 48 8986b8050000 48 83f800 0f844e030000 }
            // n = 5, score = 100
            //   48                   | dec                 eax
            //   8986b8050000         | mov                 dword ptr [esi + 0x5b8], eax
            //   48                   | dec                 eax
            //   83f800               | cmp                 eax, 0
            //   0f844e030000         | je                  0x354

        // Stack cleanup of 0x20 followed by a load from [rsi+0x5d0]; the
        // `add eax, 0` is a no-op the compiler left in.
        $sequence_10 = { 83c420 48 8b86d0050000 48 83c000 48 }
            // n = 6, score = 100
            //   83c420               | add                 esp, 0x20
            //   48                   | dec                 eax
            //   8b86d0050000         | mov                 eax, dword ptr [esi + 0x5d0]
            //   48                   | dec                 eax
            //   83c000               | add                 eax, 0
            //   48                   | dec                 eax

        // Loads [esi+8] into eax, calls a masked import, then the 0x20 cleanup.
        $sequence_11 = { 8b4608 ff15???????? 48 83c420 48 }
            // n = 5, score = 100
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   ff15????????         |                     
            //   48                   | dec                 eax
            //   83c420               | add                 esp, 0x20
            //   48                   | dec                 eax

        // Reserves 0x20 on the stack (REX.W: `sub rsp, 0x20`) and loads the
        // rsi+0x5d0 field into rcx.
        $sequence_12 = { 48 83ec20 48 8b8ed0050000 }
            // n = 4, score = 100
            //   48                   | dec                 eax
            //   83ec20               | sub                 esp, 0x20
            //   48                   | dec                 eax
            //   8b8ed0050000         | mov                 ecx, dword ptr [esi + 0x5d0]

        // Advances ebx by 8 and clamps to 0x100 (the jbe-taken path lies outside
        // the run).
        $sequence_13 = { 48 83c308 81fb00010000 7607 b800010000 }
            // n = 5, score = 100
            //   48                   | dec                 eax
            //   83c308               | add                 ebx, 8
            //   81fb00010000         | cmp                 ebx, 0x100
            //   7607                 | jbe                 9
            //   b800010000           | mov                 eax, 0x100

        // min([esi+0x10c], 0x7cf80) added to [esi+0x100]: a length field capped
        // before being added to a base value.
        $sequence_14 = { 81be0c01000080cf0700 7607 bb80cf0700 eb06 8b9e0c010000 8b8600010000 01d8 }
            // n = 7, score = 100
            //   81be0c01000080cf0700     | cmp    dword ptr [esi + 0x10c], 0x7cf80
            //   7607                 | jbe                 9
            //   bb80cf0700           | mov                 ebx, 0x7cf80
            //   eb06                 | jmp                 8
            //   8b9e0c010000         | mov                 ebx, dword ptr [esi + 0x10c]
            //   8b8600010000         | mov                 eax, dword ptr [esi + 0x100]
            //   01d8                 | add                 eax, ebx

        // Loop tail: advances ebx by 6 and takes a short backward jump (ebc3).
        $sequence_15 = { e9???????? 48 83c306 ebc3 48 }
            // n = 5, score = 100
            //   e9????????           |                     
            //   48                   | dec                 eax
            //   83c306               | add                 ebx, 6
            //   ebc3                 | jmp                 0xffffffc5
            //   48                   | dec                 eax

    condition:
        // Any 7 of the 16 sequences suffice. The 40 KiB filesize cap presumably
        // reflects the small unpacked sample the rule was generated from.
        // NOTE(review): the size term suppresses matches on larger memory dumps
        // or packed containers — scan the unpacked image, or relax it deliberately.
        7 of them and filesize < 40960
}
[TLP:WHITE] win_abaddon_pos_w0   (20180322 | AbaddonPOS)
rule win_abaddon_pos_w0 {
    // Hand-written AbaddonPOS signature from Proofpoint's 2015 analysis.
    // The `reference` field carries the MD5 of the analysed sample.
    meta:
        author = "Darien Huss, Proofpoint"
        description = "AbaddonPOS"
        reference = "md5,317f9c57f7983e2608d5b2f00db954ff"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos"
        malpedia_version = "20180322"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // The three $s strings are only evaluated together (see condition):
        // a family-specific token, a browser name, and the registry Run key
        // (an autostart location commonly used for persistence).
        $s1 = "devil_host" fullword ascii
        $s2 = "Chrome" fullword ascii
        $s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" fullword ascii
        // 9-byte opcode pattern with two wildcards; `55 89 E5` is the ordinary
        // `push ebp; mov ebp, esp` prologue. NOTE(review): since the condition
        // accepts $i1 on its own, expect some false positives on unrelated
        // 32-bit code — measure $i1 against a clean corpus before using this
        // rule for anything beyond triage.
        $i1 = { 31 ?? 81 ?? 55 89 E5 8B 74 }
    condition:
        // Either all three strings, or the opcode pattern by itself.
        all of ($s*) or $i1
}