win.abaddon_pos

AbaddonPOS

aka: PinkKite, TinyPOS

MajorGeeks describes this malware as attempting to locate credit card data by reading the memory of every process except its own, which it excludes by first blacklisting its own PID obtained through the GetCurrentProcessId API. Once such data is discovered, it is sent back to a command-and-control server using a custom binary protocol rather than HTTP.

References
2021-02-15 — Medium s2wlab — Sojun Ryu
Operation SyncTrek
AbaddonPOS Azorult Clop DoppelDridex DoppelPaymer Dridex PwndLocker
2020-11-02 — One Night in Norfolk — Kevin Perlow
TinyPOS and ProLocker: An Odd Relationship
AbaddonPOS PwndLocker
2020-05-21 — VMWare Carbon Black — Jared Myers
TAU Technical Report: New Attack Combines TinyPOS With Living-off-the-Land Techniques for Scraping Credit Card Data
AbaddonPOS
2018-03-14 — Threatpost — Tom Spring
New POS Malware PinkKite Takes Flight
AbaddonPOS
2016-05-10 — Proofpoint — Darien Huss, Matthew Mesa
Setting Sights On Retail: AbaddonPOS Now Targeting Specific POS Software
AbaddonPOS TinyLoader
2015-11-11 — Proofpoint — Darien Huss
AbaddonPOS: A new point of sale threat linked to Vawtrak
AbaddonPOS TinyLoader
Yara Rules
[TLP:WHITE] win_abaddon_pos_auto (20260504 | Detects win.abaddon_pos.)
rule win_abaddon_pos_auto {
    /* Autogenerated code-sequence signature for win.abaddon_pos.
     *
     * Each $sequence_N below is a short run of instruction bytes lifted by
     * yara-signator from disassembly; "n" is the number of instructions in
     * the sequence and "score" is the generator's ranking value for it
     * (exact scoring semantics are yara-signator internals — see its
     * repository linked in the disclaimer).
     *
     * The "????????" bytes mask the 4-byte operands of e9 (jmp rel32) and
     * ff15 (indirect call through a pointer), so address-dependent operands
     * do not tie the rule to a single build or load address.
     *
     * NOTE(review): several sequences ($sequence_3, _5, _6, _7, _10, _14)
     * contain 0x48/0x49/0x4c bytes that the listing annotates as 32-bit
     * "dec"/"inc"; in x86-64 code these are REX prefixes (e.g. "48 83c420"
     * is add rsp, 0x20, "48 89c1" is mov rcx, rax). The byte patterns are
     * what YARA matches, so this does not affect detection, but the
     * per-line mnemonics for those sequences should be read as 32-bit
     * decodings of what is most likely 64-bit code.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.abaddon_pos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Only sequence with score = 200; the rest are weighted 100.
        $sequence_0 = { 750a 83fb3c 7605 e9???????? }
            // n = 4, score = 200
            //   750a                 | jne                 0xc
            //   83fb3c               | cmp                 ebx, 0x3c
            //   7605                 | jbe                 7
            //   e9????????           |                     

        $sequence_1 = { b804d00700 0faf45f4 03855cfeffff 6800d00700 50 }
            // n = 5, score = 100
            //   b804d00700           | mov                 eax, 0x7d004
            //   0faf45f4             | imul                eax, dword ptr [ebp - 0xc]
            //   03855cfeffff         | add                 eax, dword ptr [ebp - 0x1a4]
            //   6800d00700           | push                0x7d000
            //   50                   | push                eax

        $sequence_2 = { 038560feffff 6a00 6a00 50 }
            // n = 4, score = 100
            //   038560feffff         | add                 eax, dword ptr [ebp - 0x1a0]
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   50                   | push                eax

        // 4c / 49 / 48 here are REX prefixes when decoded as x86-64 (see header note).
        $sequence_3 = { 4c 8b7d10 49 81c700040000 48 }
            // n = 5, score = 100
            //   4c                   | dec                 esp
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   49                   | dec                 ecx
            //   81c700040000         | add                 edi, 0x400
            //   48                   | dec                 eax

        $sequence_4 = { 81bea001000000dc0500 740c 81bea001000000d60600 7508 }
            // n = 4, score = 100
            //   81bea001000000dc0500     | cmp    dword ptr [esi + 0x1a0], 0x5dc00
            //   740c                 | je                  0xe
            //   81bea001000000d60600     | cmp    dword ptr [esi + 0x1a0], 0x6d600
            //   7508                 | jne                 0xa

        // 0xa0d written as a dword is the byte pair 0d 0a, i.e. "\r\n".
        $sequence_5 = { 89d9 ff15???????? 48 83c420 c704030d0a0000 48 }
            // n = 6, score = 100
            //   89d9                 | mov                 ecx, ebx
            //   ff15????????         |                     
            //   48                   | dec                 eax
            //   83c420               | add                 esp, 0x20
            //   c704030d0a0000       | mov                 dword ptr [ebx + eax], 0xa0d
            //   48                   | dec                 eax

        $sequence_6 = { 48 0500040000 803800 7664 48 31c9 48 }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   0500040000           | add                 eax, 0x400
            //   803800               | cmp                 byte ptr [eax], 0
            //   7664                 | jbe                 0x66
            //   48                   | dec                 eax
            //   31c9                 | xor                 ecx, ecx
            //   48                   | dec                 eax

        // Stack adjustments of 0x20/0x30 around calls (see also $sequence_10).
        $sequence_7 = { 83c420 48 83c408 48 83ec30 48 c7c100000000 }
            // n = 7, score = 100
            //   83c420               | add                 esp, 0x20
            //   48                   | dec                 eax
            //   83c408               | add                 esp, 8
            //   48                   | dec                 eax
            //   83ec30               | sub                 esp, 0x30
            //   48                   | dec                 eax
            //   c7c100000000         | mov                 ecx, 0

        // Writes to fixed offsets 0x1b0/0x1b8/0x1bc from esi; $sequence_4,
        // $sequence_11 and $sequence_13 touch nearby offsets from the same base.
        $sequence_8 = { c786b801000000000000 c786bc01000000000000 807b0100 750c c786b001000001000000 eb0a c786b001000000000000 }
            // n = 7, score = 100
            //   c786b801000000000000     | mov    dword ptr [esi + 0x1b8], 0
            //   c786bc01000000000000     | mov    dword ptr [esi + 0x1bc], 0
            //   807b0100             | cmp                 byte ptr [ebx + 1], 0
            //   750c                 | jne                 0xe
            //   c786b001000001000000     | mov    dword ptr [esi + 0x1b0], 1
            //   eb0a                 | jmp                 0xc
            //   c786b001000000000000     | mov    dword ptr [esi + 0x1b0], 0

        $sequence_9 = { eba6 43 ebcd ffb5c8feffff }
            // n = 4, score = 100
            //   eba6                 | jmp                 0xffffffa8
            //   43                   | inc                 ebx
            //   ebcd                 | jmp                 0xffffffcf
            //   ffb5c8feffff         | push                dword ptr [ebp - 0x138]

        $sequence_10 = { ff15???????? 48 83c430 48 83ec20 48 89c1 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   48                   | dec                 eax
            //   83c430               | add                 esp, 0x30
            //   48                   | dec                 eax
            //   83ec20               | sub                 esp, 0x20
            //   48                   | dec                 eax
            //   89c1                 | mov                 ecx, eax

        $sequence_11 = { 52 ff15???????? 0186a0010000 ff86a0010000 e9???????? 6a05 ff15???????? }
            // n = 7, score = 100
            //   52                   | push                edx
            //   ff15????????         |                     
            //   0186a0010000         | add                 dword ptr [esi + 0x1a0], eax
            //   ff86a0010000         | inc                 dword ptr [esi + 0x1a0]
            //   e9????????           |                     
            //   6a05                 | push                5
            //   ff15????????         |                     

        // Clamps ebx to at most 0x100 (min(ebx, 0x100) into eax).
        $sequence_12 = { 81fb00010000 7607 b800010000 eb02 89d8 }
            // n = 5, score = 100
            //   81fb00010000         | cmp                 ebx, 0x100
            //   7607                 | jbe                 9
            //   b800010000           | mov                 eax, 0x100
            //   eb02                 | jmp                 4
            //   89d8                 | mov                 eax, ebx

        $sequence_13 = { c786a801000000000000 fe86a8010000 42 80beb001000001 }
            // n = 4, score = 100
            //   c786a801000000000000     | mov    dword ptr [esi + 0x1a8], 0
            //   fe86a8010000         | inc                 byte ptr [esi + 0x1a8]
            //   42                   | inc                 edx
            //   80beb001000001       | cmp                 byte ptr [esi + 0x1b0], 1

        $sequence_14 = { 7208 48 83f80c 7702 eb05 e9???????? 48 }
            // n = 7, score = 100
            //   7208                 | jb                  0xa
            //   48                   | dec                 eax
            //   83f80c               | cmp                 eax, 0xc
            //   7702                 | ja                  4
            //   eb05                 | jmp                 7
            //   e9????????           |                     
            //   48                   | dec                 eax

    // Requires 7 of the 15 sequences AND a file under 40 KiB (40960 bytes).
    // The size cap keeps the rule to small unpacked/dumped binaries; larger
    // containers (packed droppers, full memory images) will not match even if
    // enough sequences are present.
    condition:
        7 of them and filesize < 40960
}
[TLP:WHITE] win_abaddon_pos_w0   (20180322 | AbaddonPOS)
rule win_abaddon_pos_w0 {
    /* Hand-written AbaddonPOS signature (Proofpoint, 2018 Malpedia import).
     * "reference" holds the MD5 of the sample the rule was derived from.
     */
    meta:
        author = "Darien Huss, Proofpoint"
        description = "AbaddonPOS"
        reference = "md5,317f9c57f7983e2608d5b2f00db954ff"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos"
        malpedia_version = "20180322"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Family-specific token; the only $s* string that is not common in
        // benign software, so the "all of ($s*)" branch relies on it.
        $s1 = "devil_host" fullword ascii
        // Generic: appears in many legitimate binaries.
        $s2 = "Chrome" fullword ascii
        // Generic persistence key path; also widespread in benign installers.
        $s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" fullword ascii
        // 9-byte code pattern with two wildcard bytes; 55 89 E5 is a standard
        // 32-bit function prologue (push ebp; mov ebp, esp) followed by
        // 8B 74 (mov esi, [...]).
        $i1 = { 31 ?? 81 ?? 55 89 E5 8B 74 }
    // NOTE(review): $i1 alone is enough to fire. Because it is short, partly
    // wildcarded and built around a generic prologue, hits that satisfy only
    // the $i1 branch (without $s1) should be treated as lower confidence and
    // confirmed against the $s* strings or the win_abaddon_pos_auto rule.
    condition:
        all of ($s*) or $i1
}