win.abaddon_pos

AbaddonPOS

aka: PinkKite, TinyPOS

MajorGeeks describes this malware as locating credit card data by scraping the memory of every running process except its own, which it excludes by blacklisting its own PID as returned by the GetCurrentProcessId API. Once card data is found, it is exfiltrated to a command-and-control server over a custom binary protocol rather than HTTP, so network detections that only inspect HTTP traffic will not see the exfiltration.

References
2021-02-15Medium s2wlabSojun Ryu
@online{ryu:20210215:operation:b0712b0, author = {Sojun Ryu}, title = {{Operation SyncTrek}}, date = {2021-02-15}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/operation-synctrek-e5013df8d167}, language = {English}, urldate = {2021-09-02} } Operation SyncTrek
AbaddonPOS Azorult Clop DoppelDridex DoppelPaymer Dridex PwndLocker
2020-11-02One Night in NorfolkKevin Perlow
@online{perlow:20201102:tinypos:876ddb3, author = {Kevin Perlow}, title = {{TinyPOS and ProLocker: An Odd Relationship}}, date = {2020-11-02}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/}, language = {English}, urldate = {2020-11-09} } TinyPOS and ProLocker: An Odd Relationship
AbaddonPOS PwndLocker
2020-05-21VMWare Carbon BlackJared Myers
@online{myers:20200521:tau:4f64594, author = {Jared Myers}, title = {{TAU Technical Report: New Attack Combines TinyPOS With Living-off-the-Land Techniques for Scraping Credit Card Data}}, date = {2020-05-21}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/05/21/tau-technical-report-new-attack-combines-tinypos-with-living-off-the-land-techniques-for-scraping-credit-card-data/}, language = {English}, urldate = {2020-05-23} } TAU Technical Report: New Attack Combines TinyPOS With Living-off-the-Land Techniques for Scraping Credit Card Data
AbaddonPOS
2018-03-14ThreatpostTom Spring
@online{spring:20180314:new:e692b68, author = {Tom Spring}, title = {{New POS Malware PinkKite Takes Flight}}, date = {2018-03-14}, organization = {Threatpost}, url = {https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/}, language = {English}, urldate = {2019-11-26} } New POS Malware PinkKite Takes Flight
AbaddonPOS
2016-05-10ProofpointMatthew Mesa, Darien Huss
@online{mesa:20160510:setting:2b54ce3, author = {Matthew Mesa and Darien Huss}, title = {{Setting Sights On Retail: AbaddonPOS Now Targeting Specific POS Software}}, date = {2016-05-10}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software}, language = {English}, urldate = {2019-12-20} } Setting Sights On Retail: AbaddonPOS Now Targeting Specific POS Software
AbaddonPOS TinyLoader
2015-11-11ProofpointDarien Huss
@online{huss:20151111:abaddonpos:ca72c4c, author = {Darien Huss}, title = {{AbaddonPOS: A new point of sale threat linked to Vawtrak}}, date = {2015-11-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak}, language = {English}, urldate = {2019-12-20} } AbaddonPOS: A new point of sale threat linked to Vawtrak
AbaddonPOS TinyLoader
Yara Rules
[TLP:WHITE] win_abaddon_pos_auto (20230715 | Detects win.abaddon_pos.)
rule win_abaddon_pos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.abaddon_pos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The sequences are raw code bytes; none of them is a plain-text string,
     *   so this rule only fires on unpacked code (memory dumps, unpacked files).
     *   It is not expected to match a packed on-disk dropper.
     * - Several sequences (2, 5, 7, 8, 9, 10, 14, 15) contain a leading 0x48
     *   byte that the generator rendered as "dec eax". In 64-bit code 0x48 is
     *   the REX.W prefix, so e.g. "48 83c420" is really "add rsp, 0x20" and
     *   "48 c7c1f4010000" is "mov rcx, 0x1f4". The disassembly comments were
     *   produced in 32-bit mode; read those sequences as x64 code. The mix of
     *   32-bit (ebp-relative, push/call) and 64-bit sequences suggests the
     *   training set contained both bitnesses -- confirm before tuning.
     * - "7 of them" needs 7 of 16 sequences; a single hit is never enough.
     */


    strings:
        // Byte flags in a context structure (esi+0x1b4, esi+0x1b8) compared
        // against 2 and 1; the structure layout is not visible here.
        $sequence_0 = { 80beb401000002 750f 80beb801000001 7506 }
            // n = 4, score = 100
            //   80beb401000002       | cmp                 byte ptr [esi + 0x1b4], 2
            //   750f                 | jne                 0x11
            //   80beb801000001       | cmp                 byte ptr [esi + 0x1b8], 1
            //   7506                 | jne                 8

        // Bounds check against 0xc followed by clearing a counter at esi+0x1ac.
        $sequence_1 = { 83f80c 7702 eb05 e9???????? 31db c786ac01000000000000 }
            // n = 6, score = 100
            //   83f80c               | cmp                 eax, 0xc
            //   7702                 | ja                  4
            //   eb05                 | jmp                 7
            //   e9????????           |                     
            //   31db                 | xor                 ebx, ebx
            //   c786ac01000000000000     | mov    dword ptr [esi + 0x1ac], 0

        // x64: mov rcx, 0x1f4 ; call [imm] ; add rsp, 0x20 -- a single-argument
        // call (rcx = 500) followed by the 0x20-byte shadow-space cleanup typical
        // of the Win64 calling convention. The callee is not recoverable here.
        $sequence_2 = { 48 c7c1f4010000 ff15???????? 48 83c420 48 }
            // n = 6, score = 100
            //   48                   | dec                 eax
            //   c7c1f4010000         | mov                 ecx, 0x1f4
            //   ff15????????         |                     
            //   48                   | dec                 eax
            //   83c420               | add                 esp, 0x20
            //   48                   | dec                 eax

        $sequence_3 = { 8908 83c008 8d95e4feffff 52 50 ff15???????? 6a00 }
            // n = 7, score = 100
            //   8908                 | mov                 dword ptr [eax], ecx
            //   83c008               | add                 eax, 8
            //   8d95e4feffff         | lea                 edx, [ebp - 0x11c]
            //   52                   | push                edx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6a00                 | push                0

        // Character-class test on dl against '^' (0x5e), '=' (0x3d), NUL and
        // '|' (0x7c). '^' and '=' are the field separators of magstripe Track 1
        // and Track 2 data, so this is consistent with the card-data scraper
        // role described for the family. Good candidate for a higher-confidence
        // sub-signature.
        $sequence_4 = { 80fa5e 741c 80fa3d 7417 80fa00 7612 80fa7c }
            // n = 7, score = 100
            //   80fa5e               | cmp                 dl, 0x5e
            //   741c                 | je                  0x1e
            //   80fa3d               | cmp                 dl, 0x3d
            //   7417                 | je                  0x19
            //   80fa00               | cmp                 dl, 0
            //   7612                 | jbe                 0x14
            //   80fa7c               | cmp                 dl, 0x7c

        // x64: mov rcx, rbx ; mov rdx, 0x80 ; call [imm]. Two-argument call with
        // a fixed 0x80 second argument; callee not visible.
        $sequence_5 = { 48 89d9 48 c7c280000000 ff15???????? }
            // n = 5, score = 100
            //   48                   | dec                 eax
            //   89d9                 | mov                 ecx, ebx
            //   48                   | dec                 eax
            //   c7c280000000         | mov                 edx, 0x80
            //   ff15???????? |                     

        // Computes a base + index*stride address, then pushes 0x7d000 (512000)
        // and that address before an import call -- a fixed-size block read or
        // allocation. NOTE(review): plausibly the memory-scraping read loop
        // (e.g. ReadProcessMemory chunk size); confirm against the import.
        $sequence_6 = { 0faf45f4 03855cfeffff 6800d00700 50 ff15???????? }
            // n = 5, score = 100
            //   0faf45f4             | imul                eax, dword ptr [ebp - 0xc]
            //   03855cfeffff         | add                 eax, dword ptr [ebp - 0x1a4]
            //   6800d00700           | push                0x7d000
            //   50                   | push                eax
            //   ff15????????         |                     

        // x64: stores a result at esi+0x5b8 and jumps far ahead when rax == 0
        // (the usual NULL/failure check after an API call).
        $sequence_7 = { 8986b8050000 48 83f800 0f844e030000 48 }
            // n = 5, score = 100
            //   8986b8050000         | mov                 dword ptr [esi + 0x5b8], eax
            //   48                   | dec                 eax
            //   83f800               | cmp                 eax, 0
            //   0f844e030000         | je                  0x354
            //   48                   | dec                 eax

        $sequence_8 = { 8b9ec8050000 48 8918 48 83c008 }
            // n = 5, score = 100
            //   8b9ec8050000         | mov                 ebx, dword ptr [esi + 0x5c8]
            //   48                   | dec                 eax
            //   8918                 | mov                 dword ptr [eax], ebx
            //   48                   | dec                 eax
            //   83c008               | add                 eax, 8

        // x64: shadow-space cleanup, then loads a pointer from esi+0x5d0 and
        // advances it by 0x400 (same 0x400 step as sequence_11).
        $sequence_9 = { 48 83c420 48 8b86d0050000 48 0500040000 }
            // n = 6, score = 100
            //   48                   | dec                 eax
            //   83c420               | add                 esp, 0x20
            //   48                   | dec                 eax
            //   8b86d0050000         | mov                 eax, dword ptr [esi + 0x5d0]
            //   48                   | dec                 eax
            //   0500040000           | add                 eax, 0x400

        // Three immediate stores at esi+0x5e0 (word = 2), esi+0x5e2 (word) and
        // esi+0x5e4 (dword). That layout matches a sockaddr_in filled inline:
        // sin_family = AF_INET (2), sin_port, sin_addr -- i.e. a hard-coded C2
        // endpoint rather than a resolved hostname, which fits the custom
        // binary-protocol C2 described for the family. NOTE(review): taken as
        // network byte order the stored bytes would decode to port 17771
        // (0x456b) and address 194.165.16.165; confirm against the sample
        // before using either value as an IOC, and expect the bytes to differ
        // between builds, so this sequence will not generalize.
        $sequence_10 = { c786e4050000c2a510a5 66c786e2050000456b 66c786e00500000200 48 8b86d0050000 }
            // n = 5, score = 100
            //   c786e4050000c2a510a5     | mov    dword ptr [esi + 0x5e4], 0xa510a5c2
            //   66c786e2050000456b     | mov    word ptr [esi + 0x5e2], 0x6b45
            //   66c786e00500000200     | mov    word ptr [esi + 0x5e0], 2
            //   48                   | dec                 eax
            //   8b86d0050000         | mov                 eax, dword ptr [esi + 0x5d0]

        // 32-bit: first argument + 0x400 pushed before an import call.
        $sequence_11 = { 7402 eb68 8b5d08 81c300040000 53 ff15???????? }
            // n = 6, score = 100
            //   7402                 | je                  4
            //   eb68                 | jmp                 0x6a
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   81c300040000         | add                 ebx, 0x400
            //   53                   | push                ebx
            //   ff15????????         |                     

        // push 5 before an import call, then a loop-bound compare of two fields
        // at esi+0x1a0 / esi+0x1a4 (same structure region as sequences 0 and 1).
        $sequence_12 = { 7508 6a05 ff15???????? 8b86a0010000 3b86a4010000 0f83e6030000 }
            // n = 6, score = 100
            //   7508                 | jne                 0xa
            //   6a05                 | push                5
            //   ff15????????         |                     
            //   8b86a0010000         | mov                 eax, dword ptr [esi + 0x1a0]
            //   3b86a4010000         | cmp                 eax, dword ptr [esi + 0x1a4]
            //   0f83e6030000         | jae                 0x3ec

        // The same two-argument call (0x1c, esi+0x100) issued twice in a row.
        $sequence_13 = { ff15???????? 6a1c 8d9600010000 52 ff15???????? 6a1c 8d9600010000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   6a1c                 | push                0x1c
            //   8d9600010000         | lea                 edx, [esi + 0x100]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   6a1c                 | push                0x1c
            //   8d9600010000         | lea                 edx, [esi + 0x100]

        // x64: mov rcx, [rsi+0x5c0] ; mov rdx, 0 ; call ; add rsp, 0x20.
        $sequence_14 = { 48 8b8ec0050000 48 c7c200000000 ff15???????? 48 83c420 }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   8b8ec0050000         | mov                 ecx, dword ptr [esi + 0x5c0]
            //   48                   | dec                 eax
            //   c7c200000000         | mov                 edx, 0
            //   ff15????????         |                     
            //   48                   | dec                 eax
            //   83c420               | add                 esp, 0x20

        // x64: "add rax, 0" is a no-op instruction (a compiler or packer
        // artefact); the distinctive part is the esi+0x5b8 load.
        $sequence_15 = { 48 83c000 48 8b9eb8050000 48 }
            // n = 5, score = 100
            //   48                   | dec                 eax
            //   83c000               | add                 eax, 0
            //   48                   | dec                 eax
            //   8b9eb8050000         | mov                 ebx, dword ptr [esi + 0x5b8]
            //   48                   | dec                 eax

    condition:
        // 7 of the 16 code sequences AND a file smaller than 40 KiB. The size
        // bound keeps the rule cheap on large files, but it also means the rule
        // will not match an unpacked sample that has been padded or embedded in
        // a larger container, and filesize is not meaningful when YARA scans
        // process memory; drop or raise the bound if the rule is used that way.
        7 of them and filesize < 40960
}
[TLP:WHITE] win_abaddon_pos_w0   (20180322 | AbaddonPOS)
rule win_abaddon_pos_w0 {
    // Hand-written vendor rule (Proofpoint, 2015 AbaddonPOS report). The
    // "reference" meta holds the MD5 of the sample it was written against.
    meta:
        author = "Darien Huss, Proofpoint"
        description = "AbaddonPOS"
        reference = "md5,317f9c57f7983e2608d5b2f00db954ff"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos"
        malpedia_version = "20180322"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Family-specific marker; the only string here that is not generic.
        $s1 = "devil_host" fullword ascii
        // "Chrome" and the Run key are both common in legitimate software.
        // They are safe only because the condition requires all three $s
        // strings together; do not loosen "all of ($s*)" to "any of".
        $s2 = "Chrome" fullword ascii
        // HKCU/HKLM ...\CurrentVersion\Run -- the persistence location the
        // sample writes to.
        $s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" fullword ascii
        // Short code pattern (9 bytes, 2 wildcards) containing the byte run
        // 55 89 E5, which commonly appears as a 32-bit function prologue
        // (push ebp / mov ebp, esp). Because the condition lets $i1 match on
        // its own, this pattern carries the rule's false-positive risk;
        // validate it against a goodware corpus before deploying at scale.
        $i1 = { 31 ?? 81 ?? 55 89 E5 8B 74 }
    condition:
        // Either the full string triple, or the code pattern alone. Consider
        // anchoring the $i1 branch with an MZ/PE check (uint16(0) == 0x5A4D)
        // if it proves noisy on non-PE content.
        all of ($s*) or $i1
}