Malpedia identifier: win.blackpos

BlackPOS

aka: Kaptoxa, MMon, POSWDS, Reedum

BlackPOS targets Windows hosts that belong to a point-of-sale (POS) system and have payment-card readers attached. Such hosts are typically compromised when their operating system and antivirus software are not kept up to date, or when the back-end database or administration accounts use weak login credentials.

References
2020-09-25 | VISA | Visa Security Alert — "Visa Security Alert: New Malware Samples identified in Point-of-Sale Compromises" (families covered: BlackPOS, pwnpos, rtpos)
2015-12-01 | Trend Micro | Erika Mendoza, Jay Yaneza — "Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools" (families covered: Alina POS, BlackPOS, Kronos, NewPosThings)
2015-02-06 | CrowdStrike | CrowdStrike — "CrowdStrike Global Threat Intel Report 2014" (families covered: BlackPOS, CryptoLocker, Derusbi, Elise, Enfal, EvilGrab, Gameover P2P, HttpBrowser, MedusaHTTP, Mirage, Naikon, NetTraveler, pirpi, PlugX, Poison Ivy, Sakula RAT, Sinowal, sykipot, taidoor)
2014-08-29 | Trend Micro | Rhena Inocencio — "New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts" (families covered: BlackPOS)
Yara Rules
[TLP:WHITE] win_blackpos_auto (20260504 | Detects win.blackpos.)
rule win_blackpos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.blackpos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEWER NOTES (how to read and deploy this rule)
     * - Every string below is a 32-bit x86 code-byte sequence (the disassembly
     *   uses eax/ebp/esp and absolute 32-bit data addresses). Because the
     *   generator worked from memory dumps and unpacked files (see DISCLAIMER),
     *   a packed or encrypted on-disk sample will usually NOT match: apply the
     *   rule to unpacked files or to process memory, not only to raw drops.
     * - "??" bytes are wildcards. The generator masks relative call/jump targets
     *   and absolute data addresses, which change between builds and load
     *   bases. Where the disassembly column was left blank for such a line, the
     *   mnemonic hint added below is decoded from the opcode byte(s) alone
     *   (e8 = call rel32, e9 = jmp rel32, ff15 = call dword ptr [mem32],
     *   a3 = mov [mem32], eax, b8/be = mov eax/esi, imm32, ff05 = inc dword
     *   ptr [mem32], 3205 = xor al, byte ptr [mem32]).
     * - "n" is the number of instructions in the sequence; "score" is the
     *   generator's own weighting and its scale is not documented here, so do
     *   not read 100 as a confidence percentage.
     * - The condition needs 7 of the 10 sequences, which tolerates a few
     *   compiler/variant differences. The filesize bound (3293184 bytes, ~3.1
     *   MiB) presumably comes from the generator's sample set rather than from
     *   a property of the family - confirm before relying on it as a filter.
     * - Jump targets in the disassembly column (e.g. "je 0x16") are offsets
     *   relative to the start of the sequence, not virtual addresses.
     */


    strings:
        // Indexed table read followed by a bit test on a structure field;
        // what the table at 0x58c460 holds is not visible here.
        $sequence_0 = { 03048d60c45800 eb05 b8???????? f6402480 7414 e8???????? }
            // n = 6, score = 100
            //   03048d60c45800       | add                 eax, dword ptr [ecx*4 + 0x58c460]
            //   eb05                 | jmp                 7
            //   b8????????           | mov                 eax, imm32   (immediate wildcarded)
            //   f6402480             | test                byte ptr [eax + 0x24], 0x80
            //   7414                 | je                  0x16
            //   e8????????           | call                rel32        (target wildcarded)

        // Call with stack cleanup of 0x14 bytes, then a global counter increment.
        $sequence_1 = { e8???????? 83c414 ff05???????? 6a05 }
            // n = 4, score = 100
            //   e8????????           | call                rel32        (target wildcarded)
            //   83c414               | add                 esp, 0x14
            //   ff05????????         | inc                 dword ptr [mem32] (address wildcarded)
            //   6a05                 | push                5

        // ASCII digit range check ('0' = 0x30 .. '9' = 0x39) on bytes read via
        // [ecx + ebx]. A digit scan like this is consistent with card-data
        // harvesting, but that purpose is an inference, not shown here.
        $sequence_2 = { 8a0419 3c30 0f82a6030000 3c39 7610 }
            // n = 5, score = 100
            //   8a0419               | mov                 al, byte ptr [ecx + ebx]
            //   3c30                 | cmp                 al, 0x30
            //   0f82a6030000         | jb                  0x3ac
            //   3c39                 | cmp                 al, 0x39
            //   7610                 | jbe                 0x12

        // Two-argument cleanup followed by pushing eax and 1 for the next call.
        $sequence_3 = { 59 59 50 6a01 be???????? }
            // n = 5, score = 100
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   50                   | push                eax
            //   6a01                 | push                1
            //   be????????           | mov                 esi, imm32   (immediate wildcarded)

        // Passes a large local buffer (ebp - 0x530) plus esi/edi to a callee.
        $sequence_4 = { 57 8d85d0faffff 56 50 e8???????? }
            // n = 5, score = 100
            //   57                   | push                edi
            //   8d85d0faffff         | lea                 eax, [ebp - 0x530]
            //   56                   | push                esi
            //   50                   | push                eax
            //   e8????????           | call                rel32        (target wildcarded)

        // Length 0x44 (68) pushed with a stack buffer; 68 is sizeof(STARTUPINFOA)
        // on 32-bit Windows, so this may be buffer zeroing ahead of process
        // creation - an inference only, the callee is wildcarded.
        $sequence_5 = { 50 e8???????? 6a44 5e 56 8d45b8 53 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           | call                rel32        (target wildcarded)
            //   6a44                 | push                0x44
            //   5e                   | pop                 esi
            //   56                   | push                esi
            //   8d45b8               | lea                 eax, [ebp - 0x48]
            //   53                   | push                ebx

        // Loop head: copies 0x100 (256) bytes from [ebx + 0x11d] into a global
        // table at 0x41f288, one byte per iteration (eax is the counter).
        $sequence_6 = { 33c0 8945e4 3d00010000 7d10 8a8c181d010000 888888f24100 40 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   3d00010000           | cmp                 eax, 0x100
            //   7d10                 | jge                 0x12
            //   8a8c181d010000       | mov                 cl, byte ptr [eax + ebx + 0x11d]
            //   888888f24100         | mov                 byte ptr [eax + 0x41f288], cl
            //   40                   | inc                 eax

        // Result check: if the callee returns less than 5 (unsigned), eax is
        // zeroed and control jumps elsewhere.
        $sequence_7 = { 50 e8???????? 59 83f805 7307 33c0 e9???????? }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           | call                rel32        (target wildcarded)
            //   59                   | pop                 ecx
            //   83f805               | cmp                 eax, 5
            //   7307                 | jae                 9
            //   33c0                 | xor                 eax, eax
            //   e9????????           | jmp                 rel32        (target wildcarded)

        // Byte-wise loop over a global table at 0x41e3e0 (edi is the index);
        // the result is XORed with a global byte - looks like simple string
        // decoding, but that is an inference.
        $sequence_8 = { 0fb687e0e34100 50 e8???????? 3205???????? 47 }
            // n = 5, score = 100
            //   0fb687e0e34100       | movzx               eax, byte ptr [edi + 0x41e3e0]
            //   50                   | push                eax
            //   e8????????           | call                rel32        (target wildcarded)
            //   3205????????         | xor                 al, byte ptr [mem32] (address wildcarded)
            //   47                   | inc                 edi

        // Indirect (import-style) call with a single 0 argument; the return
        // value is stored to a global and tested for NULL before `leave`.
        $sequence_9 = { 6a00 ff15???????? a3???????? 85c0 7502 c9 }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   ff15????????         | call                dword ptr [mem32] (address wildcarded)
            //   a3????????           | mov                 dword ptr [mem32], eax (address wildcarded)
            //   85c0                 | test                eax, eax
            //   7502                 | jne                 4
            //   c9                   | leave               

    condition:
        // 7 of 10 sequences must be present; see REVIEWER NOTES on the size bound.
        7 of them and filesize < 3293184
}