win.blackpos

BlackPOS

aka: Kaptoxa, MMon, POSWDS, Reedum

BlackPOS infects Windows computers that have credit card readers attached and are part of a point-of-sale (POS) system. Such computers are easy to infect if their operating system and antivirus software are not kept up to date, or if their database systems use weak administrative login credentials.

References
2020-09-25VISAVisa Security Alert
@techreport{alert:20200925:visa:3bac371, author = {Visa Security Alert}, title = {{Visa Security Alert: New Malware Samples identified in Point-of-Sale Compromises}}, date = {2020-09-25}, institution = {VISA}, url = {https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf}, language = {English}, urldate = {2020-10-05} } Visa Security Alert: New Malware Samples identified in Point-of-Sale Compromises
BlackPOS pwnpos rtpos
2015-12-01Trend MicroJay Yaneza, Erika Mendoza
@online{yaneza:20151201:operation:718c901, author = {Jay Yaneza and Erika Mendoza}, title = {{Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools}}, date = {2015-12-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/}, language = {English}, urldate = {2020-03-19} } Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools
Alina POS BlackPOS Kronos NewPosThings
2015-02-06CrowdStrikeCrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-08-29Trend MicroRhena Inocencio
@online{inocencio:20140829:new:43a114a, author = {Rhena Inocencio}, title = {{New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts}}, date = {2014-08-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/}, language = {English}, urldate = {2020-01-10} } New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts
BlackPOS
Yara Rules
[TLP:WHITE] win_blackpos_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_blackpos_auto {
    // Auto-generated code-pattern rule for the BlackPOS point-of-sale malware
    // family (Malpedia id win.blackpos). It carries ten x86 instruction byte
    // sequences ($sequence_0 .. $sequence_9) lifted from disassembly and
    // fires when at least 7 of them occur in a file below the size bound
    // given in the condition.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator settings; presumably the feature classes considered when
        // selecting the sequences below (calls/jumps, data refs, byte values).
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos"
        // malpedia_rule_date is the generation date of this rule;
        // malpedia_version is the Malpedia dataset snapshot it was built from.
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading the strings section:
     * Each $sequence_N is a hex pattern of consecutive x86 instruction bytes.
     * The annotation beneath it gives n (the number of instructions in the
     * pattern) and the generator's score, followed by one line per
     * instruction with its disassembly.
     * "??" is a YARA wildcard byte. The operands of e8 (call rel32),
     * ff15 (call [imm32]) and bf (mov edi, imm32) are left open in the
     * sequences below, presumably so the pattern does not depend on a
     * fixed call target or load address.
     * NOTE(review): the sequences come from unpacked code and memory dumps
     * (see DISCLAIMER), so a packed on-disk sample may not match until it
     * is unpacked or dumped from memory.
     */

    strings:
        // Index scaled by 0x2a (42): looks like a 42-byte record stride - confirm against the sample.
        $sequence_0 = { 6bc02a 6a14 8d4dbc 51 03c6 50 }
            // n = 6, score = 100
            //   6bc02a               | imul                eax, eax, 0x2a
            //   6a14                 | push                0x14
            //   8d4dbc               | lea                 ecx, [ebp - 0x44]
            //   51                   | push                ecx
            //   03c6                 | add                 eax, esi
            //   50                   | push                eax

        // Shares its first two instructions (6a0f 8d45e4) with $sequence_4, so
        // both may hit the same code site and are not fully independent evidence.
        $sequence_1 = { 6a0f 8d45e4 57 50 e8???????? }
            // n = 5, score = 100
            //   6a0f                 | push                0xf
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   57                   | push                edi
            //   50                   | push                eax
            //   e8????????           |                     

        // ASCII digit range check: branch if al < '0' (0x30), continue if al <= '9' (0x39).
        $sequence_2 = { 8a0419 3c30 0f82a6030000 3c39 7610 }
            // n = 5, score = 100
            //   8a0419               | mov                 al, byte ptr [ecx + ebx]
            //   3c30                 | cmp                 al, 0x30
            //   0f82a6030000         | jb                  0x3ac
            //   3c39                 | cmp                 al, 0x39
            //   7610                 | jbe                 0x12

        $sequence_3 = { 6a00 50 e8???????? 83c41c 85db 7e25 6a04 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c
            //   85db                 | test                ebx, ebx
            //   7e25                 | jle                 0x27
            //   6a04                 | push                4

        // Overlaps with $sequence_1 (see note there).
        $sequence_4 = { 7550 85db 754c 6a0f 8d45e4 }
            // n = 5, score = 100
            //   7550                 | jne                 0x52
            //   85db                 | test                ebx, ebx
            //   754c                 | jne                 0x4e
            //   6a0f                 | push                0xf
            //   8d45e4               | lea                 eax, [ebp - 0x1c]

        // Byte compare against a large stack buffer (ebp - 0x20003, i.e. more than 128 KiB below the frame).
        $sequence_5 = { 730d 84db 7509 389c3dfdfffdff 744f }
            // n = 5, score = 100
            //   730d                 | jae                 0xf
            //   84db                 | test                bl, bl
            //   7509                 | jne                 0xb
            //   389c3dfdfffdff       | cmp                 byte ptr [ebp + edi - 0x20003], bl
            //   744f                 | je                  0x51

        // Indexes an 8-byte-entry table at 0x41ee40 (absolute address, so this
        // sequence is tied to the sample's image base); 0xfa0 = 4000 decimal.
        $sequence_6 = { bf???????? 833cf544ee410001 751d 8d04f540ee4100 8938 68a00f0000 ff30 }
            // n = 7, score = 100
            //   bf????????           |                     
            //   833cf544ee410001     | cmp                 dword ptr [esi*8 + 0x41ee44], 1
            //   751d                 | jne                 0x1f
            //   8d04f540ee4100       | lea                 eax, [esi*8 + 0x41ee40]
            //   8938                 | mov                 dword ptr [eax], edi
            //   68a00f0000           | push                0xfa0
            //   ff30                 | push                dword ptr [eax]

        // NOTE(review): fd >> 5, (fd & 0x1f) << 6, then a table lookup at a fixed
        // address looks like MSVC CRT file-handle (ioinfo) indexing rather than
        // family-specific code - if so, it adds little specificity; confirm before
        // weighting this sequence.
        $sequence_7 = { 8bc7 c1f805 83e71f c1e706 8b048560c45800 }
            // n = 5, score = 100
            //   8bc7                 | mov                 eax, edi
            //   c1f805               | sar                 eax, 5
            //   83e71f               | and                 edi, 0x1f
            //   c1e706               | shl                 edi, 6
            //   8b048560c45800       | mov                 eax, dword ptr [eax*4 + 0x58c460]

        // 256-iteration byte copy loop: [ebx + 0x11d + i] -> [0x41f288 + i] for i in 0..0xff.
        $sequence_8 = { 33c0 8945e4 3d00010000 7d10 8a8c181d010000 888888f24100 40 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   3d00010000           | cmp                 eax, 0x100
            //   7d10                 | jge                 0x12
            //   8a8c181d010000       | mov                 cl, byte ptr [eax + ebx + 0x11d]
            //   888888f24100         | mov                 byte ptr [eax + 0x41f288], cl
            //   40                   | inc                 eax

        // Three-argument indirect call (ff15 = call through an import-style pointer) followed by a return-value check.
        $sequence_9 = { 50 56 53 ff15???????? 85c0 750b ff75e8 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   56                   | push                esi
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750b                 | jne                 0xd
            //   ff75e8               | push                dword ptr [ebp - 0x18]

    condition:
        // At least 7 of the 10 sequences must be present, which tolerates a few
        // sequences being absent or altered between builds. The size cap
        // (3293184 bytes, about 3.1 MiB) bounds scan cost and excludes large
        // files that merely embed some of these sequences; it was presumably
        // derived from the reference sample(s) - revisit if larger variants appear.
        7 of them and filesize < 3293184
}