win.blackpos

BlackPOS

aka: Kaptoxa, MMon, POSWDS, Reedum

BlackPOS infects Windows computers that have credit card readers attached and are part of a point-of-sale (POS) system. Such POS computers are easily compromised if their operating system and antivirus software are not kept up to date, or if their database systems use weak administrative login credentials.

References
2020-09-25VISAVisa Security Alert
@techreport{alert:20200925:visa:3bac371, author = {Visa Security Alert}, title = {{Visa Security Alert: New Malware Samples identified in Point-of-Sale Compromises}}, date = {2020-09-25}, institution = {VISA}, url = {https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf}, language = {English}, urldate = {2020-10-05} } Visa Security Alert: New Malware Samples identified in Point-of-Sale Compromises
BlackPOS pwnpos rtpos
2015-12-01Trend MicroJay Yaneza, Erika Mendoza
@online{yaneza:20151201:operation:718c901, author = {Jay Yaneza and Erika Mendoza}, title = {{Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools}}, date = {2015-12-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/}, language = {English}, urldate = {2020-03-19} } Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools
Alina POS BlackPOS Kronos NewPosThings
2015-02-06CrowdStrikeCrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-08-29Trend MicroRhena Inocencio
@online{inocencio:20140829:new:43a114a, author = {Rhena Inocencio}, title = {{New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts}}, date = {2014-08-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/}, language = {English}, urldate = {2020-01-10} } New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts
BlackPOS
Yara Rules
[TLP:WHITE] win_blackpos_auto (20211008 | Detects win.blackpos.)
/*
 * Auto-generated detection rule for the BlackPOS family (Malpedia id win.blackpos).
 * Each $sequence_N string is a short run of x86 instruction bytes; the
 * disassembly of every byte is listed in the comments directly below it.
 * Bytes written as ?? are wildcards that match any value; they appear on the
 * instructions whose disassembly column is left blank (calls and references
 * to absolute addresses, per the signator_config below), so the sequences
 * are not tied to one build's fixed addresses.
 * A match requires 7 of the 10 sequences plus the size bound in `condition`.
 */
rule win_blackpos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.blackpos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence: n = number of instructions, score = signator's
        // per-sequence weight. All ten currently carry the same score (100),
        // so no single sequence outweighs another in the condition.
        $sequence_0 = { 030c9d60c45800 eb02 8bca f641247f 7525 }
            // n = 5, score = 100
            //   030c9d60c45800       | add                 ecx, dword ptr [ebx*4 + 0x58c460]
            //   eb02                 | jmp                 4
            //   8bca                 | mov                 ecx, edx
            //   f641247f             | test                byte ptr [ecx + 0x24], 0x7f
            //   7525                 | jne                 0x27

        $sequence_1 = { 8d85b4feffff 68ff000000 50 e8???????? 83c424 }
            // n = 5, score = 100
            //   8d85b4feffff         | lea                 eax, dword ptr [ebp - 0x14c]
            //   68ff000000           | push                0xff
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c424               | add                 esp, 0x24

        $sequence_2 = { 50 ff15???????? 899ec0000000 899ec4000000 c786c8000000a88a4100 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   899ec0000000         | mov                 dword ptr [esi + 0xc0], ebx
            //   899ec4000000         | mov                 dword ptr [esi + 0xc4], ebx
            //   c786c8000000a88a4100     | mov    dword ptr [esi + 0xc8], 0x418aa8

        $sequence_3 = { ff15???????? 8bf8 85ff 750c 8d45dc 50 e8???????? }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   750c                 | jne                 0xe
            //   8d45dc               | lea                 eax, dword ptr [ebp - 0x24]
            //   50                   | push                eax
            //   e8????????           |                     

        // Note: $sequence_4 ends with the same four instructions that open
        // $sequence_1, so a single code location may satisfy both at once.
        $sequence_4 = { e8???????? 57 68???????? 8d85b4feffff 68ff000000 50 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   57                   | push                edi
            //   68????????           |                     
            //   8d85b4feffff         | lea                 eax, dword ptr [ebp - 0x14c]
            //   68ff000000           | push                0xff
            //   50                   | push                eax
            //   e8????????           |                     

        // Only four short, common-looking pushes and no wildcards; on its own
        // this sequence is the weakest of the set, which is why the condition
        // requires several sequences rather than any one.
        $sequence_5 = { 68e8030000 6a02 56 56 }
            // n = 4, score = 100
            //   68e8030000           | push                0x3e8
            //   6a02                 | push                2
            //   56                   | push                esi
            //   56                   | push                esi

        $sequence_6 = { 7513 8d45e0 50 e8???????? 59 53 }
            // n = 6, score = 100
            //   7513                 | jne                 0x15
            //   8d45e0               | lea                 eax, dword ptr [ebp - 0x20]
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   53                   | push                ebx

        $sequence_7 = { 53 50 889db8f8ffff e8???????? 83c430 899db0f4ffff }
            // n = 6, score = 100
            //   53                   | push                ebx
            //   50                   | push                eax
            //   889db8f8ffff         | mov                 byte ptr [ebp - 0x748], bl
            //   e8????????           |                     
            //   83c430               | add                 esp, 0x30
            //   899db0f4ffff         | mov                 dword ptr [ebp - 0xb50], ebx

        $sequence_8 = { 85f6 7426 56 8d85fcfbffff }
            // n = 4, score = 100
            //   85f6                 | test                esi, esi
            //   7426                 | je                  0x28
            //   56                   | push                esi
            //   8d85fcfbffff         | lea                 eax, dword ptr [ebp - 0x404]

        // Function prologue with a stack-cookie setup (xor eax, ebp after
        // loading a global); the global's address is wildcarded.
        $sequence_9 = { 81ecac050000 a1???????? 33c5 8945fc 56 57 6a07 }
            // n = 7, score = 100
            //   81ecac050000         | sub                 esp, 0x5ac
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   56                   | push                esi
            //   57                   | push                edi
            //   6a07                 | push                7

    condition:
        // At least 7 of the 10 sequences must be present anywhere in the
        // scanned object (order and proximity are not required), and the
        // object must be smaller than 3293184 bytes.
        // The sequences were selected from memory dumps and unpacked files
        // (see DISCLAIMER), so a packed or encrypted on-disk sample may not
        // match; apply the rule to unpacked files or to process memory.
        // NOTE(review): YARA documents `filesize` as defined only for file
        // scans — confirm how your scanner evaluates this condition when
        // scanning process memory.
        7 of them and filesize < 3293184
}