win.blackpos

BlackPOS

aka: Kaptoxa, MMon, POSWDS, Reedum

BlackPOS infects Windows computers that have credit card readers attached and are part of a point-of-sale (POS) system. Such POS machines are easy to compromise when their operating system and antivirus software are not kept up to date, or when the associated database systems are protected only by weak administrative login credentials.

References
2020-09-25 — VISA — Visa Security Alert
Visa Security Alert: New Malware Samples identified in Point-of-Sale Compromises
BlackPOS pwnpos rtpos
2015-12-01 — Trend Micro — Erika Mendoza, Jay Yaneza
Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools
Alina POS BlackPOS Kronos NewPosThings
2015-02-06 — CrowdStrike — CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-08-29 — Trend Micro — Rhena Inocencio
New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts
BlackPOS
Yara Rules
[TLP:WHITE] win_blackpos_auto (20230808 | Detects win.blackpos.)
// Autogenerated YARA-Signator rule for BlackPOS (Malpedia family win.blackpos).
// It matches short x86 code-byte sequences lifted from the disassembly of
// unpacked files and memory dumps (see the disclaimer below), not strings
// or behaviour. Bytes written as "??" are wildcards: they stand in for
// operands that vary between builds/relocations, e.g. the rel32 target of
// "e8" (call) / "e9" (jmp) and the imm32 of "68" (push) / "be" (mov esi).
rule win_blackpos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.blackpos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): because the sequences were derived from unpacked code, the
    // rule is expected to fire on unpacked samples and memory dumps; a packed
    // or otherwise obfuscated on-disk sample would presumably not match.
    // Confirm against your own sample set before assigning confidence.

    strings:
        // "score" in the comments below is the yara-signator discrimination
        // score for the sequence within the Malpedia corpus; "n" is the number
        // of instructions in the sequence.
        $sequence_0 = { e9???????? b800000200 3bf8 7602 8bf8 8d85f4fffdff }
            // n = 6, score = 100
            //   e9????????           |                     
            //   b800000200           | mov                 eax, 0x20000
            //   3bf8                 | cmp                 edi, eax
            //   7602                 | jbe                 4
            //   8bf8                 | mov                 edi, eax
            //   8d85f4fffdff         | lea                 eax, [ebp - 0x2000c]
            // Clamps edi to at most 0x20000 and then takes the address of a
            // large (~0x20000-byte) stack buffer at [ebp - 0x2000c].

        $sequence_1 = { 3bca 7408 47 83ff44 72ef eb08 }
            // n = 6, score = 100
            //   3bca                 | cmp                 ecx, edx
            //   7408                 | je                  0xa
            //   47                   | inc                 edi
            //   83ff44               | cmp                 edi, 0x44
            //   72ef                 | jb                  0xfffffff1
            //   eb08                 | jmp                 0xa
            // Loop tail: edi counts up to 0x44 (68) iterations unless ecx == edx.

        $sequence_2 = { 83c414 85c0 7433 e8???????? 85c0 }
            // n = 5, score = 100
            //   83c414               | add                 esp, 0x14
            //   85c0                 | test                eax, eax
            //   7433                 | je                  0x35
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            // Result checks after two consecutive cdecl calls (stack cleanup
            // of 0x14 bytes = five dword arguments).

        $sequence_3 = { 8d4dbc 51 03c6 50 e8???????? }
            // n = 5, score = 100
            //   8d4dbc               | lea                 ecx, [ebp - 0x44]
            //   51                   | push                ecx
            //   03c6                 | add                 eax, esi
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_4 = { 3bfb 0f84f8000000 68ff030000 8d85fdfbffff 53 50 }
            // n = 6, score = 100
            //   3bfb                 | cmp                 edi, ebx
            //   0f84f8000000         | je                  0xfe
            //   68ff030000           | push                0x3ff
            //   8d85fdfbffff         | lea                 eax, [ebp - 0x403]
            //   53                   | push                ebx
            //   50                   | push                eax
            // Pushes (buffer, ebx, 0x3ff): a 0x3ff-byte length paired with a
            // 0x403-byte stack buffer — presumably a bounded copy/format call;
            // the callee is outside this sequence.

        $sequence_5 = { f7f9 8b4dfc 5f 5e 5b 8bc2 }
            // n = 6, score = 100
            //   f7f9                 | idiv                ecx
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8bc2                 | mov                 eax, edx
            // Function epilogue returning the remainder of idiv (edx) — a fairly
            // generic compiler idiom; its value here comes from co-occurrence
            // with the other sequences under the "7 of them" threshold.

        $sequence_6 = { 8b8040f84100 3bf0 7e44 83ee07 eb3f 2503000080 7905 }
            // n = 7, score = 100
            //   8b8040f84100         | mov                 eax, dword ptr [eax + 0x41f840]
            //   3bf0                 | cmp                 esi, eax
            //   7e44                 | jle                 0x46
            //   83ee07               | sub                 esi, 7
            //   eb3f                 | jmp                 0x41
            //   2503000000           | and                 eax, 0x80000003
            //   7905                 | jns                 7
            // NOTE(review): the first instruction embeds the absolute address
            // 0x41f840 (not wildcarded), so this sequence is tied to the image
            // base/layout of the sample it was generated from; a rebased or
            // recompiled build would likely miss it. The "and eax, 0x80000003 /
            // jns" pair is the usual signed modulo-4 fix-up.

        $sequence_7 = { 3bf7 7513 8d45e0 50 e8???????? 59 }
            // n = 6, score = 100
            //   3bf7                 | cmp                 esi, edi
            //   7513                 | jne                 0x15
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            // Single-argument cdecl call (stack cleaned with "pop ecx").

        $sequence_8 = { 6a07 59 6804010000 be???????? }
            // n = 4, score = 100
            //   6a07                 | push                7
            //   59                   | pop                 ecx
            //   6804010000           | push                0x104
            //   be????????           |                     
            // 0x104 = 260 = MAX_PATH; likely a path-buffer size argument, with
            // the wildcarded "mov esi, imm32" loading a data address — confirm
            // against the sample.

        $sequence_9 = { e8???????? 83c40c 85c0 7414 6a01 68???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   7414                 | je                  0x16
            //   6a01                 | push                1
            //   68????????           |                     
            // Three-argument call, result check, then a new call set up with
            // (imm32, 1) as the first pushed arguments.

    condition:
        // At least 7 of the 10 code sequences must be present, and the scanned
        // object must be under 3293184 bytes (~3.14 MiB).
        // NOTE(review): "filesize" is only defined for file scans; verify how
        // this condition behaves for your process-memory scanning setup, since
        // the sequences themselves were derived from memory dumps.
        7 of them and filesize < 3293184
}