win.blackpos

BlackPOS

aka: Kaptoxa, MMon, POSWDS, Reedum

BlackPOS infects Windows computers that have credit card readers attached and are part of a point-of-sale (POS) system. Such POS computers are easily infected if their operating systems and antivirus programs are not kept up to date to prevent security breaches, or if the computer database systems use weak administrator login credentials.

References
2020-09-25 | VISA | Visa Security Alert
@techreport{alert:20200925:visa:3bac371, author = {Visa Security Alert}, title = {{Visa Security Alert: New Malware Samples identified in Point-of-Sale Compromises}}, date = {2020-09-25}, institution = {VISA}, url = {https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf}, language = {English}, urldate = {2020-10-05} } Visa Security Alert: New Malware Samples identified in Point-of-Sale Compromises
BlackPOS pwnpos rtpos
2015-12-01 | Trend Micro | Jay Yaneza, Erika Mendoza
@online{yaneza:20151201:operation:718c901, author = {Jay Yaneza and Erika Mendoza}, title = {{Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools}}, date = {2015-12-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/}, language = {English}, urldate = {2020-03-19} } Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools
Alina POS BlackPOS Kronos NewPosThings
2015-02-06 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-08-29 | Trend Micro | Rhena Inocencio
@online{inocencio:20140829:new:43a114a, author = {Rhena Inocencio}, title = {{New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts}}, date = {2014-08-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/}, language = {English}, urldate = {2020-01-10} } New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts
BlackPOS
Yara Rules
[TLP:WHITE] win_blackpos_auto (20210616 | Detects win.blackpos.)
rule win_blackpos_auto {

    /* Auto-generated code-sequence rule for the BlackPOS point-of-sale
     * malware family (Malpedia id win.blackpos). It matches on short x86
     * instruction byte runs taken from unpacked files and memory dumps
     * (see the disclaimer below), not on strings or imports, so it is
     * intended for unpacked samples and memory images; a packed on-disk
     * sample will likely not match until it is unpacked or dumped. */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.blackpos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a run of raw opcode bytes; the disassembly listed
     * beneath it is informational only. "??" bytes are YARA wildcards,
     * used where the generator blanked a relocatable operand (the
     * mov [disp32] and call rel32 in $sequence_6, the call in $sequence_9),
     * which is why those disassembly lines are empty. Several sequences
     * still embed absolute addresses (0x407cd0 in $sequence_4, 0x419d50 and
     * 0x419d70 in $sequence_8); those tie the pattern to one build and
     * image base, so a rebuilt or relocated sample may only hit the
     * position-independent sequences. */
    strings:
        $sequence_0 = { 8bd8 c1eb03 53 894608 }
            // n = 4, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   c1eb03               | shr                 ebx, 3
            //   53                   | push                ebx
            //   894608               | mov                 dword ptr [esi + 8], eax

        $sequence_1 = { ab ab ab ab 66ab 6a01 aa }
            // n = 7, score = 100
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   6a01                 | push                1
            //   aa                   | stosb               byte ptr es:[edi], al

        $sequence_2 = { 8bc8 83e905 7479 81e91b040000 }
            // n = 4, score = 100
            //   8bc8                 | mov                 ecx, eax
            //   83e905               | sub                 ecx, 5
            //   7479                 | je                  0x7b
            //   81e91b040000         | sub                 ecx, 0x41b

        $sequence_3 = { 8bf3 899dc8fbffff 8985d4fbffff 8d46e2 }
            // n = 4, score = 100
            //   8bf3                 | mov                 esi, ebx
            //   899dc8fbffff         | mov                 dword ptr [ebp - 0x438], ebx
            //   8985d4fbffff         | mov                 dword ptr [ebp - 0x42c], eax
            //   8d46e2               | lea                 eax, dword ptr [esi - 0x1e]

        $sequence_4 = { ff2495d07c4000 8bc7 ba03000000 83e904 720c }
            // n = 5, score = 100
            //   ff2495d07c4000       | jmp                 dword ptr [edx*4 + 0x407cd0]
            //   8bc7                 | mov                 eax, edi
            //   ba03000000           | mov                 edx, 3
            //   83e904               | sub                 ecx, 4
            //   720c                 | jb                  0xe

        $sequence_5 = { 7e37 8db43de4fbffff 803e00 7522 }
            // n = 4, score = 100
            //   7e37                 | jle                 0x39
            //   8db43de4fbffff       | lea                 esi, dword ptr [ebp + edi - 0x41c]
            //   803e00               | cmp                 byte ptr [esi], 0
            //   7522                 | jne                 0x24

        $sequence_6 = { 50 6802020000 891d???????? e8???????? 8d85e0f7ffff }
            // n = 5, score = 100
            //   50                   | push                eax
            //   6802020000           | push                0x202
            //   891d????????         |                     
            //   e8????????           |                     
            //   8d85e0f7ffff         | lea                 eax, dword ptr [ebp - 0x820]

        $sequence_7 = { 5f 3bc7 7d3d 8d3418 2bf8 }
            // n = 5, score = 100
            //   5f                   | pop                 edi
            //   3bc7                 | cmp                 eax, edi
            //   7d3d                 | jge                 0x3f
            //   8d3418               | lea                 esi, dword ptr [eax + ebx]
            //   2bf8                 | sub                 edi, eax

        $sequence_8 = { 0fbe80509d4100 83e00f eb02 33c0 0fbe84c1709d4100 6a07 c1f804 }
            // n = 7, score = 100
            //   0fbe80509d4100       | movsx               eax, byte ptr [eax + 0x419d50]
            //   83e00f               | and                 eax, 0xf
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   0fbe84c1709d4100     | movsx               eax, byte ptr [ecx + eax*8 + 0x419d70]
            //   6a07                 | push                7
            //   c1f804               | sar                 eax, 4

        $sequence_9 = { 50 e8???????? 59 59 85c0 0f84a0020000 8d85fcf7ffff }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   0f84a0020000         | je                  0x2a6
            //   8d85fcf7ffff         | lea                 eax, dword ptr [ebp - 0x804]

    /* Fires when at least 7 of the 10 sequences are present and the scanned
     * object is under 3293184 bytes (about 3.1 MiB). The size ceiling is
     * presumably a scan-cost / false-positive guard; note it also means a
     * large full-process memory dump containing this code will not match
     * unless the relevant region is carved out first. Given the
     * single-sample origin noted in the disclaimer, treat a hit as a lead
     * for analyst review rather than a conviction on its own. */
    condition:
        7 of them and filesize < 3293184
}