win.blackpos

BlackPOS

aka: Kaptoxa, MMon, POSWDS, Reedum

BlackPOS targets Windows hosts that have payment card readers attached and form part of a point-of-sale (POS) system. Such hosts are more easily compromised when they run outdated operating systems or antivirus software, or when the back-end database systems are protected by weak administrative login credentials.

References
2020-09-25 | VISA | Visa Security Alert
@techreport{alert:20200925:visa:3bac371, author = {Visa Security Alert}, title = {{Visa Security Alert: New Malware Samples identified in Point-of-Sale Compromises}}, date = {2020-09-25}, institution = {VISA}, url = {https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf}, language = {English}, urldate = {2020-10-05} } Visa Security Alert: New Malware Samples identified in Point-of-Sale Compromises
BlackPOS pwnpos rtpos
2015-12-01 | Trend Micro | Jay Yaneza, Erika Mendoza
@online{yaneza:20151201:operation:718c901, author = {Jay Yaneza and Erika Mendoza}, title = {{Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools}}, date = {2015-12-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/}, language = {English}, urldate = {2020-03-19} } Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools
Alina POS BlackPOS Kronos NewPosThings
2015-02-06 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-08-29 | Trend Micro | Rhena Inocencio
@online{inocencio:20140829:new:43a114a, author = {Rhena Inocencio}, title = {{New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts}}, date = {2014-08-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/}, language = {English}, urldate = {2020-01-10} } New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts
BlackPOS
Yara Rules
[TLP:WHITE] win_blackpos_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_blackpos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * Provenance and caveats (read before deploying):
     *  - Every hex pattern below was selected automatically by YARA-Signator
     *    (https://github.com/fxb-cocacoding/yara-signator) from the
     *    disassembly of memory dumps and unpacked files. The patterns
     *    therefore describe unpacked code; packed on-disk samples are not
     *    expected to match.
     *  - Malpedia is the training corpus and, for a number of families,
     *    holds only a single sample, so how well the rule generalises to
     *    other BlackPOS builds is unknown. Treat a hit as a lead to confirm,
     *    not as attribution on its own, and assign confidence accordingly.
     *  - "??" bytes mask operands that change between builds or on
     *    relocation (call targets, absolute data addresses).
     */

    strings:
        // 6 instructions, score 100
        //   push 3 ; pop eax ; push 0xbb8 ; push 1 ; xor ecx, ecx ; push ecx
        $code_a = { 6A 03 58 68 B8 0B 00 00 6A 01 33 C9 51 }

        // 7 instructions, score 100
        //   jmp 0xb ; mov eax, [ebp+0xc] ; mov eax, [eax+0x41f840] ;
        //   cmp esi, eax ; jle 0x46 ; sub esi, 7 ; jmp 0x41
        $code_b = { EB 09 8B 45 0C 8B 80 40 F8 41 00 3B F0 7E 44 83 EE 07 EB 3F }

        // 6 instructions, score 100
        //   and eax, 0xf ; jmp 4 ; xor eax, eax ;
        //   movsx eax, byte ptr [ecx+eax*8+0x419d70] ; push 7 ; sar eax, 4
        $code_c = { 83 E0 0F EB 02 33 C0 0F BE 84 C1 70 9D 41 00 6A 07 C1 F8 04 }

        // 6 instructions, score 100
        //   mov [ebp-0x260], eax ; cmp eax, ecx ; ja 0x9d1 ;
        //   jmp dword ptr [eax*4+0x40e2f5] ; or dword ptr [ebp-0x218], -1 ;
        //   mov [ebp-0x26c], esi
        $code_d = { 89 85 A0 FD FF FF 3B C1 0F 87 CB 09 00 00 FF 24 85 F5 E2 40 00 83 8D E8 FD FF FF FF 89 B5 94 FD FF FF }

        // 5 instructions, score 100
        //   jbe 0x2c ; push esi ; call <masked rel32> ;
        //   lea eax, [eax*2+0x58bac4] ; mov ecx, eax
        $code_e = { 76 2A 56 E8 ?? ?? ?? ?? 8D 04 45 C4 BA 58 00 8B C8 }

        // 6 instructions, score 100
        //   call <masked rel32> ; lea eax, [ebp-0x348] ; push eax ;
        //   call <masked rel32> ; add esp, 0x28 ; cmp eax, dword ptr [<masked>]
        $code_f = { E8 ?? ?? ?? ?? 8D 85 B8 FC FF FF 50 E8 ?? ?? ?? ?? 83 C4 28 3B 05 ?? ?? ?? ?? }

        // 7 instructions, score 100
        //   lea eax, [ebp-0x1c] ; push edi ; push eax ; call <masked rel32> ;
        //   lea eax, [ebp-0x1c] ; push eax ; call <masked rel32>
        $code_g = { 8D 45 E4 57 50 E8 ?? ?? ?? ?? 8D 45 E4 50 E8 ?? ?? ?? ?? }

        // 7 instructions, score 100
        //   mov eax, [ebp+8] ; push ebx ; push edi ; mov edi, [ebp+0xc] ;
        //   mov [esi], eax ; mov eax, [edi] ; mov [esi+4], eax
        $code_h = { 8B 45 08 53 57 8B 7D 0C 89 06 8B 07 89 46 04 }

        // 7 instructions, score 100
        //   mov ecx, eax ; and eax, 0x1f ; sar ecx, 5 ; shl eax, 6 ;
        //   add eax, dword ptr [ecx*4+0x58c460] ; jmp 4 ; mov eax, edx
        $code_i = { 8B C8 83 E0 1F C1 F9 05 C1 E0 06 03 04 8D 60 C4 58 00 EB 02 8B C2 }

        // 6 instructions, score 100
        //   push 0 ; call dword ptr [<masked>] ; mov dword ptr [<masked>], eax ;
        //   test eax, eax ; jne 4 ; leave
        $code_j = { 6A 00 FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 85 C0 75 02 C9 }

    condition:
        // 3216KB == 3293184 bytes; at least 7 of the 10 code fragments must be present.
        7 of ($code_*) and filesize < 3216KB
}