win.blackpos

BlackPOS

aka: Kaptoxa, MMon, POSWDS, Reedum

BlackPOS infects Windows computers that have credit card readers attached and are part of a point-of-sale (POS) system. Such POS computers can be easily compromised if their operating system and antivirus software are not kept up to date, or if the associated database systems use weak administrative login credentials.

References
2020-09-25 | VISA | Visa Security Alert
@techreport{alert:20200925:visa:3bac371, author = {Visa Security Alert}, title = {{Visa Security Alert: New Malware Samples identified in Point-of-Sale Compromises}}, date = {2020-09-25}, institution = {VISA}, url = {https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf}, language = {English}, urldate = {2020-10-05} } Visa Security Alert: New Malware Samples identified in Point-of-Sale Compromises
BlackPOS pwnpos rtpos
2015-12-01 | Trend Micro | Jay Yaneza, Erika Mendoza
@online{yaneza:20151201:operation:718c901, author = {Jay Yaneza and Erika Mendoza}, title = {{Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools}}, date = {2015-12-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/}, language = {English}, urldate = {2020-03-19} } Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools
Alina POS BlackPOS Kronos NewPosThings
2015-02-06 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-08-29 | Trend Micro | Rhena Inocencio
@online{inocencio:20140829:new:43a114a, author = {Rhena Inocencio}, title = {{New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts}}, date = {2014-08-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/}, language = {English}, urldate = {2020-01-10} } New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts
BlackPOS
Yara Rules
[TLP:WHITE] win_blackpos_auto (20230715 | Detects win.blackpos.)
/*
 * Autogenerated detection rule for the BlackPOS point-of-sale malware family
 * (Malpedia identifier win.blackpos; see malpedia_reference below).
 * Each $sequence_N string is a short run of x86 machine code taken from the
 * disassembly of the documented sample(s); the annotated disassembly under
 * every string is informational only and has no effect on matching.
 */
rule win_blackpos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.blackpos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the `????????` wildcards in $sequence_0, $sequence_5,
     * $sequence_7 and $sequence_9 mask the four operand bytes of the preceding
     * opcode (the disassembly column is left blank for those lines), so
     * relocated call targets and address immediates do not anchor the match.
     * The "score" annotations come from yara-signator; their scale is not
     * documented on this page.
     */

    strings:
        $sequence_0 = { 57 50 e8???????? 83c40c 56 8d85e0fdffff }
            // n = 6, score = 100
            //   57                   | push                edi
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   56                   | push                esi
            //   8d85e0fdffff         | lea                 eax, [ebp - 0x220]

        $sequence_1 = { 46 83bddcfbffff1e 0f8c44ffffff 807d2000 754a }
            // n = 5, score = 100
            //   46                   | inc                 esi
            //   83bddcfbffff1e       | cmp                 dword ptr [ebp - 0x424], 0x1e
            //   0f8c44ffffff         | jl                  0xffffff4a
            //   807d2000             | cmp                 byte ptr [ebp + 0x20], 0
            //   754a                 | jne                 0x4c

        $sequence_2 = { f7fb 85d2 740d 8bc6 c1e002 8bb070f84100 }
            // n = 6, score = 100
            //   f7fb                 | idiv                ebx
            //   85d2                 | test                edx, edx
            //   740d                 | je                  0xf
            //   8bc6                 | mov                 eax, esi
            //   c1e002               | shl                 eax, 2
            //   8bb070f84100         | mov                 esi, dword ptr [eax + 0x41f870]

        $sequence_3 = { 7444 8b4508 53 57 8b7d0c }
            // n = 5, score = 100
            //   7444                 | je                  0x46
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   53                   | push                ebx
            //   57                   | push                edi
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]

        $sequence_4 = { ffd6 85c0 759c 8b85f8fbffff 8b4dfc 5f 5e }
            // n = 7, score = 100
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   759c                 | jne                 0xffffff9e
            //   8b85f8fbffff         | mov                 eax, dword ptr [ebp - 0x408]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_5 = { c1e006 03048d60c45800 eb05 b8???????? f6402480 7414 }
            // n = 6, score = 100
            //   c1e006               | shl                 eax, 6
            //   03048d60c45800       | add                 eax, dword ptr [ecx*4 + 0x58c460]
            //   eb05                 | jmp                 7
            //   b8????????           |                     
            //   f6402480             | test                byte ptr [eax + 0x24], 0x80
            //   7414                 | je                  0x16

        $sequence_6 = { 83c40c 6bc930 8975e0 8db1a0f34100 8975e4 eb2b 8a4601 }
            // n = 7, score = 100
            //   83c40c               | add                 esp, 0xc
            //   6bc930               | imul                ecx, ecx, 0x30
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   8db1a0f34100         | lea                 esi, [ecx + 0x41f3a0]
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   eb2b                 | jmp                 0x2d
            //   8a4601               | mov                 al, byte ptr [esi + 1]

        $sequence_7 = { 7429 ffb5f4fbffff 8d85d8fbffff 50 57 e8???????? }
            // n = 6, score = 100
            //   7429                 | je                  0x2b
            //   ffb5f4fbffff         | push                dword ptr [ebp - 0x40c]
            //   8d85d8fbffff         | lea                 eax, [ebp - 0x428]
            //   50                   | push                eax
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_8 = { 85f6 7426 56 8d85fcfbffff }
            // n = 4, score = 100
            //   85f6                 | test                esi, esi
            //   7426                 | je                  0x28
            //   56                   | push                esi
            //   8d85fcfbffff         | lea                 eax, [ebp - 0x404]

        $sequence_9 = { 7517 e8???????? eb10 8d45c4 }
            // n = 4, score = 100
            //   7517                 | jne                 0x19
            //   e8????????           |                     
            //   eb10                 | jmp                 0x12
            //   8d45c4               | lea                 eax, [ebp - 0x3c]

    condition:
        // Fires when at least 7 of the 10 code sequences above are present
        // and the scanned object is smaller than 3293184 bytes (~3.1 MiB).
        // NOTE(review): `filesize` is only meaningful when scanning a file;
        // the disclaimer says the strings were taken from memory dumps and
        // unpacked files, so confirm the size bound suits the intended scan
        // targets (e.g. process memory or packed on-disk samples).
        7 of them and filesize < 3293184
}