win.blackpos

BlackPOS

aka: Kaptoxa, MMon, POSWDS, Reedum

BlackPOS infects Windows computers that have credit card readers attached and are part of a point-of-sale (POS) system. POS computers are easily infected if their operating system and antivirus software are not kept up to date, or if the computers' database systems have weak administrative login credentials.

References
2020-09-25VISAVisa Security Alert
@techreport{alert:20200925:visa:3bac371, author = {Visa Security Alert}, title = {{Visa Security Alert: New Malware Samples identified in Point-of-Sale Compromises}}, date = {2020-09-25}, institution = {VISA}, url = {https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf}, language = {English}, urldate = {2020-10-05} } Visa Security Alert: New Malware Samples identified in Point-of-Sale Compromises
BlackPOS pwnpos rtpos
2015-12-01Trend MicroJay Yaneza, Erika Mendoza
@online{yaneza:20151201:operation:718c901, author = {Jay Yaneza and Erika Mendoza}, title = {{Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools}}, date = {2015-12-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/}, language = {English}, urldate = {2020-03-19} } Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools
Alina POS BlackPOS Kronos NewPosThings
2015-02-06CrowdStrikeCrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-08-29Trend MicroRhena Inocencio
@online{inocencio:20140829:new:43a114a, author = {Rhena Inocencio}, title = {{New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts}}, date = {2014-08-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/}, language = {English}, urldate = {2020-01-10} } New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts
BlackPOS
Yara Rules
[TLP:WHITE] win_blackpos_auto (20220516 | Detects win.blackpos.)
// Auto-generated detection signature for BlackPOS (Malpedia id win.blackpos).
// The meta section records the generator and source sample metadata; the
// DISCLAIMER below explains how the byte sequences were selected.
rule win_blackpos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.blackpos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* How to read the strings section:
     * - Each $sequence_N is a hex pattern of consecutive 32-bit x86 instruction
     *   bytes; the comment lines under it list one instruction per line as
     *   "bytes | mnemonic operands".
     * - "??" bytes are YARA wildcards. Consistent with the signator_config
     *   above ("callsandjumps;datarefs;binvalue"), they stand where an operand
     *   is a call/jump target or a data reference (e.g. the rel32 of an e8 call
     *   or the absolute pointer of an ff15 call), so those operands are not
     *   matched literally.
     * - "n" is the number of instructions in the sequence (it matches the
     *   listed lines); "score" is the generator's ranking value for the
     *   sequence (presumably from yara-signator; its semantics are not defined
     *   in this rule).
     * - Several sequences embed absolute addresses (e.g. 0x41f8b0, 0x41f180,
     *   0x41ad08, 0x41e3e0) as literal bytes, which ties them to the analysed
     *   sample's image layout; a rebased or relinked build may not match those
     *   particular sequences.
     */

    strings:
        $sequence_0 = { 8d85b9f4ffff 53 50 8975b8 889db8f4ffff e8???????? 8d85b8f4ffff }
            // n = 7, score = 100
            //   8d85b9f4ffff         | lea                 eax, [ebp - 0xb47]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   8975b8               | mov                 dword ptr [ebp - 0x48], esi
            //   889db8f4ffff         | mov                 byte ptr [ebp - 0xb48], bl
            //   e8????????           |                     
            //   8d85b8f4ffff         | lea                 eax, [ebp - 0xb48]

        $sequence_1 = { c3 8bff 56 57 33ff ffb7b0f84100 ff15???????? }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi
            //   56                   | push                esi
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   ffb7b0f84100         | push                dword ptr [edi + 0x41f8b0]
            //   ff15????????         |                     

        $sequence_2 = { ebe8 33c0 8945e4 3d01010000 7d0d 8a4c181c 888880f14100 }
            // n = 7, score = 100
            //   ebe8                 | jmp                 0xffffffea
            //   33c0                 | xor                 eax, eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   3d01010000           | cmp                 eax, 0x101
            //   7d0d                 | jge                 0xf
            //   8a4c181c             | mov                 cl, byte ptr [eax + ebx + 0x1c]
            //   888880f14100         | mov                 byte ptr [eax + 0x41f180], cl

        $sequence_3 = { 5e 5b 8bc2 f7d8 1bc0 33cd }
            // n = 6, score = 100
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8bc2                 | mov                 eax, edx
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   33cd                 | xor                 ecx, ebp

        $sequence_4 = { 33ff 0fb605???????? 50 0fb687e0e34100 50 e8???????? }
            // n = 6, score = 100
            //   33ff                 | xor                 edi, edi
            //   0fb605????????       |                     
            //   50                   | push                eax
            //   0fb687e0e34100       | movzx               eax, byte ptr [edi + 0x41e3e0]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_5 = { 8bff 55 8bec 33c0 668b4d08 663b8808ad4100 740d }
            // n = 7, score = 100
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   33c0                 | xor                 eax, eax
            //   668b4d08             | mov                 cx, word ptr [ebp + 8]
            //   663b8808ad4100       | cmp                 cx, word ptr [eax + 0x41ad08]
            //   740d                 | je                  0xf

        $sequence_6 = { 68fe000000 8bf8 8d85b5feffff 53 }
            // n = 4, score = 100
            //   68fe000000           | push                0xfe
            //   8bf8                 | mov                 edi, eax
            //   8d85b5feffff         | lea                 eax, [ebp - 0x14b]
            //   53                   | push                ebx

        $sequence_7 = { 83c40c 85c0 754e 85db 754c 6a0e }
            // n = 6, score = 100
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   754e                 | jne                 0x50
            //   85db                 | test                ebx, ebx
            //   754c                 | jne                 0x4e
            //   6a0e                 | push                0xe

        $sequence_8 = { 8d8588f4ffff 53 50 e8???????? 6a44 }
            // n = 5, score = 100
            //   8d8588f4ffff         | lea                 eax, [ebp - 0xb78]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a44                 | push                0x44

        $sequence_9 = { 7522 8d041f 6a01 8d8405e5fbffff }
            // n = 4, score = 100
            //   7522                 | jne                 0x24
            //   8d041f               | lea                 eax, [edi + ebx]
            //   6a01                 | push                1
            //   8d8405e5fbffff       | lea                 eax, [ebp + eax - 0x41b]

    // Matches when at least 7 of the 10 sequences above are present and the
    // scanned object is smaller than 3293184 bytes (~3.1 MiB). The size bound
    // is a false-positive limiter for file scans; NOTE(review): filesize is
    // only meaningful for on-disk/file scans — confirm how the YARA version in
    // use evaluates it before relying on this rule for process-memory scans.
    condition:
        7 of them and filesize < 3293184
}