Exclusive -Details on Investigation of Group-IB on new age of POS malware

Pierluigi Paganini March 28, 2013

New age of POS malware – cash points are in the hackers’ interest, major US banks are compromised.

UPDATE January 17th, 2014

I want to reveal the identity of the person who conducted the analysis on the BlackPOS agent, giving me significant support in the preparation of this post. Andrey Komarov, IntelCrawler’s CEO, arranged the investigation on BlackPOS in March 2013, when he was working at another forensics company. Since then, the first group using BlackPOS has been identified, as well as the author, a 17-year-old teen from St. Petersburg.

BREAKING NEWS – BlackPOS malware – IntelCrawler has identified the author

According to statistics from Group-IB, one of the leading security and computer forensics companies, modern cybercriminals have started to use malware built specifically for ATMs and POS terminals in targeted attacks.

Most of these attacks are organized with the help of insiders, i.e. staff who have local access to the POS terminal to maintain or update its software. Only a few infections were attributed to targeted remote attacks: POS terminals running Windows XP / Windows Embedded with RDP or VNC access exposed, or vulnerabilities in ATM networks connected to the banks’ VPN channels or over GSM/GPRS links.

Previously, McAfee security researcher Chintan Shah had notified the banking community about vSkimmer, a Trojan designed to infect Windows-based computers that have payment card readers attached.

At the end of 2012, the Israel-based company Seculert reported on the Dexter malware, which parses memory dumps of specific POS software processes looking for Track 1 / Track 2 credit card data.

Several days ago, Group-IB found a new type of POS malware, «DUMP MEMORY GRABBER by Ree[4]», written in pure C++ without any additional libraries. It supports all Microsoft Windows versions, including x64, and uses mmon.exe to scan RAM for track data and credit card numbers.

Pic. 1 – the malware has its own filtering logic to discard third-party data, so that the POS malware logs contain only compromised credit card data
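The scanning and filtering described above, in code form. This is an added example written for this post, not Group-IB’s analysis tooling or the malware’s own code: it sweeps a byte buffer for Track 1 / Track 2 magstripe records and keeps only those whose PAN passes the Luhn check, which is the kind of filter that lets a RAM scraper (or a defender’s memory-dump triage script) log real card data and drop everything else. The buffer is constructed sample data and the PANs are industry test numbers.

```python
"""Track 1 / Track 2 scanner with Luhn filtering (added example, constructed data)."""
import re
from typing import Dict, List

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; the cheap filter that separates card numbers from junk."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_buffer(buf: bytes) -> List[Dict[str, str]]:
    """Return only records whose PAN passes Luhn; everything else is discarded."""
    hits: List[Dict[str, str]] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": "1", "pan": pan,
                         "name": m.group(2).decode(), "exp": m.group(3).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": "2", "pan": pan, "exp": m.group(2).decode()})
    return hits


def mask(pan: str) -> str:
    """Keep BIN and last four for reporting; never write full PANs to a triage log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed process-memory snippet: two valid test PANs, two Luhn failures, padding.
SAMPLE = (
    b"\x00\x00POS v2.1 transaction log\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000?"   # valid test PAN (Track 1)
    b"\x00garbage;1234567890123456=2512101?\x00"        # fails Luhn -> dropped
    b";5555555555554444=26011010000?\x00"               # valid test PAN (Track 2)
    b"%B4111111111111112^SMITH/JANE^2512101?"           # fails Luhn -> dropped
)

if __name__ == "__main__":
    for h in scan_buffer(SAMPLE):
        print(h["track"], mask(h["pan"]), h["exp"], h.get("name", ""))
```

Run against a real memory dump the same two regexes and the Luhn filter are what you would expect a scraper to carry, so the regex bytes themselves (`%B`, `^`, `;`, `=`, `?` patterns near a Luhn routine) are a reasonable thing to hunt for in suspicious binaries on a POS host.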

According to the author’s description, the malware adds itself to autorun and scans with a default timeout of 3 hours. The log with the intercepted dumps is transferred through an FTP gateway, with the date appended. This setting can be changed to e-mail notification upon a customer’s request.

Pic. 2 – Dump Memory Grabber admin panel
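Two of the conditions described on this page, remote RDP/VNC access reachable on the POS terminal and an outbound FTP channel carrying the dump log, are both visible in a single `netstat -ano` capture from the host. The following triage script is an added example, not Group-IB’s tooling: it parses that output and flags RDP (3389) or VNC (5900-5999) listeners bound to all interfaces, established remote-access sessions from addresses outside the assumed store/management ranges, and any outbound FTP connection, on the assumption that a POS terminal has no legitimate reason to speak FTP. The netstat lines and the trusted subnets are constructed for the example.

```python
"""POS host remote-access and FTP exfil triage over netstat output (added example)."""
import ipaddress
from typing import Dict, List, Tuple

REMOTE_ACCESS_PORTS = {3389} | set(range(5900, 6000))   # RDP and VNC display ports
# Assumed management ranges for the example; load these from inventory in practice.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                ipaddress.ip_network("192.168.100.0/24")]


def split_endpoint(ep: str) -> Tuple[str, int]:
    """'10.20.5.17:3389' -> ('10.20.5.17', 3389); handles '[::]:3389' too."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text: str) -> List[Dict]:
    """Parse the TCP rows of Windows `netstat -ano`; headers and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "TCP":
            continue
        rows.append({"local": split_endpoint(parts[1]),
                     "remote": split_endpoint(parts[2]),
                     "state": parts[3], "pid": parts[4]})
    return rows


def is_trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or any(addr in n for n in TRUSTED_NETS)


def find_exposures(text: str) -> List[str]:
    findings = []
    for r in parse_netstat(text):
        lhost, lport = r["local"]
        rhost, rport = r["remote"]
        if lport in REMOTE_ACCESS_PORTS and r["state"] == "LISTENING" and lhost in ("0.0.0.0", "::"):
            findings.append(f"{lhost}:{lport} listening on all interfaces (pid {r['pid']})")
        if lport in REMOTE_ACCESS_PORTS and r["state"] == "ESTABLISHED" and not is_trusted(rhost):
            findings.append(f"remote-access session on port {lport} from untrusted {rhost}:{rport} (pid {r['pid']})")
        if rport == 21 and r["state"] == "ESTABLISHED":
            findings.append(f"outbound FTP to {rhost}:{rport} (pid {r['pid']}), possible dump upload")
    return findings


# Constructed sample output; 203.0.113.45 and 198.51.100.20 are documentation addresses.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       748
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       812
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING       2204
  TCP    10.20.5.17:3389        10.20.0.9:51322        ESTABLISHED     812
  TCP    10.20.5.17:3389        203.0.113.45:60210     ESTABLISHED     812
  TCP    10.20.5.17:49712       198.51.100.20:21       ESTABLISHED     3120
  UDP    0.0.0.0:123            *:*                                    1092
"""

if __name__ == "__main__":
    for f in find_exposures(SAMPLE_NETSTAT):
        print("FINDING:", f)
```

The loopback-only VNC listener and the RDP session from the management range are deliberately left unflagged; the point is to surface the exposure pattern the page describes (remote access reachable from outside, plus an FTP channel leaving the terminal), not every open socket.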

 

Group-IB and its CERT (CERT-GIB) found a private video demonstrating the admin panel of this new POS malware.

Customers of major US banks, such as Chase (Newark, Delaware), Capital One (Richmond, Virginia), Citibank (South Dakota), Union Bank of California (San Diego, California) and Nordstrom FSB Debit (Scottsdale, Arizona), were compromised by this malware; here are some segments of the data extracted from the video uploaded to one of the most famous underground forums:

The following exclusive screenshot of the «BlackPOS» admin panel, taken on 23 March 2013, shows thousands of compromised credit cards.

During the investigation, it was found that the author might be from the Russian Federation, because of the language used and because of an interesting detail in the video that is very hard to spot: at about 01:44 a link to the internal messaging system of Vkontakte.ru, one of the most popular social networks in Russia, appears on screen.

Pic. 3 – The author of the POS malware and the link to a Vkontakte profile during the admin panel demonstration

It seems that the hacker was chatting with one of his friends through Vkontakte and forgot to close the active browser window. Profiling the Vkontakte ID (http://vk.com/id93371139) revealed the person behind the anonymous nickname “Wagner Richard”.

Pic. 4 – The author of the malware uses an anonymous nickname on Vkontakte to communicate with his friends

The hacker mentions a link to a group that takes orders for DDoS attacks, which suggests he is one of the people involved in a larger cybercrime gang.

Pic. 5 – Anonymous group on the social network taking orders for DDoS attacks (http://vk.com/the_ddos_attack)

Previously, they had set up several similar groups related to DDoS attacks, but all of them were banned.

Pic. 6 – 7 persons are members of the detected cybercriminal group, including the author of the POS malware with the nick «Wagner Richard», who acts as administrator of the group

The picture above shows the 7 members of the detected cybercriminal group; an 8th member was found through the «Likes» section.

1) http://vk.com/id83965304 – Artiom Karapetyan (native city: Echmiadzin (Armenia); city of education: Talas (Kyrgyzstan), school 6 – 2011/2014); http://vk.com/friends?id=83965304&section=list27 – all of his friends belong to the Russian Anonymous Division

2) http://vk.com/psychoosocial – Viktor Tovstonis (skype: vitok5566)

3) http://vk.com/ruslan_halus – “Ruslan Halus” (skype: halusruslan, Twitter: rhalus, city: Pereginskoe (Ukraine))

4) http://vk.com/anonim207 – «Max Mamaciev» (city: Moscow (Russia), Moscow State University)

5) http://vk.com/id204853815 – «DDOS ATACKA» (city: Moscow (Russia), Moscow State University, Biology faculty, school 1’19, http://attackddos.narod.ru)

 

Pic. 7 – the full disclosure of the members; most of them belong to Russian hacktivist activities related to the Anonymous group, which was prominently shown in the Russian mass media during the presidential election

Pic. 8 – the 8th member was found through the «Likes» section

The gang’s pricing for DDoS attacks starts from 2 USD per hour, which is absolutely shocking (22 USD per day, 220 USD per week); they also sell a private DDoS bot for 800 USD.

Pic. 9 – According to the service specification, the hackers also claim techniques to bypass anti-DDoS protection services such as QRator, CloudFlare and Cisco Guard

According to the profiling, security expert Andrey Komarov said that all the hackers involved are under 23, which in his view shows how heavily young people are involved in cybercrime.

«We have found one of the C&C servers for this POS malware, but in fact hundreds of POS terminals/ATMs were infected and we are still investigating this issue,» said Andrey Komarov, IntelCrawler’s CEO.

Pierluigi Paganini

(Security Affairs – Cybercrime)


Cybercrime Dexter DUMP MEMORY GRABBER Group-IB malware vSkimmer