Exclusive -Details on Investigation of Group-IB on new age of POS malware

Pierluigi Paganini March 28, 2013

New age of POS malware – cash points are in the hackers’ interest, major US banks are compromised.

UPDATE January 17th, 2014

I desire to reveal the identity of the person that has conducted the analysis on the BlackPos agent, giving me a significant support for the realization of the post. Andrey Komarov, IntelCrawler’s CEO, has arranged investigation on Black POS in March 2013, when he works in another forensics company. Since that time, the first group which was using BlackPOS was detected, as well as the author, a 17-year-old teen from St. Petersburg

BREAKING NEWS – BlackPOS malware – IntelCrawler has identified the author

According to the statistics of Group-IB, one of the leading security and computer forensics company, modern cybercriminals started to use specific malware for ATMs and POS for targeted attacks. 

Most of them are organized with the help of insiders in face of staff, who has access to the POS to maintain or update its software locally. Only few infections were detected with the help of targeted remote attacks on POS working on Windows XP / Windows Embedded with RDP/VNC access or vulnerabilities in ATM networks connected to VPN channels of the banks or GSM/GPRS networks.

Previously a McAfee security researcher, Chintan Shah, has notified the banking community about vSkimmer, the Trojan-like malware is designed to infect Windows-based computers that have payment card readers attached to them.

At the end of 2012, Israel based company Seculert  notified about Dexter malware, used for parsing memory dumps of specific POS software related processes, looking for Track 1 / Track 2 credit card data.

Several days ago, Group-IB has found a new type of POS malware, «DUMP MEMORY GRABBER by Ree[4]”, written on pure C++ without the use of any additional libraries. It supports all Microsoft Windows versions, including x64 versions and use mmon.exe for RAM memory scanning on tracks and credit card data.


Pic.1 – the malware has own intellectual functions to delete third-party information to make the POS malware logs only with compromised credit cards data

According to the description of the author, it adds itself to the autorun with default timeout in 3 hours. The log with intercepted dumps is transferred through FTP gateway with the date. This variable can be changed on e-mail notification upon customer’s request.


Dump Memory grabber Admin Panel


 Group-IB and it’s CERT (CERT-GIB) has found a private video with a demonstration of admin panel of this new POS malware.

POS Dump_Memory_grabber2_PURGED 

Customers of major US banks, such as Chase (Newark, Delaware), Capital One (Virginia, Richmond), Citibank (South Dakota), Union Bank of California (California, San Diego), Nordstrom FSB Debit (Scottsdale, Arizona), were compromised by this malware, here are some segments of the data extracted from the uploaded video on one of the most famous underground forums:

In the following image an exclusive screenshot related to thousands of credit cards were compromised, the screenshot of the «BlackPOS» admin panel, 23th March 2013

POS BlackPos


During the investigation, it was found out that the author might be from the Russian Federation, because of language and the interesting factor in the video which is very hard to detect – close to 01:44 it is appeared the link on internal messaging system of one of the most famous social networks in Russia – Vkontake.ru.


POS Vkontakle_Purged

Pic. 3 – The author of the following POS malware and the link on Vkontakte profile during the POS malware admin panel demonstration

It seems to be that the hacker was communicated with one of his friends through Vkontakte and forgot to close the active Internet Browser window. Profiling on the Vkontakte ID (http://vk.com/id93371139) disclosured us the person under anonymous nick “Wagner Richard”.

POS Vkontakte2

Pic.4 – The author of the malware uses anonymous nickname in Vkontakte for communication with his friends

The hacker mentions the link on the group for orders on DDoS-attacks, which can characterize him as one of the persons involved into big cybercrime gang.

POS Orders_on_DDoS_attacks

Pic. 5 – Anonymous group in social network for the orders on DDoS attacks (http://vk.com/the_ddos_attack )

Previously, they set up several similar groups related to DDoS attacks, but all of them were banned before.

POS 7members_Detected_cybercriminals_group

Pic. 6 – 7 persons are members of the detected cybercriminals group, including the author of the POS malware with nick «Wagner Richard», he is acting as administrator of the group

The above picture reports 7 members of the detected cybercriminals group, including the author of the POS malware with nick «Wagner Richard», he is acting as administrator of the group, the 8th member was found by «Likes» section .

1) http://vk.com/id83965304 – Artiom Karapetyan (native city is: Echmiadzin (Armenia), city of education: Talas (Kyrgyzstan), school 6 – 2011/2014), http://vk.com/friends?id=83965304&section=list27 – all the friends belong to Russian Anonymous Divison

2) http://vk.com/psychoosocial – Viktor Tovstonis (skype: vitok5566)

3) http://vk.com/ruslan_halus – “Ruslan Halus” (skype: halusruslan, Twitter: rhalus, city: Pereginskoe (Ukraine))

4) http://vk.com/anonim207 – «Max Mamaciev» (city: Moscow (Russia), Moscow State University)

5) http://vk.com/id204853815 – «DDOS ATACKA» (city: Moscow (Russia), Moscow State University, Biology faculcy, school 1’19, http://attackddos.narod.ru).


POS 7members_Detected_cybercriminals_group2

Pic. 7 – the full disclosure of the members, most of them are belong to russian hacktivism activities related to Anonymous group, which was actively shown in russian mass-media during the election of the President


POS 8thmember

Pic. 8 – the 8th member was found by «Likes» section

The pricing on DDoS attack from the gang starts from 2 USD per hour, which is absolutely shocking (22 USD – per day, 220 USD – per week), also it is mentioned that they trade private DDoS bot for 800 USD.

POS DDoS_price

According to the service specification, the hackers also use techniques to bypass anti-ddos services protection such as QRator, Cloudfare, Cisco Guard).

POS DDoS_offer

Pic. 9 – According to the service specification, the hackers also use techniques to bypass anti-ddos services protection such as QRator, Cloudfare, Cisco Guard)

According to the profiling, the security expert Andrey Komarov said that all the involved hackers are less than 23 years, which proofs that youth is involved into the most of cybercrimes.

«We have found one of the C&C for the following POS malware, but in fact hundreds of POS/ATMs were infected and we are still investigating this issue» – said Andrey Komarov, Andrey Komarov, IntelCrawler’s CEO.

Pierluigi Paganini

(Security Affairs – Cybercrime)

you might also like

leave a comment