• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Athlete or Hacker? Russian basketball player accused in U.S. ransomware case

 | 

U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

 | 

UK NCA arrested four people over M&S, Co-op cyberattacks

 | 

PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda

 | 

Qantas data breach impacted 5.7 million individuals

 | 

DoNot APT is expanding scope targeting European foreign ministries

 | 

Nippon Steel Solutions suffered a data breach following a zero-day attack

 | 

Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates

 | 

Hackers weaponize Shellter red teaming tool to spread infostealers

 | 

Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

 | 

Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

 | 

U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

 | 

IT Worker arrested for selling access in $100M PIX cyber heist

 | 

New Batavia spyware targets Russian industrial enterprises

 | 

Taiwan flags security risks in popular Chinese apps after official probe

 | 

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

 | 

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 

Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Cyber warfare
  • Malware
  • vSkymmer botnet, a financial malware appears in the underground

vSkymmer botnet, a financial malware appears in the underground

Pierluigi Paganini March 29, 2013

The principal reports proposed by various security firm demonstrate a sustained growth of cyber criminal activities fueled by increased offer of underground.

In the underground it is practically possible to acquire/sell any kind of product and services to realize illegal activities.

The offer is complete and include programming and hacking services, bulletproof-hosting services, cyber attacks on demand (e.g. DDoS, Spear phishing) and of course any kind of malicious code especially for the creation of powerful botnets.

Despite the number of state-sponsored attacks is increasing in impressive way, underground is mainly referred by cyber criminals that have as primary goal the monetization of fraud scheme.

Botnet products and related services are most requested items in this tumultuous market, in particular cyber criminals demonstrate an increasing interest to banking and payments sectors.

In the past malicious code such as Zeus and SpyEye create serious problems to financial sector causing substantial losses, in these days a new botnet, named vSkimmer, has been  found in the underground and once again it is the menacing payment world.

The security expert Chintan Shah at  McAfee security firm wrote in a blog post that during the analysis of some of Russian underground forums found a discussion about a Trojan for sale that is able to steal credit card information from for financial transactions and credit card payments.

vSkimmer agent works on Windows machine, it detects card readers on the victim’s machine and gather all the information from pc sending it to a remote control server encrypting it (Base64).

The malware collects the following information from the infected machine and sends it to the control server:

  • Machine GUID from the Registry
  • Locale info
  • Username
  • Hostname
  • OS version

 vSkimmerPanel

 

Security community indicates vSkimmer as the successor of the popular Dexter, a popular malware that targeted Point-of-Sale systems to gather card data as it is transmitted during sales flow. The case is not isolated, Dexter is responsible for the loss of nearly 80,000 credit card records and data breach of payment card data of Subway restaurants in 2012 meanwhile several days ago, Group-IB has found a new type of POS malware, «DUMP MEMORY GRABBER by Ree[4]”, written on pure C++ without use of any additional libraries. It supports all Microsoft Windows versions including x64 versions and use mmon.exe for RAM memory scanning on tracks and credit card data.

According to security experts at McAfee vSkimemr is circulating in the underground forums since February and it could an ongoing project, vSkimmer is very complex but despite it appears more sophisticated of Dexter it is easier to use.

Exactly as its predecessor Dexter, vSkimmer is completely undetectable on the compromised host, it operates silently waiting for a named USB device to be attached to the compromised machine and once detected it the malware dumps the collected data to the removable device.

“vSkimmer can also grab the Track 2 data stored on the magnetic strip of the credit cards. This track stores all the card information including the card number.”

Following an extract from McAfee post:

“VSkimmer maintains the whitelisted process, which it skips while enumerating the running processes on the infected machine.Once vSkimmer finds any running process not in the whitelist, it runs OpenProcess and ReadProcessMemory to read the memory pages of the process and invokes the pattern-matching algorithm to match the regular expression “?[3-9]{1}[0-9]{12,19}[D=\\u0061][0-9]{10,30}\\??”)” and extract the card info read by the payment devices. This is done recursively for every process running in the infected machine and not on the whitelist.”

“another example of how financial fraud is actively evolving and how financial Trojans are developed and passed around in the underground community.”

The malware represents, according to the security community, one of the first examples of malicious code that directly targets card-payment terminals running on Windows machines,  the offer of similar agents in the underground is increasing and their sale systems appear very efficient and able to respond to user’s needs.

A new generation of malware will attract more and more, hordes of criminals looking to profit … is important to continue to monitor the supply in the black market.

 Pierluigi Paganini

(Security Affairs – Botnet)


facebook linkedin twitter

Botnets DDoS Group-IB spear phishing underground vSkimmer

you might also like

Pierluigi Paganini July 10, 2025
DoNot APT is expanding scope targeting European foreign ministries
Read more
Pierluigi Paganini July 09, 2025
Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Athlete or Hacker? Russian basketball player accused in U.S. ransomware case

    Uncategorized / July 11, 2025

    U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

    Hacking / July 11, 2025

    UK NCA arrested four people over M&S, Co-op cyberattacks

    Cyber Crime / July 10, 2025

    PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda

    Hacking / July 10, 2025

    Qantas data breach impacted 5.7 million individuals

    Data Breach / July 10, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT