365 lines
8.2 KiB
Text
365 lines
8.2 KiB
Text
// Point of Sale (POS) Malware and Tools used during POS compromises
|
|
|
|
rule blackpos_v2
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
version = "0.1"
|
|
reference = "http://blog.nuix.com/2014/09/08/blackpos-v2-new-variant-or-different-family"
|
|
strings:
|
|
$s1 = "Usage: -[start|stop|install|uninstall"
|
|
$s2 = "\\SYSTEM32\\sc.exe config LanmanWorkstation"
|
|
$s3 = "t.bat"
|
|
$s4 = "mcfmisvc"
|
|
condition:
|
|
uint16(0) == 0x5A4D and all of ($s*)
|
|
}
|
|
|
|
rule misc_pos
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
reference = "POS Malware"
|
|
strings:
|
|
$s1 = "KAPTOXA"
|
|
$s2 = "cmd /c net start %s"
|
|
$s3 = "pid:"
|
|
$s4 = "%ADD%"
|
|
$s5 = "COMSPEC"
|
|
$s6 = "KARTOXA"
|
|
condition:
|
|
uint16(0) == 0x5A4D and 3 of ($s*)
|
|
}
|
|
|
|
rule unknown
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
reference = "Unknown POS"
|
|
strings:
|
|
$s1 = "a.exe" wide
|
|
$s2 = "Can anyone test" wide
|
|
$s3 = "I m in computer class now" wide
|
|
condition:
|
|
uint16(0) == 0x5A4D and 3 of ($s*)
|
|
}
|
|
|
|
rule regex_pos
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
reference = "POS malware - Regex"
|
|
strings:
|
|
$n1 = "REGEXEND" nocase
|
|
$n2 = "RegExpr" nocase
|
|
$n3 = "regex"
|
|
$s4 = "[1-5][0-9]{14}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
|
|
$s5 = "[47][0-9]{13}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
|
|
$s6 = "(?:0[0-5]|[68][0-9])[0-9]{11}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
|
|
$s7 = "(?:011|5[0-9]{2})[0-9]{12}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
|
|
$s8 = "(?:2131|1800|35\\d{3})\\d{11}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
|
|
$s9 = "([0-9]{15,16}[D=](0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30})"
|
|
$s10 = "((b|B)[0-9]{13,19}\\^[A-Za-z\\s]{0,30}\\/[A-Za-z\\s]{0,30}\\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9\\s]{3,50}[0-9]{1})"
|
|
$s11 = "[0-9]*\\^[a-zA-Z]*/[a-zA-Z ]*\\^[0-9]*"
|
|
$s12 = "\\d{15,19}=\\d{13,}"
|
|
$s13 = "\\;?[3-9]{1}[0-9]{12,19}[D=\\u0061][0-9]{10,30}\\??"
|
|
$s14 = "[0-9]{12}(?:[0-9]{3})?=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*"
|
|
condition:
|
|
uint16(0) == 0x5A4D and 1 of ($n*) and 1 of ($s*)
|
|
}
|
|
|
|
rule regexpr_pos
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
reference = "POS malware - RegExpr"
|
|
strings:
|
|
$s1 = "RegExpr" nocase
|
|
$s2 = "Data.txt"
|
|
$s3 = "Track1"
|
|
$s4 = "Track2"
|
|
condition:
|
|
uint16(0) == 0x5A4D and 3 of ($s*)
|
|
}
|
|
|
|
rule reg_pos
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
reference = "POS malware - RegExpr"
|
|
strings:
|
|
$s1 = "T1_FOUND: %s"
|
|
$s2 = "id=%s&log=%s"
|
|
$s3 = "\\d{15,19}=\\d{13,}"
|
|
condition:
|
|
uint16(0) == 0x5A4D and 2 of ($s*)
|
|
}
|
|
|
|
rule sets_pos
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
reference = "POS malware - Sets"
|
|
strings:
|
|
$s1 = "GET /sets.txt"
|
|
condition:
|
|
uint16(0) == 0x5A4D and $s1
|
|
}
|
|
|
|
rule monitor_tool_pos
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
reference = "POS malware - Monitoring Tool??"
|
|
strings:
|
|
$s1 = "RCPT TO"
|
|
$s2 = "MAIL FROM"
|
|
$s3 = "AUTH LOGIN"
|
|
$s4 = "Reply-To"
|
|
$s5 = "X-Mailer"
|
|
$s6 = "crypto"
|
|
$s7 = "test335.txt" wide
|
|
$s8 = "/c del"
|
|
condition:
|
|
uint16(0) == 0x5A4D and 7 of ($s*)
|
|
}
|
|
|
|
rule pstgdump
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
reference = "pstgdump"
|
|
strings:
|
|
$s1 = "fgdump\\pstgdump"
|
|
$s2 = "pstgdump"
|
|
$s3 = "Outlook"
|
|
condition:
|
|
uint16(0) == 0x5A4D and all of ($s*)
|
|
}
|
|
|
|
rule keyfinder_tool
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
reference = "Magical Jelly Bean KeyFinder"
|
|
strings:
|
|
$s1 = "chgxp.vbs"
|
|
$s2 = "officekey.exe"
|
|
$s3 = "findkey.exe"
|
|
$s4 = "xpkey.exe"
|
|
condition:
|
|
uint16(0) == 0x5A4D and 2 of ($s*)
|
|
}
|
|
|
|
rule memdump_diablo
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
reference = "Process Memory Dumper - DiabloHorn"
|
|
strings:
|
|
$s1 = "DiabloHorn"
|
|
$s2 = "Process Memory Dumper"
|
|
$s3 = "pid-%s.dmp"
|
|
$s4 = "Pid %d in not acessible" // SIC
|
|
$s5 = "memdump.exe"
|
|
$s6 = "%s-%d.dmp"
|
|
condition:
|
|
uint16(0) == 0x5A4D and 3 of ($s*)
|
|
}
|
|
|
|
|
|
rule sysocmgr
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
reference = "System stand-alone Optional Component Manager - http://support.microsoft.com/kb/222444"
|
|
strings:
|
|
$s1 = "SYSOCMGR.EXE" wide
|
|
$s2 = "System stand-alone Optional Component Manager" wide
|
|
condition:
|
|
uint16(0) == 0x5A4D and all of ($s*)
|
|
}
|
|
|
|
rule lacy_keylogger
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
reference = "Appears to be a form of keylogger."
|
|
strings:
|
|
$s1 = "Lacy.exe" wide
|
|
$s2 = "Bldg Chive Duel Rip Query" wide
|
|
condition:
|
|
uint16(0) == 0x5A4D and all of ($s*)
|
|
}
|
|
|
|
rule searchinject
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
reference = "Usage: SearchInject <PID1>[PID2][PID3] - It loads Searcher.dll (appears to be hard coded)"
|
|
strings:
|
|
$s1 = "SearchInject"
|
|
$s2 = "inject base:"
|
|
$s3 = "Searcher.dll" nocase
|
|
condition:
|
|
uint16(0) == 0x5A4D and all of ($s*)
|
|
}
|
|
|
|
rule heistenberg_pos
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
reference = "POS Malware"
|
|
strings:
|
|
$s1 = "KARTOXA"
|
|
$s2 = "dmpz.log"
|
|
$s3 = "/api/process.php?xy="
|
|
$s4 = "User-Agent: PCICompliant" // PCICompliant/3.33
|
|
$s6 = "%s:*:Enabled:%s"
|
|
condition:
|
|
uint16(0) == 0x5A4D and 3 of ($s*)
|
|
}
|
|
|
|
rule pos_jack
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
maltype = "Point of Sale (POS) Malware"
|
|
version = "0.1"
|
|
reference = "http://blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html"
|
|
date = "2/22/2014"
|
|
strings:
|
|
$pdb1 = "\\ziedpirate.ziedpirate-PC\\"
|
|
$pdb2 = "\\sop\\sop\\"
|
|
condition:
|
|
uint16(0) == 0x5A4D and 1 of ($pdb*)
|
|
}
|
|
|
|
rule pos_memory_scrapper_
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
maltype = "Point of Sale (POS) Malware Memory Scraper"
|
|
version = "0.3"
|
|
description = "POS Memory Scraper"
|
|
date = "01/30/2014"
|
|
strings:
|
|
$s1 = "kartoxa" nocase
|
|
$s2 = "CC2 region:"
|
|
$s3 = "CC memregion:"
|
|
$s4 = "target pid:"
|
|
$s5 = "scan all processes:"
|
|
$s6 = "<pid> <PATTERN>"
|
|
$s7 = "KAPTOXA"
|
|
$s8 = "ATTERN"
|
|
$s9 = "\\svhst%p"
|
|
condition:
|
|
uint16(0) == 0x5A4D and 3 of ($s*)
|
|
}
|
|
|
|
rule pos_malwre_dexter_stardust
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
maltype = "Dexter Malware - StarDust Variant"
|
|
version = "0.1"
|
|
description = "Table 2 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf"
|
|
reference = "16b596de4c0e4d2acdfdd6632c80c070, 2afaa709ef5260184cbda8b521b076e1, and e3dd1dc82ddcfaf410372ae7e6b2f658"
|
|
date = "12/30/2013"
|
|
strings:
|
|
$s1 = "ceh_3\\.\\ceh_4\\..\\ceh_6"
|
|
$s2 = "Yatoed3fe3rex23030am39497403"
|
|
$s3 = "Poo7lo276670173quai16568unto1828Oleo9eds96006nosysump7hove19"
|
|
$s4 = "CommonFile.exe"
|
|
condition:
|
|
uint16(0) == 0x5A4D and all of ($s*)
|
|
}
|
|
|
|
rule pos_malware_project_hook
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
maltype = "Project Hook"
|
|
version = "0.1"
|
|
description = "Table 1 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf"
|
|
reference = "759154d20849a25315c4970fe37eac59"
|
|
date = "12/30/2013"
|
|
strings:
|
|
$s1 = "CallImage.exe"
|
|
$s2 = "BurpSwim"
|
|
$s3 = "Work\\Project\\Load"
|
|
$s4 = "WortHisnal"
|
|
condition:
|
|
uint16(0) == 0x5A4D and all of ($s*)
|
|
}
|
|
|
|
rule pdb_strings_Rescator
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
maltype = "Target Attack"
|
|
version = "0.3"
|
|
description = "Rescator PDB strings within binaries"
|
|
date = "01/30/2014"
|
|
strings:
|
|
$pdb1 = "\\Projects\\Rescator" nocase
|
|
condition:
|
|
uint16(0) == 0x5A4D and $pdb1
|
|
}
|
|
|
|
rule pos_uploader
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
maltype = "Point of Sale (POS) Malware"
|
|
reference = "http://blogs.mcafee.com/mcafee-labs/analyzing-the-target-point-of-sale-malware"
|
|
version = "0.1"
|
|
description = "Testing the base64 encoded file in sys32"
|
|
date = "01/30/2014"
|
|
strings:
|
|
$s1 = "cmd /c net start %s"
|
|
$s2 = "ftp -s:%s"
|
|
$s3 = "data_%d_%d_%d_%d_%d.txt"
|
|
$s4 = "\\uploader\\"
|
|
condition:
|
|
uint16(0) == 0x5A4D and all of ($s*)
|
|
}
|
|
|
|
rule winxml_dll
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
maltype = "Point of Sale (POS) Malware"
|
|
reference = "ce0296e2d77ec3bb112e270fc260f274"
|
|
version = "0.1"
|
|
description = "Testing the base64 encoded file in sys32"
|
|
date = "01/30/2014"
|
|
strings:
|
|
$s1 = "\\system32\\winxml.dll"
|
|
//$s2 = "cmd /c net start %s"
|
|
//$s3 = "=== pid:"
|
|
//$s4 = "GOTIT"
|
|
//$s5 = ".memdump"
|
|
//$s6 = "POSWDS"
|
|
condition:
|
|
uint16(0) == 0x5A4D and (all of ($s*))
|
|
}
|
|
|
|
rule pos_chewbacca
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
maltype = "Point of Sale (POS) Malware"
|
|
reference = "https://www.securelist.com/en/blog/208214185/ChewBacca_a_new_episode_of_Tor_based_Malware"
|
|
hashes = "21f8b9d9a6fa3a0cd3a3f0644636bf09, 28bc48ac4a92bde15945afc0cee0bd54"
|
|
version = "0.2"
|
|
description = "Testing the base64 encoded file in sys32"
|
|
date = "01/30/2014"
|
|
strings:
|
|
$s1 = "tor -f <torrc>"
|
|
$s2 = "tor_"
|
|
$s3 = "umemscan"
|
|
$s4 = "CHEWBAC"
|
|
condition:
|
|
uint16(0) == 0x5A4D and (all of ($s*))
|
|
}
|