Exclusive: details of Group-IB's investigation into a new generation of POS malware

By Pierluigi Paganini, Editor-in-Chief

Group-IB: New age of POS malware – cashpoints are in the hackers' interest, customers of major US banks are compromised

According to statistics from Group-IB, one of the leading security and computer forensics companies, modern cybercriminals have started to use malware built specifically for ATMs and POS terminals in targeted attacks.

Most of these infections are arranged with the help of insiders: staff who have access to the POS terminal to maintain or update its software locally. Only a few infections were detected that resulted from remote targeted attacks on POS terminals running Windows XP / Windows Embedded with RDP/VNC access, or from vulnerabilities in ATM networks connected over the banks' VPN channels or over GSM/GPRS networks.

Earlier, McAfee security researcher Chintan Shah notified the banking community about vSkimmer, a Trojan designed to infect Windows-based computers that have payment card readers attached to them.

At the end of 2012, the Israel-based company Seculert reported the Dexter malware, which parses memory dumps of specific POS software processes looking for Track 1 / Track 2 credit card data.

Several days ago, Group-IB found a new type of POS malware, «DUMP MEMORY GRABBER by Ree[4]», written in pure C++ without any additional libraries. It supports all Microsoft Windows versions, including x64 builds, and uses mmon.exe to scan RAM for track and credit card data.


Pic. 1 – the malware has its own filtering logic that discards unrelated data, so that its logs contain only compromised credit card data

According to the author's description, it adds itself to autorun with a default timeout of 3 hours. The log of intercepted dumps is transferred through an FTP gateway, with the date appended. On a customer's request, this variant can be switched to e-mail notification.


Dump Memory grabber Admin Panel

Group-IB and its CERT (CERT-GIB) found a private video demonstrating the admin panel of this new POS malware.


Customers of major US banks, such as Chase (Newark, Delaware), Capital One (Richmond, Virginia), Citibank (South Dakota), Union Bank of California (San Diego, California) and Nordstrom FSB Debit (Scottsdale, Arizona), were compromised by this malware. Here are some segments of the data extracted from the video, which was uploaded to one of the most famous underground forums:

The following exclusive screenshot of the «BlackPOS» admin panel, dated 23 March 2013, shows thousands of compromised credit cards.


During the investigation it was found that the author might be from the Russian Federation, because of the language used and because of an interesting detail in the video that is very hard to spot: at about 01:44 a link to the internal messaging system of one of the most famous social networks in Russia, Vkontakte.ru, appears on screen.


Pic. 3 – The author of this POS malware, and the link to a Vkontakte profile visible during the admin panel demonstration

It seems that the hacker was communicating with one of his friends through Vkontakte and forgot to close the active browser window. Profiling the Vkontakte ID (http://vk.com/id93371139) revealed a person using the anonymous nickname “Wagner Richard”.


Pic. 4 – The author of the malware uses an anonymous nickname on Vkontakte to communicate with his friends

The hacker posted a link to a group that takes orders for DDoS attacks, which suggests he is one of the people involved in a large cybercrime gang.


Pic. 5 – Anonymous group in the social network taking orders for DDoS attacks (http://vk.com/the_ddos_attack)

They had previously set up several similar groups related to DDoS attacks, but all of them were banned.


Pic. 6 – 7 people are members of the detected cybercriminal group, including the author of the POS malware with the nick «Wagner Richard», who acts as administrator of the group



Pic. 7 – the full disclosure of the members; most of them belong to Russian hacktivist activities related to the Anonymous group, which was very visible in the Russian mass media during the presidential election



Pic. 8 – the 8th member was found through the «Likes» section

The gang's pricing for a DDoS attack starts from 2 USD per hour (22 USD per day, 220 USD per week), which is absolutely shocking; it is also mentioned that they sell a private DDoS bot for 800 USD.


According to the service specification, the hackers also use techniques to bypass anti-DDoS protection services such as Qrator, Cloudflare and Cisco Guard.


Pic. 9 – According to the service specification, the hackers also use techniques to bypass anti-DDoS protection services such as Qrator, Cloudflare and Cisco Guard

According to the profiling, Group-IB said that all the hackers involved are under 23 years old, which it cites as proof that young people are involved in most cybercrimes.

«We have found one of the C&C servers for this POS malware, but in fact hundreds of POS terminals/ATMs were infected and we are still investigating this issue» – said Andrey Komarov, head of international projects and CTO of CERT-GIB.

(Sources : Security Affairs – Cybercrime)

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.
