Nytro, posted September 5, 2013

[h=3]Point-of-Sale Malware: Infostealer.Dexter[/h]

Haven't posted in a while, so let's do something... Back on some old material, due to a 'recent' compromise of off-sho.re servers, and the circulation between AVs of Cyberbunker sinkhole logs. (Especially the Alina connections were interesting, but that's not the topic.)

Do you remember Dexter? Nah, not the TV series, but the PoS malware. Systems infected by Dexter are various in our case (gas stations, pawn shops, logistics, luxury shops, doctors, clinics, pharma, labs, etc...). This malware was coded by a guy known as 'dice' (there was an advert on Darkode made by him around November 2012 if I remember, but he requested an admin to remove the thread, so it's no longer available). Visa USA released an alert one month after.

Sample which came from the compromised server:

Let's see. I will spare you the Visual Basic 6 unpacking step; if you want the hashes:
Original: bb0b17c2f66a868cf1e8a46626366a32
Depacked: e74593552b66a4638b80a4fbf2fb7438

Create a mutex:
Determine if we are under x64:
Create a suspended process of IE:
Copy the EXE in memory:
WriteProcessMemory on Internet Explorer with the content of the exe:
Then he does a CreateRemoteThread on IE and ExitThread on this process.

OK, what happens with the injected IE? I've patched the executable by taking some jumps he has not taken at the beginning, to make it think we are in IE and see what happens.

Create a subkey 'HelperSolutions Software':
Create a folder %APPDATA%/Java Security Plugin, then CopyFile and DeleteFile on the original exe.
Do a RegCreateKey/RegSetValue/RegCloseKey with 'digit' as registry entry and 'cc98afca-1a04-4c5d-80cf-1cc78244b63e' as value for me.
Create a registry persistence 'Sun Java Security Plugin':
Do the same but this time in HKCU:
Create another registry entry, but this time HKCU Software\Microsoft\Windows\CurrentVersion\Policies\Associations with 'LowRiskFileTypes' and '.exe;.bat;.reg;.vbs;' as value.

The 'Policies\Associations' subkey lets you manage the default risk level for file attachments (low-risk/medium-risk/high-risk file types). The attachment manager in Windows can help protect your computer from unsafe attachments that you might receive with an e-mail message and from unsafe files that you might save from the Internet.

Edit a value at HKCU: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0, registry entry '1806' and '0' as value.
'1806' is the registry entry about launching applications and unsafe files in Internet Explorer. The value can be zero, one, or three; typically, a setting of zero sets a specific action as permitted, a setting of one causes a prompt to appear, and a setting of three prohibits the specific action.
Do the same operation but in HKLM this time:

The file initialises a thread:
Extract a resource:
Create a DLL 'SecureDll.dll' with the extracted resource and attribute Hidden:
Load the DLL:
Create a path:
Create a reg key at Software\HelperSolutions Software, 'val1', with value 'C:\Documents and Settings\Administrateur\Bureau\strokes.log'.
Create a second reg key at Software\HelperSolutions Software, 'val2', with value 'C:\Documents and Settings\Administrateur\Bureau\tmp.log'.
Hook the keyboard:
Refer to the MSDN for explanation:

Okay... let's have a look at what this SecureDll.dll does; it seems it's not that secure.
Look for the previous reg keys: val1 and val2.
Look for some specific processes that run on the system. Here is the list:
wmiprvse.exe (Microsoft Windows Management Instrumentation)
LogonUI.exe (Windows LogOn User Interface)
svchost.exe (Service Host Process)
iexplore.exe (Internet Explorer)
explorer.exe (generic Windows process)
System (Internal Windows system process)
smss.exe (Session Management Subsystem)
csrss.exe (Client/Server Runtime Subsystem)
winlogon.exe (Windows LogOn Process)
lsass.exe (Local Security Authority Subsystem Service)
spoolsv.exe (Printer Spooler Service)
alg.exe (Application Layer Gateway)
wuauclt.exe (Windows Update client for Windows ME)
firefox.exe
chrome.exe
devenv.exe (Microsoft Visual Studio)

Then he starts to open processes and look for track1/2/3:
And when finally something is detected:
Make it as a string:
After looking at all processes he will create some threads:
The first will just do a new scan of processes.
The second thread makes sure everything is OK with the registry key 'run'.
Three does a loop.
Four detects if the PC will get shut down (I've not looked, but DetectShutdownClass seems explicit enough).

Then he starts to enter a procedure to call home:
Get user name:
Get the computer name:
Get the OS version:
Architecture:
Retrieve the string used to identify the machine, which was stored in the registry database (cc98afca-1a04-4c5d-80cf-1cc78244b63e):
Open strokes.log and read it, then delete it:
Read the content of tmp.log:
Enter a decode routine:
Create a file Debug.log:
Write it:
And delete tmp.log:
Take our hwid and enter the routine to encode it:
Then he will do that again, but with the process names he grabbed track info from; take also PC info, etc...

From the original source code:
At the end we have a huge string like:
page=RUUZTk9FSURRTk1OHVFIGBhJUUQYRUpRSkQaTUwYSUhNTx0f&ump=ACgZHREqFRkLGQ4jLxkOChUfGVIZBBlGR0hNTU1NTU1NTU1NTU1NTU1BTU9MS01MTUxMTExMTExMTExKSkpDWT5ITU1NTU1NTU1NTU1NTU1NIiQlMDU+MyRTMD0+L1wxLiJNT0xLTUxNTExMTExMTExMTExMTExMTExMTExKSkpMTE
C&C domain and gate path are given via pointers due to the Internet Explorer injection.
After having called the gateway, Dexter then does a 600000 ms sleep (10 mins):
And does the shit again, then re-calls home every 10 mins.

Now about the C&C responses, I noticed these actions:
update-
chekin:
scanin:
unistall
download-
I've not searched how the following commands work; Josh Grunzweig of SpiderLabs already explained it.

So... enough boring reversing info, let's have a look at the panel now.
Login:
Dashboard:
More than 3000 bots, most of them are commercial machines.
Like Alina, Dexter uses colour codes: dead bots appear in red and recently dead bots in blue:
Dumps (stolen credit cards):
Keylogger logs (here, that seems to be a UPS dispatch center, or something like this):
Process viewer (not working):
Another but small Dexter panel:
I've also found an older version of Dexter; I thought it was Alina at first, but nope, Dexter v1:
Dashboard:
Dumps:
Bots:
Process list (this time it works):
Uploader was not found due to a programming error:
Dexter 'v2' C&C structure:
Just ignore the 'installer' folder, that's something homemade for a video.
Get track type function:
That even grabs track3.

Posted by Steven K at 23:09
Source: XyliBox: Point-of-Sale Malware: Infostealer.Dexter
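Added example, not part of the forum post or the XyliBox write-up: a small Python audit that parses a `reg export` (.reg) dump and flags the host artifacts the post describes (the 'HelperSolutions Software' config key with digit/val1/val2, the 'Sun Java Security Plugin' Run entry, the 'LowRiskFileTypes' change, and '1806'=0 under Zones\0). The .reg fragment is constructed to mirror the post; the executable path in the Run value is a placeholder, not a real Dexter file name.

```python
import re

# Constructed .reg fragment reproducing the changes the post describes (not a real
# capture); the Run value's executable path is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\HelperSolutions Software]
"digit"="cc98afca-1a04-4c5d-80cf-1cc78244b63e"
"val1"="C:\\Documents and Settings\\Administrateur\\Bureau\\strokes.log"
"val2"="C:\\Documents and Settings\\Administrateur\\Bureau\\tmp.log"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sun Java Security Plugin"="C:\\Documents and Settings\\Administrateur\\Application Data\\Java Security Plugin\\PLACEHOLDER.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe;.bat;.reg;.vbs;"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1806"=dword:00000000
'''

VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg(text):
    # Minimal .reg parser: {key_path: {value_name: data}} for REG_SZ and REG_DWORD only
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, s, dword = m.groups()
            keys[current][name] = int(dword, 16) if dword is not None else s.replace('\\\\', '\\')
    return keys

def audit_dexter_indicators(text):
    """Return a list of findings matching the registry artifacts described in the post."""
    findings = []
    for key, values in parse_reg(text).items():
        low = key.lower()
        if low.endswith(r'\software\helpersolutions software'):
            findings.append(f'config key {key}: ' + ', '.join(f'{n}={v}' for n, v in values.items()))
        if low.endswith(r'\currentversion\run'):
            for n, v in values.items():
                if n == 'Sun Java Security Plugin' or 'java security plugin' in str(v).lower():
                    findings.append(f'persistence in {key}: {n} -> {v}')
        if low.endswith(r'\policies\associations') and '.exe' in str(values.get('LowRiskFileTypes', '')).lower():
            findings.append(f'attachment manager weakened in {key}: LowRiskFileTypes={values["LowRiskFileTypes"]}')
        if low.endswith(r'\internet settings\zones\0') and values.get('1806') == 0:
            findings.append(f'IE zone 0 setting 1806=0 in {key}: launching applications and unsafe files permitted')
    return findings
```

Run it against a real export (`reg export HKCU hkcu.reg` on the host, then pass the file contents) to check both HKCU and HKLM, since the post notes the same changes are made in both hives.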
ron2121, posted November 17, 2014

Alina source code, please build a new POS grabber for this forum: Web.rar download - 2shared