Global Cyber Security Company

Exclusive -Details on Investigation of Group-IB on new age of POS malware

03.04.2013, Moscow Group-IB: New age of POS malware – cashpoints are in the hacker’s interest, major US banks are compromised

According to the statistics of Group-IB, one of the leading security and computer forensics company, modern cybercriminals started to use specific malware for ATMs and POS for targeted attacks.

Most of them are organized with help of insiders in face of staff, who has access to the POS to maintain or update it’s software locally. Only few infections were detection with help of targeted remote attacks on POS working on Windows XP / Windows Embedded with RDP/VNC access or vulnerabilities in ATM networks connected to VPN channels of the banks or GSM/GPRS networks.

Previously McAfee security researcher, Chintan Shah, has notified the banking community about vSkimmer, the Trojan-like malware is designed to infect Windows-based computers that have payment card readers attached to them.

At the end of 2012, Israel based company Seculert notified about Dexter malware, used for parsing memory dumps of specific POS software related processes, looking for Track 1 / Track 2 credit card data.

Several days ago, Group-IB has found new type of POS malware, «DUMP MEMORY GRABBER by Ree[4]”, written on pure C++ without use of any additional libraries. IT supports all Microsoft Windows versions including x64 versions and use mmon.exe for RAM memory scanning on tracks and credit cards data.

dump memory_grabber1

The malware has own intellectual functions to delete third-party information to make the POS malware logs only with compromised credit cards data

According to the description of the author, it adds itself to the autorun with default timeout in 3 hours. The log with intercepted dumps is transferred through FTP gateway with the date. This variant can be changed on e-mail notification upon customers request.

dump memory_grabber_adminpanel2

Dump Memory grabber Admin Panel

Group-IB and it’s CERT (CERT-GIB) has found private video with demonstration of admin panel of this new POS malware.

dump memory_grabber2_purged

Customers of major US banks, such as such as Chase (Newark, Delaware), Capital One (Virginia, Richmond), Citibank (South Dakota), Union Bank of California (California, San Diego), Nordstrom FSB Debit (Scottsdale, Arizona), were compromised by this malware, here are some segments of the data extracted from the uploaded video on one of the most famous underground forums:

In the following image an exclusive screensot related to thousands of credit cards were compromised, the screenshot of «BlackPOS» admin panel, 23th March 2013


About Group-IB
Group-IB is Russia and the CIS’s (Commonwealth of Independent States) leading computer security company, specializing in the investigation of computer crime, information security breaches, computer forensics, and global threat intelligence gathering. On the basis of Group-IB, CERT-GIB operates as the first private computer emergency response team in Russia. CERT-GIB provides the client with comprehensive support in minimizing informational risks, consisting of technical, organizational, and legal advice. Group-IB has residency at the Skolkovo Innovation Center. As part of the Skolkovo innovative projects, Group-IB is creating The CyberCop, a global counter-cybercrime system. The system is an effective tool which will allow the law enforcement agencies in Russia and around the world to combat cybercrime during the most difficult stages of the investigative process: evidence gathering, information analysis, and perpetrator finding.

Contact Us:

+1 917 809-47-41

More information