{
"Event" : {
"analysis" : "2" ,
"date" : "2017-03-09" ,
"extends_uuid" : "" ,
"info" : "OSINT - RawPOS Malware Rides Again" ,
"publish_timestamp" : "1489943413" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1489943379" ,
"uuid" : "58ceba55-4618-4c0d-8dc7-61b102de0b81" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#ffffff" ,
"local" : false ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#00223b" ,
"local" : false ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#00809c" ,
"local" : false ,
"name" : "veris:asset:variety=\"U - POS terminal\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943379" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "58ceba5f-2f1c-4552-9630-4bfc02de0b81" ,
"value" : "https://www.cylance.com/en_us/blog/rawpos-malware.html" ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : false ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943379" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "58ceba8b-fdb4-481b-8d10-779502de0b81" ,
"value" : "As part of a recent forensics investigation by the Cylance Consulting Services team, we uncovered some new RawPOS malware. This family of POS malware has been widely documented in operation since 2008. Numerous retail operations of various sizes have been compromised with this malware and its variants.\r\n\r\nRather than rehash old malware, our intent is to discuss \u2018signature fidelity\u2019 and explain through technical detail why poorly-written signatures give people a false sense of security. This \u2018antivirus is dead\u2019 argument is often presented, but with little technical detail to highlight specifically why this is the case.\r\n\r\nIn our example below, the RawPOS variant went undetected for well over 30 days by a legacy antivirus (AV) vendor. By the time the vendor deployed custom DAT files, the only samples identified were in the quarantine directory of CylancePROTECT\u00ae. Fortunately, this customer deployed CylancePROTECT in time and prevented any data exfiltration.\r\n\r\nAt the end of this post, we\u2019ll provide an updated yara file for identifying all variants of the RawPOS dumper, as well as some sha256 hashes of the new variant." ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : false ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943379" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "58cebab8-d654-4b21-8eb6-4a5b02de0b81" ,
"value" : "rule RawPOS_dumper\r\n\r\n{\r\n\r\n meta:\r\n\r\n author = \"Cylance Inc.\"\r\n\r\n date = \"2017-01-24\"\r\n\r\n description = \"Used to detect all RawPOS RAM dumper(s)\"\r\n\r\n strings:\r\n\r\n $time_func = { 55 8b ec 81 c4 ?? ?? ?? ?? 53 56 57 8b ?? ?? 8b ?? ?? 6a 00 e8 ?? ?? ?? ?? 59 a3 ?? ?? ?? ?? 6a 00 e8 ?? ?? ?? ?? 59 3d ?? ?? ?? ?? 7e ?? 33 c0 e9 ?? ?? ?? ??}\r\n\r\n $enum_proc_func = { 55 8b ec 81 c4 ?? ?? ?? ?? 50 81 c4 ?? ?? ?? ?? 53 56 57 be c8 b9 42 00 8d ?? ?? ?? ?? ?? b9 41 00 00 00 f3 ?? 8d ?? ?? 50 68 a0 0f 00 00 8d ?? ?? ?? ?? ?? 52 e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ??}\r\n\r\n $open_proc_func = { 8b f0 85 f6 0f ?? ?? ?? ?? ?? 8d ?? ?? 50 6a 04 8d ?? ?? 52 56 e8 ?? ?? ?? ?? 85 c0 74 ?? 68 04 01 00 00 8d ?? ?? ?? ?? ?? 51 ff ?? ?? 56 e8 ?? ?? ?? ?? 56 e8 ?? ?? ?? ??}\r\n\r\n condition:\r\n\r\n $enum_proc_func or $time_func or $open_proc_func\r\n\r\n}"
} ,
{
"category" : "Payload delivery" ,
"comment" : "New Variant" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943379" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "58cebad4-418c-48a5-aaa6-779302de0b81" ,
"value" : "a2e720a2c538347144aee50ae85ebfdaf3fdffcfc731af732be5d3d82cd08b18"
} ,
{
"category" : "Payload delivery" ,
"comment" : "New Variant" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943379" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "58cebad5-3ed8-4ef1-bd72-779302de0b81" ,
"value" : "fe8637ef9be609951aa218942d46a535ba771236668a49a84512b18b02e9fbee"
} ,
{
"category" : "Payload delivery" ,
"comment" : "New Variant" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943379" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "58cebad6-0594-4e72-b49c-779302de0b81" ,
"value" : "0ca08c10a79cddbb359354f59ba988e77892e16dce873b5ba8e20eb053af8a18"
} ,
{
"category" : "Payload delivery" ,
"comment" : "New Variant" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943379" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "58cebad7-0370-4bc4-88c6-779302de0b81" ,
"value" : "4bd1cc0a38117af7d268c29592ef754e51ce5674e26168c6bb613302f3c62fb8"
} ,
{
"category" : "Payload delivery" ,
"comment" : "New Variant" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943379" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "58cebad8-8580-4b24-aad8-779302de0b81" ,
"value" : "967fcbc7abcb328afb1dbfd72d68636c478d7369e674d622799b8dfd66230112"
} ,
{
"category" : "Payload delivery" ,
"comment" : "New Variant - Xchecked via VT: 967fcbc7abcb328afb1dbfd72d68636c478d7369e674d622799b8dfd66230112" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943387" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "58cebb5b-4f98-4550-8ff3-489d02de0b81" ,
"value" : "72b324a752f73c97296e379ff0a19352ab1bd333"
} ,
{
"category" : "Payload delivery" ,
"comment" : "New Variant - Xchecked via VT: 967fcbc7abcb328afb1dbfd72d68636c478d7369e674d622799b8dfd66230112" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943388" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "58cebb5c-e694-4eb4-96b1-475502de0b81" ,
"value" : "92d6d8a64d06ce87b2711f3711ebcf9a"
} ,
{
"category" : "External analysis" ,
"comment" : "New Variant - Xchecked via VT: 967fcbc7abcb328afb1dbfd72d68636c478d7369e674d622799b8dfd66230112" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943389" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "58cebb5d-583c-44d3-ae7e-4db802de0b81" ,
"value" : "https://www.virustotal.com/file/967fcbc7abcb328afb1dbfd72d68636c478d7369e674d622799b8dfd66230112/analysis/1489006314/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "New Variant - Xchecked via VT: 4bd1cc0a38117af7d268c29592ef754e51ce5674e26168c6bb613302f3c62fb8" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943389" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "58cebb5d-6bb8-4279-8487-404202de0b81" ,
"value" : "3f02081e0b6a56e56bb946fbed42bc775a80613e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "New Variant - Xchecked via VT: 4bd1cc0a38117af7d268c29592ef754e51ce5674e26168c6bb613302f3c62fb8" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943390" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "58cebb5e-fd44-4f79-9c96-47ed02de0b81" ,
"value" : "81bcb41c37fac427eda59ac121056b39"
} ,
{
"category" : "External analysis" ,
"comment" : "New Variant - Xchecked via VT: 4bd1cc0a38117af7d268c29592ef754e51ce5674e26168c6bb613302f3c62fb8" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943391" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "58cebb5f-8be8-4b56-9542-482702de0b81" ,
"value" : "https://www.virustotal.com/file/4bd1cc0a38117af7d268c29592ef754e51ce5674e26168c6bb613302f3c62fb8/analysis/1484975136/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "New Variant - Xchecked via VT: 0ca08c10a79cddbb359354f59ba988e77892e16dce873b5ba8e20eb053af8a18" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943392" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "58cebb60-290c-46b2-840b-447602de0b81" ,
"value" : "b5eead5b1c050f45127c4fe3ba63125f522b0a9c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "New Variant - Xchecked via VT: 0ca08c10a79cddbb359354f59ba988e77892e16dce873b5ba8e20eb053af8a18" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943393" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "58cebb61-de18-4e5d-b1ab-4ce502de0b81" ,
"value" : "1a0cc9846a6d6499b4c264b49edc9115"
} ,
{
"category" : "External analysis" ,
"comment" : "New Variant - Xchecked via VT: 0ca08c10a79cddbb359354f59ba988e77892e16dce873b5ba8e20eb053af8a18" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943394" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "58cebb62-4e44-4cf0-8a4e-45d102de0b81" ,
"value" : "https://www.virustotal.com/file/0ca08c10a79cddbb359354f59ba988e77892e16dce873b5ba8e20eb053af8a18/analysis/1485335247/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "New Variant - Xchecked via VT: fe8637ef9be609951aa218942d46a535ba771236668a49a84512b18b02e9fbee" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943395" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "58cebb63-5c94-4bb4-806f-4e6a02de0b81" ,
"value" : "c2f1f25f78cfaf1a9367d54f2af69b220a203cff"
} ,
{
"category" : "Payload delivery" ,
"comment" : "New Variant - Xchecked via VT: fe8637ef9be609951aa218942d46a535ba771236668a49a84512b18b02e9fbee" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943395" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "58cebb63-00c8-4d1f-a776-46a702de0b81" ,
"value" : "8f9aa638e9bffd76b3764e726abfa9a6"
} ,
{
"category" : "External analysis" ,
"comment" : "New Variant - Xchecked via VT: fe8637ef9be609951aa218942d46a535ba771236668a49a84512b18b02e9fbee" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943396" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "58cebb64-a100-42db-82de-4e9302de0b81" ,
"value" : "https://www.virustotal.com/file/fe8637ef9be609951aa218942d46a535ba771236668a49a84512b18b02e9fbee/analysis/1480241460/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "New Variant - Xchecked via VT: a2e720a2c538347144aee50ae85ebfdaf3fdffcfc731af732be5d3d82cd08b18" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943397" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "58cebb65-08ec-4bb5-a386-4e4402de0b81" ,
"value" : "787a7acba4aa7463d86a52b2d9afd95e568911ab"
} ,
{
"category" : "Payload delivery" ,
"comment" : "New Variant - Xchecked via VT: a2e720a2c538347144aee50ae85ebfdaf3fdffcfc731af732be5d3d82cd08b18" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943398" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "58cebb66-0e6c-4d85-995d-4cc402de0b81" ,
"value" : "8673b3749bfbb9665d1c065333e184bb"
} ,
{
"category" : "External analysis" ,
"comment" : "New Variant - Xchecked via VT: a2e720a2c538347144aee50ae85ebfdaf3fdffcfc731af732be5d3d82cd08b18" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1489943399" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "58cebb67-41b4-40d8-91fb-45f502de0b81" ,
"value" : "https://www.virustotal.com/file/a2e720a2c538347144aee50ae85ebfdaf3fdffcfc731af732be5d3d82cd08b18/analysis/1489006314/"
}
]
}
}