{ "Event": { "analysis": "2", "date": "2016-06-17", "extends_uuid": "", "info": "OSINT - Setting Sights On Retail: AbaddonPOS Now Targeting Specific POS Software", "publish_timestamp": "1466239298", "published": true, "threat_level_id": "3", "timestamp": "1466237887", "uuid": "5764778a-fdfc-43c0-9fcc-4166950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#3b7500", "name": "circl:incident-classification=\"malware\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1466202010", "to_ids": false, "type": "link", "uuid": "5764779a-8454-4160-aaa4-42e0950d210f", "value": "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1466202025", "to_ids": false, "type": "comment", "uuid": "576477a9-4bf0-4ae9-b31d-4b5f950d210f", "value": "Much attention has been focused recently on ransomware and other threats that go after consumers and businesses directly for monetary payouts. Still, point-of-sale (POS) malware continues to be an important source of stolen credit card data and associated revenue for cyber criminals.\r\n\r\nThe ongoing rollout of chip-and-pin credit cards and tighter standards following the retail megabreaches of 2014 have put further pressure on the POS malware black market. 
But as we have seen with the AbaddonPOS malware described here, POS malware is not just alive and well\u2014it\u2019s being actively developed.\r\n\r\nOn May 5, a financially motivated actor whom Proofpoint has been tracking as TA530 (also featured in our previous blog post \"Phish Scales\" [1]) sent out a highly-personalized email campaign targeting primarily retail companies and attempting to install TinyLoader and AbaddonPOS point-of-sale malware. The retail vertical was likely chosen due to the higher likelihood of infecting a POS system. We first observed AbaddonPOS when it was delivered by Vawtrak [2] in October of 2015. We have also found that TinyLoader and AbaddonPOS have since been updated in several ways." }, { "category": "Payload delivery", "comment": "Example macro document", "deleted": false, "disable_correlation": false, "timestamp": "1466237541", "to_ids": true, "type": "sha256", "uuid": "57650265-6c8c-4de8-9e7f-41f1950d210f", "value": "7dc57aef76a1ddb5eef7bfd1a1350e1e951b5f216bfc805f51796545d04d80a0" }, { "category": "Payload delivery", "comment": "Initial TinyLoader download", "deleted": false, "disable_correlation": false, "timestamp": "1466237541", "to_ids": true, "type": "sha256", "uuid": "57650265-8e60-4a78-8c8b-4349950d210f", "value": "e5fbfd61b19561a4c35d1f7aa385f4ca73a65adb2610504398e4ca47c109bace" }, { "category": "Payload delivery", "comment": "TinyLoader update", "deleted": false, "disable_correlation": false, "timestamp": "1466237541", "to_ids": true, "type": "sha256", "uuid": "57650265-7d44-4b05-bcf2-43d8950d210f", "value": "b30ee5185c7f649da42efabe9512d79adcaa53f3f3647e0025b7c68bf7cc8734" }, { "category": "Payload delivery", "comment": "AbaddonPOS", "deleted": false, "disable_correlation": false, "timestamp": "1466237542", "to_ids": true, "type": "sha256", "uuid": "57650266-9f34-41c8-8b36-4361950d210f", "value": "24e39756c5b6bdbdc397dabde3ece587cdb987af9704d5e5329e00b5b2aaa312" }, { "category": "Network 
activity", "comment": "On port 30010 TinyLoader C2", "deleted": false, "disable_correlation": false, "timestamp": "1466237596", "to_ids": true, "type": "ip-dst", "uuid": "5765029c-639c-4645-9c9a-40d7950d210f", "value": "50.7.124.178" }, { "category": "Network activity", "comment": "On port 50010 TinyLoader C2", "deleted": false, "disable_correlation": false, "timestamp": "1466237596", "to_ids": true, "type": "ip-dst", "uuid": "5765029c-8754-4b3f-85fd-4867950d210f", "value": "85.93.5.136" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1466237628", "to_ids": true, "type": "mutex", "uuid": "576502bc-60a4-45c3-a48e-4b92950d210f", "value": "CHAMEL1ON" }, { "category": "Network activity", "comment": "Example TinyLoader download", "deleted": false, "disable_correlation": false, "timestamp": "1466237730", "to_ids": true, "type": "url", "uuid": "57650322-21fc-4640-b114-428f950d210f", "value": "http://dolcheriva.com/img/del/a/cg-bn/word.exe" }, { "category": "Network activity", "comment": "Example TinyLoader update download", "deleted": false, "disable_correlation": false, "timestamp": "1466237730", "to_ids": true, "type": "url", "uuid": "57650322-c9e0-4067-ba78-41ed950d210f", "value": "http://50.7.124.178/file.e" }, { "category": "Network activity", "comment": "Example AbaddonPOS download", "deleted": false, "disable_correlation": false, "timestamp": "1466237730", "to_ids": true, "type": "url", "uuid": "57650322-a190-499b-9450-4f03950d210f", "value": "http://85.93.5.136/ZRH4J2/P_KYJ3gxEhTpasmJxz.d" }, { "category": "Payload delivery", "comment": "AbaddonPOS - Xchecked via VT: 24e39756c5b6bdbdc397dabde3ece587cdb987af9704d5e5329e00b5b2aaa312", "deleted": false, "disable_correlation": false, "timestamp": "1466237887", "to_ids": true, "type": "sha1", "uuid": "576503bf-05ec-4c41-9dbb-424302de0b81", "value": "00a46a475d56b0e56e0522d6736330935aa64984" }, { "category": "Payload delivery", "comment": "AbaddonPOS - 
Xchecked via VT: 24e39756c5b6bdbdc397dabde3ece587cdb987af9704d5e5329e00b5b2aaa312", "deleted": false, "disable_correlation": false, "timestamp": "1466237887", "to_ids": true, "type": "md5", "uuid": "576503bf-fba0-457a-8f9b-45d302de0b81", "value": "e4709fb8bc86334096093f3c6a181caa" }, { "category": "External analysis", "comment": "AbaddonPOS - Xchecked via VT: 24e39756c5b6bdbdc397dabde3ece587cdb987af9704d5e5329e00b5b2aaa312", "deleted": false, "disable_correlation": false, "timestamp": "1466237887", "to_ids": false, "type": "link", "uuid": "576503bf-1428-4318-9e61-4bbe02de0b81", "value": "https://www.virustotal.com/file/24e39756c5b6bdbdc397dabde3ece587cdb987af9704d5e5329e00b5b2aaa312/analysis/1463379262/" }, { "category": "Payload delivery", "comment": "TinyLoader update - Xchecked via VT: b30ee5185c7f649da42efabe9512d79adcaa53f3f3647e0025b7c68bf7cc8734", "deleted": false, "disable_correlation": false, "timestamp": "1466237887", "to_ids": true, "type": "sha1", "uuid": "576503bf-8798-454c-a17e-4c7c02de0b81", "value": "87bbed4e4dcab272097ce13d44676c0e7b297762" }, { "category": "Payload delivery", "comment": "TinyLoader update - Xchecked via VT: b30ee5185c7f649da42efabe9512d79adcaa53f3f3647e0025b7c68bf7cc8734", "deleted": false, "disable_correlation": false, "timestamp": "1466237888", "to_ids": true, "type": "md5", "uuid": "576503c0-f4a0-48ec-9328-412702de0b81", "value": "073c4a79ea91e463662fc6bddc1b86e4" }, { "category": "External analysis", "comment": "TinyLoader update - Xchecked via VT: b30ee5185c7f649da42efabe9512d79adcaa53f3f3647e0025b7c68bf7cc8734", "deleted": false, "disable_correlation": false, "timestamp": "1466237888", "to_ids": false, "type": "link", "uuid": "576503c0-3f80-428c-afce-499b02de0b81", "value": "https://www.virustotal.com/file/b30ee5185c7f649da42efabe9512d79adcaa53f3f3647e0025b7c68bf7cc8734/analysis/1463397647/" }, { "category": "Payload delivery", "comment": "Initial TinyLoader download - Xchecked via VT: 
e5fbfd61b19561a4c35d1f7aa385f4ca73a65adb2610504398e4ca47c109bace", "deleted": false, "disable_correlation": false, "timestamp": "1466237888", "to_ids": true, "type": "sha1", "uuid": "576503c0-f908-4e8a-ad51-420d02de0b81", "value": "8ecc4a4b2ecef4d59928a2a4a2096073358b630c" }, { "category": "Payload delivery", "comment": "Initial TinyLoader download - Xchecked via VT: e5fbfd61b19561a4c35d1f7aa385f4ca73a65adb2610504398e4ca47c109bace", "deleted": false, "disable_correlation": false, "timestamp": "1466237888", "to_ids": true, "type": "md5", "uuid": "576503c0-ceb8-470c-86d4-4fdc02de0b81", "value": "fac14aedb6a7fc0ec24274b0faf3fa43" }, { "category": "External analysis", "comment": "Initial TinyLoader download - Xchecked via VT: e5fbfd61b19561a4c35d1f7aa385f4ca73a65adb2610504398e4ca47c109bace", "deleted": false, "disable_correlation": false, "timestamp": "1466237888", "to_ids": false, "type": "link", "uuid": "576503c0-4d08-44ba-82e4-4e5e02de0b81", "value": "https://www.virustotal.com/file/e5fbfd61b19561a4c35d1f7aa385f4ca73a65adb2610504398e4ca47c109bace/analysis/1465218852/" }, { "category": "Payload delivery", "comment": "Example macro document - Xchecked via VT: 7dc57aef76a1ddb5eef7bfd1a1350e1e951b5f216bfc805f51796545d04d80a0", "deleted": false, "disable_correlation": false, "timestamp": "1466237889", "to_ids": true, "type": "sha1", "uuid": "576503c1-0588-4197-a7c2-483102de0b81", "value": "aa8f7ecefa5a2016abc5772bef0081739bfc592c" }, { "category": "Payload delivery", "comment": "Example macro document - Xchecked via VT: 7dc57aef76a1ddb5eef7bfd1a1350e1e951b5f216bfc805f51796545d04d80a0", "deleted": false, "disable_correlation": false, "timestamp": "1466237889", "to_ids": true, "type": "md5", "uuid": "576503c1-b33c-4bc5-8642-4a6402de0b81", "value": "65cc003a511c398c4aae145e883d0821" }, { "category": "External analysis", "comment": "Example macro document - Xchecked via VT: 7dc57aef76a1ddb5eef7bfd1a1350e1e951b5f216bfc805f51796545d04d80a0", "deleted": false, 
"disable_correlation": false, "timestamp": "1466237889", "to_ids": false, "type": "link", "uuid": "576503c1-8554-46d7-86d5-4a8802de0b81", "value": "https://www.virustotal.com/file/7dc57aef76a1ddb5eef7bfd1a1350e1e951b5f216bfc805f51796545d04d80a0/analysis/1464788426/" } ] } }