Abaddon POS malware targets PoS terminals
The Dell SonicWALL Threats Research team has observed reports of a new POS malware family, detected as GAV: Abaddon.POS, actively spreading in the wild. Abaddon POS scrapes the memory of running processes to retrieve credit card data during its scan.
Infection Cycle:
MD5:
5bf979f90307bac11d13be3031e4c6f9 Detected as GAV: Abaddon.POS (Trojan)
The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Chrome" = "%Userprofile%\Malware.exe"
Abaddon POS retrieves a list of running processes and periodically scrapes the memory of those processes on the infected machine for credit card information.
The malware tries to enumerate credit card data from POS software. To walk the process list and read process memory, it uses Windows API functions such as:
CreateToolhelp32Snapshot
Process32First
Process32Next
OpenProcess
Here is an example of the malware scraping process memory:
The malware tries to verify candidate credit card numbers and then sends this information in encrypted form to one of its C&C servers, such as the following:
91.234.34.44
50.7.138.138
149.154.64.167
5.8.60.23
176.114.0.165
Command and Control (C&C) Traffic
Abaddon POS performs C&C communication over port 20970.
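As an added example (not part of the original advisory), the two network indicators above, the C&C addresses and port 20970, can be turned into a simple detection over firewall connection logs. The log line format and the log lines themselves are constructed for this example; the IP addresses and port are the ones reported above.

```python
import re

# C&C IP addresses and port reported for Abaddon POS in the advisory above.
ABADDON_C2_IPS = {"91.234.34.44", "50.7.138.138", "149.154.64.167",
                  "5.8.60.23", "176.114.0.165"}
ABADDON_C2_PORT = 20970

# Constructed firewall log lines in a hypothetical key=value format; not real traffic.
SAMPLE_LOGS = """\
2015-11-03T10:12:01 src=10.1.5.22 dst=91.234.34.44 dport=20970 proto=tcp action=allow
2015-11-03T10:12:02 src=10.1.5.22 dst=172.217.0.46 dport=443 proto=tcp action=allow
2015-11-03T10:12:05 src=10.1.5.40 dst=203.0.113.9 dport=20970 proto=tcp action=allow
2015-11-03T10:12:07 src=10.1.5.40 dst=198.51.100.7 dport=80 proto=tcp action=allow
2015-11-03T10:12:09 src=10.1.5.22 dst=5.8.60.23 dport=8080 proto=tcp action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def classify(line):
    """Return an alert dict if the line matches an Abaddon POS C&C indicator, else None.

    Two independent indicators are checked: destination address in the published
    C&C list, and destination port 20970 regardless of address (catches new C&C hosts).
    """
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line: skip it rather than abort the whole scan
    dst, dport = m.group("dst"), int(m.group("dport"))
    reasons = []
    if dst in ABADDON_C2_IPS:
        reasons.append("known Abaddon POS C&C address")
    if dport == ABADDON_C2_PORT:
        reasons.append("Abaddon POS C&C port 20970")
    if not reasons:
        return None
    return {"ts": m.group("ts"), "src": m.group("src"), "dst": dst,
            "dport": dport, "reasons": reasons}

def scan_logs(text):
    """Scan a block of log text and return the alerts in order of appearance."""
    return [a for a in (classify(l) for l in text.splitlines()) if a]

if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        print(alert)
```

Denied connections are reported as well, since a blocked beacon still identifies an infected host worth examining.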
The malware sends the stolen credit card information to its C&C server in the following format; here are some examples:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
GAV: Abaddon.POS
GAV: Abaddon.POS_2
Here is a list of samples we identified: