BlackPOS: Targets Point Of Sale Malware Version 2

October 3, 2014

The Dell Sonicwall Threats Research team observed reports of a POS bot family named GAV: BlackPOS.B actively spreading in the wild. This is the new Variant of Popular Target Data Breach Gav: BlackPOS.A last December as well as the breach at Home Depot earlier this month.

These variations have been seen as far back as February 2013 and continue to operate as September 2014. BlackPOS malware typically has the capability such as scraping memory to retrieve Credit Card Data more efficiently by ignoring specific processes during its scan.

Infection Cycle:

Md5: b57c5b49dab6bbd9f4c464d396414685

The Trojan adds the following files to the system:

%SystemRoot%t.bat [Executable Bat file]

%SystemRoot%McTrayErrorLogging.dll [Contains Data scrapped from memory]

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:


The Trojan has the multi command Functions such as following arguments:

Usage: -[start|stop|install|uninstall]

The Trojan has an exclusion list that functions to ignore certain system processes; it gathers track data by scanning the memory of the all running processes except for the following List:

The dropper t.bat copies the contents of McTrayErrorLogging.dll to t:tempdotnetNDP45-KB2737084-x86.exe. Its used Net Commands on Cmd.exe to open a shared machine using a specific user to transfer the file. It contains the following commands:

POS Memory Scraping:

BlackPOS retrieve all processes lists; one of the injected malicious code threads is responsible for scraping the memory of active non-system processes on the infected machine for credit card information periodically.

The malware tries to Enumerate Credit Card Data from POS Software, for enumerate POS process attackers uses API functions calls such as following APIs list:

  • CreateToolhelp32Snapshot
  • Process32First
  • Process32Next
  • OpenProcess
  • ReadProcessMemory

Here is an Example of Credit Card Number Captured by Malware

Here is Encrypted data format saved into McTrayErrorLogging.dll

The Malware contains URL links referring to the United States involvement in political conflicts around the world

Command and Control (C&C) Traffic

BlackPOS has the C&C communication over port 445. Uses requests to statically defined IP/Domains are made on a regular basis. These requests such as the following:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • BlackPOS.B