Malware attacking POS systems

Jump to navigation Jump to search

(Publication) Google search: [1]

Malware attacking POS systems
Botnet Dexter
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
Date 2012 / 2012-12-19
Editor/Conference Hexacorn
Link (Archive copy)
Author Adam Blaszczyk


Recently there has been quite a lot of technical posts about RAM scrappers targeting Point Of Sale (POS) systems i.e. malware stealing track data directly from memory of the systems involved in processing of credit cards within the Payment Card Industry (PCI). I am speaking – of course – about Dexter malware. You can find selected (good, technical and informative) articles covering this particular malware here: Verizon, Seculert, Volatility Labs, Trustwave.

It’s good to see that the actual samples are now being either shared publicly or at least discussions about their internals are becoming available for a public eye. Xylitol is definitely leading here as he has been talking about this topic and specific samples a few times this year (example here and here), and sporadically, some of the PFI companies write a blog or two, or present their findings on security conferences. One thing worth to mention here is that some ‘juicy’ knowledge about specific RAM scraping samples has been shared many times in the past, but it has never gained as much exposure as it probably should e.g. many hashes of RAM scrapers have been mentioned in public advisories from card schemes e.g. here, here, and here. Still, access to the actual samples is very limited plus the hashes of samples keep changing (they are often recompiled for each new compromise).


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR1270,
   editor = {Hexacorn},
   author = {Adam Blaszczyk},
   title = {Malware attacking POS systems},
   date = {19},
   month = Dec,
   year = {2012},
   howpublished = {\url{}},