Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Author Archive - Trend Micro Senior Threat Researchers

    We have been able to identify a new point-of-sale (PoS) malware family that has affected more than 100 victim organizations in Brazil. We have dubbed this new malware family as “FighterPOS”. This name is derived from BRFighter, the tool used by the author to create this new threat. This one-man operation has been able to steal more than 22,000 unique credit card numbers.

    Its creator appears to have had a long history in carding, payment scams, and malware creation; in addition we believe that this malware author acted independently and without any accomplices or associates. FighterPOS is not cheap. It is currently priced at 18 bitcoins (currently worth around US$5,250). However, its control panel is well-designed and it supports a wide variety of features that may be useful to attackers.

    This blog post outlines the behavior of FighterPOS, with more technical details available in our paper entitled FighterPOS: The Anatomy and Operation of a New POS Malware Campaign.


    At first glance, the advertisement is not particularly unusual. What piqued our interest was the professional nature of the ad and the malware’s supported features.

    Figure 1. Advertisement selling FighterPOS
    (Click to enlarge)

    The control panel and malware is currently being sold for 18.3823 BTCs, or roughly US$5,250. While this may seem expensive, the opportunity to make that money back is relatively easy. The buyer could potentially resell each credit card received right away, or use it at a later time. If the buyer wants an additional executable and panel instance, the author charges an additional US$800.

    Figure 2. FighterPOS Control Panel

    The author, who went by the username cardexpertdev, clearly stated in the ad that the executable is not fully undetectable (FUD), stating that the individual will need to use a crypting service to ensure the malware is undetectable by antivirus scanners. This is common when PoS malware is created, and crypting services are traditionally required to bypass many defensive security controls.

    FighterPOS was not the only product related to credit card fraud that cardexpertdev was selling. He was also selling credit card numbers, EMV chip recorders, and other similar fraud-related products and tools to other cybercriminals.


    Data obtained from the C&C servers indicate that FighterPOS has infected approximately 113 PoS terminals, more than 90% of which were found in Brazil. Evidence of system infection in other countries, including the United States, Mexico, Italy, and the United Kingdom was also found.

    Figure 3. Distribution of FighterPOS-affected machines

    Together, the infected systems have sent 22,112 unique credit card dumps for a single month (late February to early April) to the FighterPOS operator. Many of the victims of FighterPOS are users of Linx MicroVix or Linx POS systems – both popular software suites in Brazil.

    FighterPOS Functionality

    The functionality of FighterPOS is similar to other PoS malware families we’ve seen in the past. It is capable of collecting credit card track 1, track 2, and CVV codes. The malware also contains a RAM scraping functionality, commonly seen in many PoS malware families. Additionally, its keylogger functionality allows the attacker to log all keystrokes on the infected terminal. The code for the RAM scraping functionality is similar to that found in NewPosThings.

    Two malware samples that gained our attention were IE.exe (MD5 hash: 55fb03ce9b698d30d946018455ca2809, detected as TSPY_POSFIGHT.SM) and IEx.exe (MD5 hash: 55fb03ce9b698d30d946018455ca2809), which both connect to the C&C server located at hxxp://

    Both of the samples are written in Visual Basic 6. Although Visual Basic 6 is considered outdated and antiquated, applications written in this language still work, even on fully patched systems.

    One may ask why a “new” PoS malware family is built on such an old platform as Visual Basic. We believe that this is because FighterPOS code is not entirely new. Instead, the vnLoader malware (designed for botnets) was modified to add PoS-specific features. It retains its botnet-oriented capabilities, which include:

    • Malware auto-update
    • File download and execution
    • Sending out credit card data
    • Sending out keylogged data
    • Layer 7 or layer 4 DDoS attacks

    The DDoS capability effectively turns this POS family into a very flexible and attractive tool for prospective buyers.


    FighterPOS is a full-featured piece of malware, carefully developed using strong encryption. It supports multiple ways to talk with its C&C infrastructure. Its keylogging capabilities allow for DDoS attacks and gaining full control of victim machines. We currently estimate that each infected machine sends back ten new credit card numbers to the attackers.

    We are continuously evaluating this threat, and are still performing research not only on the malware family, but also the C&C infrastructure. For endpoint monitoring and validation for possibly active infections, Trend Micro Deep Discovery Inspector can use indicators of compromise, C&C servers and sites listed below.

    Indicators of Compromise

    SHA1 MD5 Compile Time (UTC) Size (in bytes) DDI Detection
    b0416d389b0b59776fe4c4ddeb407239 2/4/2015 21:29 618,496 TSPY_POSFIGHT.SM
    e3db204be71efe8a41d949f2d3fdfa18 3/27/2015 23:01 618,496 TSPY_POSFIGHT.SM
    e29d9560b6fcc14290f411eed9f4ff4f 9/8/2014 17:37 143,360 HTTP Download Executable File
    55fb03ce9b698d30d946018455ca2809 2/10/2015 17:55 618,496 TSPY_POSFIGHT.SM
    6cb50f7f2fe6f69ee8613d531e816089 11/24/2014 17:21 178,688 TSPY_POSFIGHT.B
    e647b892e3af16db24110d0e61a394c8 3/4/2015 20:54 618,496 TSPY_POSFIGHT.SM
    7b011dea4cc53c1099365e0b5dc23558 2/21/2015 13:37 618,496 TSPY_POSFIGHT.SM
    af15827d802c01d1e972325277f87f0d 1/28/2015 12:06 614,400 TSPY_POSFIGHT.SM
    361b6fe6f602a771956e6a075d3c3b78 12/19/2014 0:53 581,632 TSPY_POSFIGHT.SM
    b99cab211df20e6045564b857c594b71 2/4/2015 16:37 618,496 TSPY_POSFIGHT.SM

    We have seen the following C&C servers and sites in use:

    • 69[dot]195[dot]77[dot]74
    • ctclubedeluta[dot]org
    • msr2006[dot]biz
    • sitefmonitor[dot]com
    Posted in Bad Sites | Comments Off on One-Man PoS Malware Operation Captures 22,000 Credit Card Details in Brazil

    The Andromeda botnet is still active in the wild and not yet dead. In fact, it’s about to undergo a major update real soon. This botnet was first reported back in 2011 but has recently risen to prominence due to the latest modifications in the threat.

    Initially, this project to update Andromeda was about to die but the botnet’s author found a successor (even though he did not officially retire). Here is the author’s previous post, which basically says that if no buyer is found to take over the software, the service will be discontinued.

    Online Post on Underground Forum

    Just recently, however, we’ve uncovered that there is an ongoing development in the Andromeda botnet. This latest announcement was posted just recently and basically says that Andromeda code is going to be updated heavily. They suspended the sales of plug-ins to focus more on developing the new version. Here is the rough translation of the post (it’s in Russian) about what this major update:

    Currently suspended sales of all plug-ins.
    The project is undergoing a global modernization. In the near future will happen a few important but not visible changes:
    1. Will update the admin principal. Externally, will remain the same, but the principle of storage change that will reduce the load.
    2. All plugins will undergo fundamental changes both in format and structure. Those who wrote plugins for andromeda, need to ping waahoo for further informations.
    3. why such a change? First of all – it fixes bugs and flaws found, secondly because of the bugs found that have to completely change the approach to plug-ins that have this pain in the ass and should not not pop up in future.
    4. I’m not going on vacation for a long time. On the work of Andromeda or its purchases – please contact the author of the project

    Rootkit and socks5, which are popular plugins, are also now free of charge. Previously, the rootkit was sold $300 and $1000 for socks5 with BackConnect. BackConnect is a plug-in used to turn an infected machine into a SOCKS5 proxy — it allows the criminal to control the infected machine directly via infected machine IP and a random port.

    As of this writing, there is no definite date on when the new version will come out. But once implemented, this latest version of Andromeda is expected to be more stable and powerful than the previous ones and may come with more plug-ins.

    Posted in Botnets | Comments Off on Andromeda Botnet Gets an Update

    After Liberty Reserve’s shutdown, small or big–time cybercriminals had to scurry for an alternative currency. Some cybercriminals exclusively used Liberty Reserve (LR) as an e-currency to fuel their businesses, but its sudden shutdown took the underground scene by surprise. While many of them had a hard time believing this was indeed happening, others thought that LR would be back any time soon.

    To respond to this event, some online crooks had to find an immediate alternative (which they did). Based on what we’ve been seeing around underground forums, these guys are now jumping onto the BitCoin bandwagon, as they feel it is a more secure way to buy and sell their products and services.  However, there are still skeptics who doubt BitCoin’s security and think that it can still be taken down by law enforcement agencies.

    Screen Shot 2013-07-11_1

    Sample underground forum post

    As mentioned in our previous blog, other e-currencies such as Perfect Money and Web Money are getting more popular in the underground scene, giving bad guys more ways to get paid. If you have an account for each e-currency mentioned above, you can pretty much buy whatever you like from anyone. And in case you don’t have the right e-currency you can still use an exchanger.

    Based on our research on several underground forums, here are the most preferred e-currencies used:

    • Perfect Money (PM)
    • BitCoin (BTC)
    • Web Money (WM)

    LiteCoin (LTC) is starting to get some interest, but still limited due to the fact that LiteCoin are not as portable as Bitcoin. Russian cybercriminals accept more currencies such as yandex money, liqpay, qiwi.

    As it was expected, cyber criminals quickly found other ways to continue their operation, even though some of them lost money due to Liberty Reserve take down. It is hard to determine how much the underground economy suffered, but it never did completely stop their operations.


    Ransomware is a nasty scam that infiltrates your computer and tricks you into thinking that you’ve done something wrong. Police ransomware in particular informs users that they need to pay their local police a fine.

    We have written detailed reports about these attacks in the past, including multiple blog posts as part of our investigations into this ongoing threat.

    Trend Micro threat researchers have been studying this scam throughout 2012 and have collaborated very closely with law enforcement authorities  in several European countries, especially in Spain. Today, we are very happy to report that the Spanish Police has put the information to good use, and they have just announced in a press conference the arrest of one of the head members of the cybercriminal gang that produces the Ransomware strain known as REVETON.

    Read the rest of this entry »


    The Police Ransomware is not a new threat but has been evolving at a tremendous pace. Here we are talking about Trojans which don’t let the victims use their computer until they pay a “fine” for doing naughty things. To do this, they impersonate local police forces by using the infected user’s regional settings – in other words, they use the victim’s local language and the logos of their country’s police.

    Last October, I published a new paper on the subject that touched less on the technical part of the attack and more on the financial side. When I talk about this topic, a lot of people often ask me: how are these Eastern European cybercriminal outfits able to keep using the same fancy payment methods? Can’t we follow the money trail? Well, not really.

    The use of online vouchers as a method of payment for the scam has allowed these gangs to completely hide any money trail. This is an intriguing topic in itself, so I recommend you to check it out whether you’re a techie or just interested in the evolution of cybercrime. I wrote the paper for Virus Bulletin, which was held in Dallas last September, although my colleague Loucif Kharouni covered for me for the actual presentation. I finally did present it at B-Sides Sao Paulo in October, and you can find a video recording of that talk here. We have previously released paper on this particular series of attacks, which you can read here.

    If you think this is something interesting and want to know more about it, why don’t you download the paper and give it a read?

    Posted in Malware | 1 TrackBack »


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice