
Rewterz Threat Alert – TinyPOS Attack Combines New Techniques for Card Scraping

May 28, 2020

Severity

Medium

Analysis Summary

Researchers have analyzed a piece of malware used to scrape credit card data at the point of sale (PoS). Using a previously seen malware family together with living-off-the-land techniques, the threat group has compromised several PoS terminals. The attackers use PsExec and compromised credentials to implant a pair of files on three separate PoS systems: a PowerShell script saved as a batch file, and an image file. Several such pairs, in differing combinations, have been discovered. Although the pairs and the specific tools and techniques differ, the basic functionality is the same. The batch file loads the image file's contents into memory, and the script injects the image data into its own process. Raw shellcode is appended to the PNG file in order to gain access; this shellcode is a variant of the TinyPOS family. A file is created to store the scraped credit card data, which is then uploaded to a C2 server in an encoded form.

[Figure 1: image not included in this copy of the advisory]

Impact

Data Disclosure

Indicators of Compromise

MD5

  • 9e56cd1c62a11b3f6f789da56cfe581d
  • 2146d62b2be5b4ec04cd297c4e3094d1

SHA-256

  • 15712752daf007ea0db799a318412478c5a3a315a22932655c38ac6485f8ed00
  • e48af0380d51eff554d56aabeeb5087bba37fa8fb02af1ccd155bb8b5079edae

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
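The two remediation steps above amount to a hash sweep plus a structural check for the technique described in the analysis (shellcode appended to a PNG). The following script is an added example, not tooling from the advisory or from Rewterz: it walks a directory tree, compares each file's MD5 and SHA-256 against the IoC hashes listed above, and flags any PNG that carries data after its IEND chunk. The hash sets are the advisory's IoCs; the temporary directory, the minimal 1x1 PNG and the appended string are constructed sample inputs so the script runs offline, and the function names are the example's own.

```python
import hashlib
import os
import struct
import tempfile
import zlib

# IoC hashes taken from the advisory above (lowercase hex).
IOC_MD5 = {
    "9e56cd1c62a11b3f6f789da56cfe581d",
    "2146d62b2be5b4ec04cd297c4e3094d1",
}
IOC_SHA256 = {
    "15712752daf007ea0db799a318412478c5a3a315a22932655c38ac6485f8ed00",
    "e48af0380d51eff554d56aabeeb5087bba37fa8fb02af1ccd155bb8b5079edae",
}

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def file_hashes(path):
    """Return (md5, sha256) hex digests, streaming so large files are fine."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def png_trailing_bytes(data):
    """Walk the PNG chunk list and return the number of bytes after IEND.

    A well-formed PNG ends exactly at the IEND chunk. Trailing data is not
    proof of malice on its own, but it matches the appended-shellcode
    pattern described in the analysis. Returns -1 for non-PNG or
    truncated input.
    """
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # 8-byte header + payload + 4-byte CRC
        if end > len(data):
            return -1
        if ctype == b"IEND":
            return len(data) - end
        pos = end
    return -1


def scan_tree(root):
    """Return a list of (path, reason) findings for files under root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            md5, sha = file_hashes(path)
            if md5 in IOC_MD5 or sha in IOC_SHA256:
                findings.append((path, "hash matches advisory IoC"))
            with open(path, "rb") as fh:
                data = fh.read()
            if data.startswith(PNG_SIG):
                extra = png_trailing_bytes(data)
                if extra > 0:
                    findings.append((path, f"{extra} bytes after PNG IEND"))
    return findings


def build_minimal_png(trailing=b""):
    """Construct a tiny valid 1x1 RGB PNG (constructed sample, not an IoC)."""
    def chunk(ctype, payload):
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one RGB pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + trailing


def demo():
    """Build a temp tree with a clean PNG and one with appended bytes, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "clean.png"), "wb") as fh:
            fh.write(build_minimal_png())
        with open(os.path.join(tmp, "suspect.png"), "wb") as fh:
            fh.write(build_minimal_png(b"CONSTRUCTED-TRAILING-DATA"))
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

Run it against a PoS host's image directories rather than the temp tree by calling `scan_tree("/path/to/check")`; the trailing-bytes check is intentionally reported separately from the hash hits, since some legitimate tools also write metadata after IEND and each such finding should be reviewed rather than blocked automatically.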
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.