This analysis is provided by Wapack Labs as part of an ongoing analysis of POS exploits in the wake of the recent widespread retailer breaches.
Please, enjoy!
Download the full report.
Executive Summary:
Hackers often use automated tools to generate malware. This report summarizes two cracked Point of Sale (POS) “malware builders” obtained by Wapack Labs in January 2014. The first is identified as a VSkimmer variant and the second as BlackPOS. Both builders were cracked by French white-hat hacker Xylitol[1]. This report also provides protocol details and signatures for the analyzed specimens and the payloads generated by the respective builder kits.
Wapack Labs analyzed both builders in one report because of a common thread: they’re both weaponized using the same backdoor. It is possible that, in both cases, this backdoor serves as an additional channel for acquiring stolen credit card data.