Last week security researchers from Arbor Networks released a report on the Soraya POS malware. The report included various hashes and other values that allowed researchers to investigate Soraya, but Arbor Networks did not include the source code of the Soraya POS malware. The Soraya POS malware they found shares similarities with the Dexter and Zeus families.
The Soraya Source code
The security researchers at RedSocks (The Netherlands) have done a quick sweep of the Soraya malware. We had some contact with the RedSocks company, as they are experienced malware hunters, and we asked them if they could provide additional information on the Soraya POS malware.
The RedSocks security researchers provided incredibly valuable information about the Soraya POS malware. They were able to find the ‘Soraya source code’.
Take a look at the following screenshots, which were taken from a malicious Soraya POS malware server.
The cybercriminals behind the Soraya malware are using WordPress environments to host the Soraya command-and-control (C&C) malware.
If you are a security researcher and you want to have a copy of the ‘Soraya source code’, then send us a message via the contact form. We will respond as soon as possible.
Do include the following information in the request:
- Company name
- Reason why you need the files
- Location of the company