Researchers from Arbor Networks have recently documented a new malware family named Soraya. Its point-of-sale component has clear similarities to the older Dexter malware, which infects PoS systems.
The Dexter malware is known for its memory-scraping functionality.
Soraya can likewise steal payment card data from the memory of an infected PoS system and send that data to a remote C2 server.
Online Soraya malware
On the Web side, Soraya can grab payment card data from forms as they’re submitted to sites, something that the Zeus malware family has perfected over the years. The combination of the PoS memory scraping functionality and the form-grabbing feature makes Soraya something new on the malware landscape, Bing said.
The origin of the Soraya malware
The name Soraya is a Persian female name. It may refer to:
- Soraya Tarzi (Wife of King Amanullah Khan of Afghanistan)
- Soraya Esfandiary-Bakhtiari (second wife of Mohammed Reza Pahlavi of Iran), also known as Queen Soraya
Command and Control Communication
Screenshots Soraya malware
Soraya hooks the targeted browser functions by overwriting the function prologue with a PUSH and a RET: the PUSH supplies a new return address and the RET transfers control to it. As an example, this is what a normal, unhooked version of Firefox's nss3!PR_Write looks like in WinDbg.
After Soraya has been injected, the first 6 bytes of the function are overwritten with PUSH 62042h (the address of the intercept function) followed by RET, which returns to that address.
The intercept function at 0x62042 first executes the original PR_Write by calling the stub at 0x640EC, and then checks whether EBX points to the string "POST" at 0x6206A.
The stub at 0x640EC that executes the original PR_Write uses the same technique in reverse: the first 6 bytes saved from the original prologue are executed, and a PUSH/RET then returns into the original function just past the 6 bytes now occupied by the hook.
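The following is an added example, not code from Arbor's report or from Soraya itself. It assembles the two stubs the text describes (the 6-byte PUSH/RET hook written over a prologue, and the trampoline that replays the saved 6 bytes before returning past the hook) and then shows the check a defender would run over a loaded module: does a function's prologue start with `PUSH imm32; RET`? The intercept address 0x62042 is the one quoted above; the function address `PR_WRITE_ADDR` and the prologue bytes are constructed assumptions, not the real nss3!PR_Write. The scanner also recognises the common `JMP rel32` hook, which goes beyond what the page shows.

```python
import struct

# x86 opcodes used by the two hook styles this scanner recognises.
PUSH_IMM32 = 0x68   # PUSH imm32  (5 bytes)
RET        = 0xC3   # RET         (1 byte)
JMP_REL32  = 0xE9   # JMP rel32   (5 bytes), the other common inline-hook prologue

# Assumed values for the demonstration (hypothetical, not taken from the page):
PR_WRITE_ADDR  = 0x10001000
INTERCEPT_ADDR = 0x62042                      # intercept function address quoted in the report
# Constructed 6-byte prologue: push ebp; mov ebp,esp; sub esp,10h (three whole instructions)
CLEAN_PROLOGUE = bytes.fromhex("558BEC83EC10") + bytes.fromhex("5356")  # followed by push ebx; push esi


def build_push_ret(target: int) -> bytes:
    """Assemble the 6-byte 'PUSH target; RET' stub that is written over a prologue."""
    return bytes([PUSH_IMM32]) + struct.pack("<I", target) + bytes([RET])


def build_trampoline(saved_prologue: bytes, func_addr: int) -> bytes:
    """Assemble the stub used to call the original function: replay the 6 saved
    bytes, then PUSH/RET to func_addr + 6, just past the hook. The saved bytes
    must be complete instructions with no relative operands for this to be safe."""
    return saved_prologue[:6] + build_push_ret(func_addr + 6)


def install_hook(prologue: bytes, func_addr: int, intercept_addr: int):
    """Return (hooked prologue bytes, trampoline bytes) for a function."""
    hooked = build_push_ret(intercept_addr) + prologue[6:]
    return hooked, build_trampoline(prologue[:6], func_addr)


def find_inline_hook(prologue: bytes, func_addr: int):
    """Return ('push/ret', target) or ('jmp', target) if the first bytes of a
    function prologue look like an inline hook, else None.

    prologue  - bytes read from the start of the function (at least 6)
    func_addr - the function's own address, needed to resolve a JMP rel32
    """
    if len(prologue) < 6:
        raise ValueError("need at least 6 prologue bytes")
    # Soraya's style: PUSH <intercept addr>; RET  =>  68 xx xx xx xx C3
    if prologue[0] == PUSH_IMM32 and prologue[5] == RET:
        return ("push/ret", struct.unpack_from("<I", prologue, 1)[0])
    # Generalisation: JMP rel32 => E9 xx xx xx xx, displacement relative to the next instruction
    if prologue[0] == JMP_REL32:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return ("jmp", (func_addr + 5 + rel) & 0xFFFFFFFF)
    return None


if __name__ == "__main__":
    hooked, tramp = install_hook(CLEAN_PROLOGUE, PR_WRITE_ADDR, INTERCEPT_ADDR)
    print("hooked prologue :", hooked.hex())
    print("trampoline      :", tramp.hex())
    print("scan clean      :", find_inline_hook(CLEAN_PROLOGUE, PR_WRITE_ADDR))
    print("scan hooked     :", find_inline_hook(hooked, PR_WRITE_ADDR))
```

A legitimate function almost never begins with `PUSH imm32` immediately followed by `RET`, so the byte-5 check keeps false positives low; the same scan applied to the trampoline itself reveals the second PUSH/RET that returns into the original function at `func_addr + 6`.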
The Luhn algorithm applies a simple mod-10 checksum to candidate card numbers so that only valid primary account numbers are kept. Track 1 and track 2 data are then packaged and sent to the command and control (C2) site as a "mode 5" message of Soraya's C2 protocol.
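An added example, not code from the report or from the malware, showing what a memory scraper of this kind is looking for and the Luhn filter it applies: it scans a memory-like buffer for ISO 7813 track 1 (`%B<PAN>^<NAME>^<YYMM><SVC>...?`) and track 2 (`;<PAN>=<YYMM><SVC>...?`) records and keeps only those whose PAN passes the mod-10 check. The buffer and the card numbers in it are constructed test data (4111111111111111 and 5500000000000004 are standard Luhn-valid test numbers); nothing here is a real card.

```python
import re


def luhn_valid(pan: str) -> bool:
    """Mod-10 (Luhn) check: walking from the rightmost digit, double every second
    digit, subtract 9 from doubled values above 9, and require the total to be
    a multiple of 10. PAN lengths outside 12..19 digits are rejected outright."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Track layouts per ISO/IEC 7813, as bytes patterns so they run over raw memory.
TRACK1_RE = re.compile(rb"%B(\d{12,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]{0,40})\?")
TRACK2_RE = re.compile(rb";(\d{12,19})=(\d{4})(\d{3})([^?]{0,40})\?")


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the usual PCI display form) for logging."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrape_tracks(buf: bytes) -> list:
    """Return track 1/2 records found in buf whose PAN passes the Luhn check."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({"track": 1, "pan": pan, "name": m.group(2).decode(),
                         "exp": m.group(3).decode(), "service": m.group(4).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({"track": 2, "pan": pan,
                         "exp": m.group(2).decode(), "service": m.group(3).decode()})
    return hits


# Constructed sample of what a PoS process's memory might contain: two genuine
# track records around binary noise, plus one track-2-shaped string whose PAN
# fails Luhn and must be discarded.
SAMPLE_MEMORY = (
    b"\x00\x00\x00POS-TERMINAL-01\x00"
    + b"%B4111111111111111^DOE/JOHN^25121010000000000?"   # track 1, Luhn-valid test PAN
    + b"\x00\x00\xff"
    + b";5500000000000004=2512101123400001?"              # track 2, Luhn-valid test PAN
    + b"\x00"
    + b";1234567890123456=2512101?"                       # track 2 shape, Luhn-invalid PAN
    + b"\x00END"
)


if __name__ == "__main__":
    for rec in scrape_tracks(SAMPLE_MEMORY):
        print({**rec, "pan": mask_pan(rec["pan"])})
```

The same two patterns, with the Luhn filter, are what a detection engineer can use in reverse: a process that is not the payment application yet reads other processes' memory and produces strings of this shape is behaving like Dexter or Soraya.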
- 1df57b31a4bca7a1c93ecd50bd8fd8bf auth.php
- 67a6bf5b9b23c6588c756c2f2a74635c bot.php
- c3e9d1dda7f1f71b4e1e2ead7c7406dd commands.php
- 515232eb815b7bafab57c7cdca437a7a formgrab.php
- ff8cc2e792a59d068f35cb3eb2ea69bc funcs.php
- b64ea0c3e9617ccd2f22d8568676a325 /inc/GeoIP.dat
- d2ba8b27dc886b36e0e8ec10e013d344 /inc/geoip.inc
- c94285b73f61204dcee5614f91aaf206 login.php
- d9e7f69822821188eac36b82928de2a0 logout.php
- e5dadfff0bc1f2113fedcf4eb3efd02f settings.php
- 22888a7b45adc60593e4fc2fe031be98 statistics.php
- ecf98e76c99f926e09246b02e53f2533 style.css
- 3f391740cbbd9623c4dfb19fb203f5bc trackgrab.php
- ea9a242932dfa03084db3895cf798be5 viewlog.php
Countries infected by the Soraya malware
Infected by the Soraya POS malware
- United States
- Costa Rica
- Russian Federation
- South Africa
- United Kingdom
Of the infected devices observed, the United States accounts for the largest share.
Resources used from: