Point-of-Sales Soraya malware

POS Soraya malware

Researchers from Arbor Networks have recently discovered a new variant of the Zeus malware. The point-of-sales Soraya malware has some similarities to the older Dexter malware, which infects PoS systems.

The Dexter malware is known for its memory scraping functionality.

Soraya has the ability to steal payment card information from memory and then send that data off to a remote C2 server.

Online Soraya malware

On the Web side, Soraya can grab payment card data from forms as they are submitted to websites, something that the Zeus malware family has perfected over the years. The combination of the PoS memory scraping functionality and the form-grabbing feature makes Soraya something new on the malware landscape, Bing said.

The origin of the Soraya malware

The name Soraya is a Persian female name. It may refer to:

  • Soraya Tarzi (wife of King Amanullah Khan of Afghanistan)
  • Soraya Esfandiary-Bakhtiari (second wife of Mohammed Reza Pahlavi of Iran), also known as Queen Soraya

Command and Control Communication

Screenshots Soraya malware

MD5 hashes of the Soraya C2 panel files

  • 1df57b31a4bca7a1c93ecd50bd8fd8bf auth.php
  • 67a6bf5b9b23c6588c756c2f2a74635c bot.php
  • c3e9d1dda7f1f71b4e1e2ead7c7406dd commands.php
  • 515232eb815b7bafab57c7cdca437a7a formgrab.php
  • ff8cc2e792a59d068f35cb3eb2ea69bc funcs.php
  • b64ea0c3e9617ccd2f22d8568676a325 /inc/GeoIP.dat
  • d2ba8b27dc886b36e0e8ec10e013d344 /inc/geoip.inc
  • c94285b73f61204dcee5614f91aaf206 login.php
  • d9e7f69822821188eac36b82928de2a0 logout.php
  • e5dadfff0bc1f2113fedcf4eb3efd02f settings.php
  • 22888a7b45adc60593e4fc2fe031be98 statistics.php
  • ecf98e76c99f926e09246b02e53f2533 style.css
  • 3f391740cbbd9623c4dfb19fb203f5bc trackgrab.php
  • ea9a242932dfa03084db3895cf798be5 viewlog.php
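The hashes above are of the PHP files that make up the Soraya command-and-control panel, so they are most useful for checking a web server (for example a hosting provider's abuse team or an incident responder with a disk image) rather than a PoS endpoint. The following script is an added example, not code from the original post or from Arbor Networks: it walks a directory tree, computes the MD5 of every file, and reports any file whose digest is in the indicator list above. The `demo_scan` function builds a constructed sample file in a temporary directory so the scanner can be exercised offline; it is a hypothetical self-test, not a real sample.

```python
"""Added example: match files on disk against the Soraya panel MD5 indicators."""
import hashlib
import os
import tempfile

# MD5 indicators copied from the page (Soraya C2 panel files), keyed by digest.
SORAYA_PANEL_MD5 = {
    "1df57b31a4bca7a1c93ecd50bd8fd8bf": "auth.php",
    "67a6bf5b9b23c6588c756c2f2a74635c": "bot.php",
    "c3e9d1dda7f1f71b4e1e2ead7c7406dd": "commands.php",
    "515232eb815b7bafab57c7cdca437a7a": "formgrab.php",
    "ff8cc2e792a59d068f35cb3eb2ea69bc": "funcs.php",
    "b64ea0c3e9617ccd2f22d8568676a325": "/inc/GeoIP.dat",
    "d2ba8b27dc886b36e0e8ec10e013d344": "/inc/geoip.inc",
    "c94285b73f61204dcee5614f91aaf206": "login.php",
    "d9e7f69822821188eac36b82928de2a0": "logout.php",
    "e5dadfff0bc1f2113fedcf4eb3efd02f": "settings.php",
    "22888a7b45adc60593e4fc2fe031be98": "statistics.php",
    "ecf98e76c99f926e09246b02e53f2533": "style.css",
    "3f391740cbbd9623c4dfb19fb203f5bc": "trackgrab.php",
    "ea9a242932dfa03084db3895cf798be5": "viewlog.php",
}


def md5_of_file(path, chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_for_iocs(root, indicators=SORAYA_PANEL_MD5):
    """Walk `root` and return (path, md5, indicator_name) for every match.

    Matching is on the digest only, not the file name, so a renamed panel
    file is still caught; a modified file is not, which is the usual limit
    of hash-based indicators.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the scan
            if digest in indicators:
                hits.append((path, digest, indicators[digest]))
    return hits


def demo_scan():
    """Constructed self-test (hypothetical data, not a real Soraya sample).

    Writes one file whose digest is added to the indicator set and one benign
    file, then returns the (basename, indicator) pairs the scanner flagged.
    """
    with tempfile.TemporaryDirectory() as tmp:
        flagged = os.path.join(tmp, "bot.php")
        with open(flagged, "wb") as fh:
            fh.write(b"<?php // constructed sample, not real malware\n")
        benign = os.path.join(tmp, "index.html")
        with open(benign, "wb") as fh:
            fh.write(b"<html>benign</html>\n")
        indicators = dict(SORAYA_PANEL_MD5)
        indicators[md5_of_file(flagged)] = "constructed-sample"
        hits = scan_for_iocs(tmp, indicators)
        return [(os.path.basename(p), ioc) for p, _digest, ioc in hits]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, ioc in scan_for_iocs(target):
        print(f"MATCH {path} md5={digest} indicator={ioc}")
```

Run it as `python scan.py /var/www` (path is an assumption) to check a document root. Because MD5 matching only finds byte-identical copies of the published panel files, treat a hit as a strong signal and a miss as no information; on a suspected host, also review web-server logs for the panel file names listed above.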

Countries infected by the Soraya malware


Countries infected by the Soraya POS malware:

  • Panama
  • Canada
  • Brazil
  • United States
  • Mexico
  • Costa Rica
  • Poland
  • Russian Federation
  • South Africa
  • United Kingdom

As you can see in the image above, the United States holds the most Soraya-infected devices.

Sources:

  • http://threatpost.com/soraya-malware-packs-form-grabbing-memory-scraping-functionality/106427
  • http://www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/