Submitted URL: https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/
Effective URL: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-dexter-malware-getting-your-hands-dirty/
THE DEXTER MALWARE: GETTING YOUR HANDS DIRTY

December 13, 2012
Josh Grunzweig
A very interesting piece of malware that targets Point of Sale systems has
recently surfaced in the malware community. As a guy who frequently reverses
malware that targets card data (aka. Track data), this caused me to take notice.
Before I jump into the really interesting bits of the malware, I'd like to offer
a few links to those that have already taken a look at this stuff. Seculert
specifically were the ones that originally discovered, and named, the Dexter
malware.

http://blog.seculert.com/2012/12/dexter-draining-blood-out-of-point-of.html

http://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html

So if you either haven't gotten a chance to read the above articles, or simply
would like a refresher, here's what the malware does in a nutshell.
 * Injects itself into iexplore.exe
 * Ensures the iexplore.exe process restarts in the event that it is manually
   stopped
 * Ensures persistence via writes to the 'Run' registry key
 * Scrapes track data through a very common method
 * Has a command and control structure with a remote host

That last bullet in particular really caught my eye. I can't remember the last
time I saw a piece of malware that targeted Point of Sale systems that had a nice
C&C structure to it. And that is where our story really begins…

So in looking at the underlying assembly of the malware, it becomes apparent that
this sample is planning on talking to as many as seven different domains. It's
also apparent that it's going to communicate over HTTP, via a POST request.
Looking at the traffic that gets generated, we see something similar to the
following:



Now you might be thinking to yourself, "Geez, that's a lot of …stuff". And you'd
be right. So let's break down that nice blob of data that's being sent over the
wire. In total, we see the following ten different variables:

 * page
 * ump
 * unm
 * cnm
 * query
 * spec
 * opt
 * view
 * var
 * val

I'm going to focus on the last variable ('val') first, mainly because it's the
easiest to decode, and because it's one of the most important. We see that 'val'
has a value of 'ZnJ0a2o=', which I'm sure you've all guessed by now is Base64
encoded. Once decoded, we see this value change to 'frtkj'. You might be thinking
that this is also garbage, but it is, in fact, a key that is used to encode the
remaining text in the POST request. Specifically, we see the following occur when
each variable's data is decoded:

 1. The data is Base64 decoded
 2. Each character in the decoded string is XORed sequentially against each
    character of the key we previously identified. In Ruby, it looks something
    like this:

("A".ord ^ "f".ord ^ "r".ord ^ "t".ord ^ "k".ord ^ "j".ord).chr  # XOR the byte against each key character in turn

This results in the original content.

Knowing how this works, we can whip up a quick script to decode the entire string.



We can now easily determine what a number of the variables we discovered actually
contain.

 * page: Mutex string
 * ump: Track data
 * unm: Username
 * cnm: Hostname
 * query: Victim OS
 * spec: Processor type
 * opt: Unknown
 * view: List of all running processes on the victim
 * var: Some unique string. Appears to be constant for this sample
 * val: Random key that changes every time the malware restarts

So at this point we can see how the malware is communicating outbound to its
master. However, that's only half of the puzzle. How is the malware receiving
commands?

Well, the answer to that question comes in the form of the response Cookie.
Specifically, the malware will set the 'response' cookie using the same technique
(only in reverse) that we just witnessed. So basically, the server takes the key
from before, XORs each byte of the string against each character in the key, and
Base64 encodes it. Dexter will then parse this data, and look for one of the
following variables:

 * update- (Updates the malware with the specified argument)
 * checkin: (alters the delay between times the malware attempts to make POST
   requests to the master host)
 * scanin: (alters the delay between times the malware scrapes memory for
   track data)
 * uninstall (completely removes the malware)
 * download- (downloads and executes the specified argument)

I should point out that each variable has to start with the character '$' in
order for the malware to look at it. We can see how these variables are checked
in the following decompiled code:
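To make the whole scheme concrete in both directions, here is an added Ruby decoder that I am including here; it is not the quick script from the original post and not Dexter's own code. It follows the steps described above: the key is recovered from 'val', each other POST variable is Base64 decoded and XORed against every character of the key, and the 'response' cookie is handled the same way in reverse, honouring a command only when the decoded text starts with '$'. It assumes the POST body is an ordinary form-urlencoded string and that the cookie value is Base64 over the XORed text. The key 'frtkj' (Base64 'ZnJ0a2o=') is the one from the post; every other sample value is constructed for the demonstration.

```ruby
# Added example, not the original post's script and not Dexter's code. Decodes
# Dexter's POST variables and parses a '$'-prefixed command from the 'response'
# cookie, following the scheme described in the post. Assumptions: the POST
# body is ordinary application/x-www-form-urlencoded, and the cookie value is
# Base64 over the XORed text. The key 'frtkj' comes from the post; all other
# sample values below are constructed.
require 'base64'
require 'uri'

# XOR every byte of data against each byte of the key in turn, exactly as the
# post describes ("A".xor("f").xor("r")...). XOR is its own inverse, so one
# routine serves both the client-side decode and the server-side encode.
def dexter_xor(data, key)
  data.each_byte.map { |b| key.each_byte.reduce(b) { |acc, k| acc ^ k } }.pack('C*')
end

# 'val' carries the key as plain Base64 with no XOR layer on top.
def dexter_key(val)
  Base64.decode64(val)
end

# Client -> server direction: Base64 decode, then XOR against the key.
def decode_field(encoded, key)
  dexter_xor(Base64.decode64(encoded), key)
end

# Server -> client direction (the same steps in reverse): XOR, then Base64.
def encode_field(plain, key)
  Base64.strict_encode64(dexter_xor(plain, key))
end

# Decode every variable of a captured POST body. The key is taken from 'val',
# so a body without 'val' cannot be decoded and raises KeyError.
def decode_post(body)
  params = URI.decode_www_form(body).to_h
  key = dexter_key(params.fetch('val'))
  params.each_with_object({}) do |(name, value), out|
    out[name] = name == 'val' ? key : decode_field(value, key)
  end
end

# Command prefixes the post lists for the decoded 'response' cookie.
COMMANDS = %w[update- checkin: scanin: uninstall download-].freeze

# Returns { command:, argument: } or nil. The post notes that a variable is only
# honoured when it starts with '$', so anything else is ignored here too.
def parse_command(cookie_value, key)
  text = decode_field(cookie_value, key)
  return nil unless text.start_with?('$')
  body = text[1..-1]
  cmd = COMMANDS.find { |c| body.start_with?(c) }
  return nil unless cmd
  { command: cmd, argument: body[cmd.length..-1] }
end

# Constructed sample: a POST body shaped like the one an infected host would send.
def build_sample_post(key)
  fields = {
    'page'  => 'SAMPLE-MUTEX',      # constructed mutex string
    'unm'   => 'alice',             # constructed username
    'cnm'   => 'POS-REGISTER-01',   # constructed hostname
    'query' => 'Windows 7 SP1',     # constructed OS string
    'var'   => 'sample-constant'    # constructed per-sample constant
  }
  pairs = fields.map { |name, value| [name, encode_field(value, key)] }
  pairs << ['val', Base64.strict_encode64(key)]
  URI.encode_www_form(pairs)
end

if __FILE__ == $PROGRAM_NAME
  key = dexter_key('ZnJ0a2o=')   # 'frtkj', as in the post
  decode_post(build_sample_post(key)).each { |name, value| puts "#{name}: #{value}" }
  p parse_command(encode_field('$checkin:300', key), key)
end
```

Because XOR with a fixed key is its own inverse, the single dexter_xor routine handles both the beacon and the cookie; note also that XORing against every key character in sequence collapses to XOR with one byte (the XOR of all key characters), which is why the "encryption" is so easy to strip once 'val' is known. Running decode_post over a captured body gives you the plaintext fields in one step, and parse_command on the decoded cookie tells you which of the five commands (if any) the server issued.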



So at this point we can get a pretty clear picture of how this malware operates
over the wire. The details of how this malware has gotten on these victim
machines is still unclear, but please ensure that you are taking the necessary
precautions to protect your system, with a special emphasis on Point of Sale
boxes. Because really, nobody wants to become Dexter's next victim.

