52.151.96.240
Public Scan
Submitted URL: https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/
Effective URL: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-dexter-malware-getting-your-hands-dirty/
Submission: On June 23 via api from US — Scanned from GB
Form analysis
8 forms found in the DOM
GET /en-us/search/
<!-- Mobile header search: GET /en-us/search/?q=<query>; a read-only query, so no state-changing CSRF surface. -->
<!-- NOTE(review): the inline oninput= handler needs 'unsafe-inline' or 'unsafe-hashes' under a
     script-src CSP. It hands the raw query to autoSuggest(), which presumably renders results into
     #suggestresults below; whether that rendering escapes server-returned suggestions is not
     visible here - confirm before relying on it against reflected XSS. `q` resolves through the
     form's named-property scope to this input (name="q"), not to the desktop input with id="q";
     that works today but breaks silently if either name changes. -->
<!-- _lpchecked="1" is most likely a password-manager extension artifact from the scanning
     browser, not site markup. -->
<form oninput="autoSuggest(q.value)" method="get" target="_self" action="/en-us/search/" _lpchecked="1" data-hs-cf-bound="true">
<div class=" site-header-search-mobile" id="search-box">
<i class="fe fe-search text-darkest"></i>
<!-- placeholder is the only label; autocomplete="off" keeps queries out of browser autofill -->
<input id="search" value="" type="text" class="form-control" name="q" placeholder="Search trustwave.com" autocomplete="off">
<div id="search-bar">
<!-- suggestion list that autoSuggest() fills; empty in this capture -->
<ul class="ul-list list-unstyled result-list" id="suggestresults"></ul>
</div>
</div>
</form>
GET /en-us/search/
<!-- Desktop header search: same GET /en-us/search/?q=<query> endpoint as the mobile form, with no inline handlers. -->
<form method="get" target="_self" action="/en-us/search/" data-hs-cf-bound="true">
<div class="site-header-search-main">
<i class="fe fe-search text-darkest"></i>
<!-- id="q" also exposes this input as window.q; placeholder is the only label (no <label>) -->
<input type="text" class="form-control form-control-lg" id="q" name="q" placeholder="Search trustwave.com">
</div>
</form>
<!-- "Request a demo" modal (navigation variant). The actual fields are rendered client-side by
     HubSpot into the iframe below; portalId / formId / sfdcCampaignId are public embed
     identifiers, not secrets. -->
<!-- NOTE(review): this outer <form> has no action or method, so a native submit of anything placed
     inside it would GET the current URL with field values in the query string. Only HubSpot's own
     submit handling should ever fire here. -->
<form id="navdemo-form" class="modal pt-9" style="max-height:90vh; width:90%; margin:auto 0;" data-hs-cf-bound="true">
<!-- NOTE(review): third-party script loaded protocol-relative with no integrity/crossorigin. It
     resolves to https on this https page, but write https:// explicitly; SRI is only workable if
     the vendor serves a version-pinned bundle. -->
<script charset="utf-8" type="text/javascript" src="//js.hsforms.net/forms/embed/v2.js"></script>
<!-- inline script: requires 'unsafe-inline' or a nonce/hash under a script-src CSP -->
<script data-hubspot-rendered="true">
hbspt.forms.create({
region: "na1",
portalId: "21158977",
formId: "92358282-9e9e-4fe6-a21f-c30c1e55336d",
sfdcCampaignId: "7016e0000020JvOAAU"
});
</script>
<!-- iframe populated by the HubSpot script; it carries no sandbox attribute, so it runs with
     whatever privileges the embed grants - its contents were not captured in this scan -->
<div id="hbspt-form-78ace515-2adc-4c98-b70e-a43d0c1855c3" class="hbspt-form" data-hs-forms-root="true"><iframe id="hs-form-iframe-0" class="hs-form-iframe" title="Form 0" scrolling="no" width="100%"
style="position: static; border: none; display: block; overflow: hidden; width: 100%;"></iframe></div>
</form>
<!-- "Request a demo" modal (first of two instances). HubSpot renders the real fields into the
     iframe below; the identifiers passed to hbspt.forms.create() are public embed parameters. -->
<!-- NOTE(review): id="demo-form" is reused by the next modal form on this page, so
     document.getElementById('demo-form') only ever reaches this one; the duplicate id is invalid
     HTML and a latent bug for any script that targets the second instance. -->
<!-- NOTE(review): no action/method on this <form>; a native submit would GET the current URL. -->
<form id="demo-form" class="modal" data-hs-cf-bound="true">
<!-- NOTE(review): protocol-relative third-party script, no integrity/crossorigin; prefer an explicit https:// URL -->
<script charset="utf-8" type="text/javascript" src="//js.hsforms.net/forms/embed/v2.js"></script>
<!-- inline script: needs 'unsafe-inline' or a nonce/hash under CSP -->
<script data-hubspot-rendered="true">
hbspt.forms.create({
region: "na1",
portalId: "21158977",
formId: "cfc901a2-eafd-46d4-a988-cdec75f02fd1",
sfdcCampaignId: "7016e0000020JvOAAU"
});
</script>
<!-- HubSpot-populated iframe, no sandbox attribute; contents not captured in this scan -->
<div id="hbspt-form-7d29e574-a2da-41a9-8559-98e140daa0f0" class="hbspt-form" data-hs-forms-root="true"><iframe id="hs-form-iframe-1" class="hs-form-iframe" title="Form 1" scrolling="no" width="100%"
style="position: static; border: none; display: block; overflow: hidden; width: 100%;"></iframe></div>
</form>
<!-- "Request a demo" modal (second instance, same HubSpot formId cfc901a2-... as the previous one,
     so the same HubSpot form is embedded twice on this page). -->
<!-- NOTE(review): duplicate id="demo-form" - an earlier form on this page already uses it, so
     getElementById() and fragment links never reach this element. -->
<!-- NOTE(review): no action/method on this <form>; a native submit would GET the current URL. -->
<form id="demo-form" class="modal pt-9" style="max-height:90vh; width:90%; margin:auto 0" data-hs-cf-bound="true">
<!-- NOTE(review): protocol-relative third-party script, no integrity/crossorigin; prefer an explicit https:// URL -->
<script charset="utf-8" type="text/javascript" src="//js.hsforms.net/forms/embed/v2.js"></script>
<!-- inline script: needs 'unsafe-inline' or a nonce/hash under CSP -->
<script data-hubspot-rendered="true">
hbspt.forms.create({
region: "na1",
portalId: "21158977",
formId: "cfc901a2-eafd-46d4-a988-cdec75f02fd1",
sfdcCampaignId: "7016e0000020JvOAAU"
});
</script>
<!-- HubSpot-populated iframe, no sandbox attribute; contents not captured in this scan -->
<div id="hbspt-form-c21b32c8-b7f1-4c98-9f9d-4278c2f09983" class="hbspt-form" data-hs-forms-root="true"><iframe id="hs-form-iframe-3" class="hs-form-iframe" title="Form 3" scrolling="no" width="100%"
style="position: static; border: none; display: block; overflow: hidden; width: 100%;"></iframe></div>
</form>
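<!-- "Become a partner" modal. HubSpot renders the real fields into the iframe below; the
     identifiers passed to hbspt.forms.create() are public embed parameters, not secrets. -->
<!-- Fixes: the class was "pt=9" (a typo - the sibling modals use the "pt-9" spacing utility, so
     the padding never applied here), and the embed script URL is now an explicit https:// URL
     instead of protocol-relative (identical on this https page, safe if the page is ever served
     over http). -->
<!-- NOTE(review): no action/method on this <form>; a native submit would GET the current URL with
     any field values in the query string. Only HubSpot's submit handling should fire here. -->
<form id="partner-form" class="modal pt-9" style="max-height:90vh; width:90%; margin:auto 0" data-hs-cf-bound="true">
<!-- NOTE(review): third-party script with no integrity/crossorigin; SRI is only workable if the
     vendor serves a version-pinned bundle. -->
<script charset="utf-8" type="text/javascript" src="https://js.hsforms.net/forms/embed/v2.js"></script>
<!-- inline script: needs 'unsafe-inline' or a nonce/hash under a script-src CSP -->
<script data-hubspot-rendered="true">
hbspt.forms.create({
region: "na1",
portalId: "21158977",
formId: "de7ea1d6-a749-4248-88db-dc813310bec6",
sfdcCampaignId: "7016e0000020A3BAAU"
});
</script>
<!-- HubSpot-populated iframe, no sandbox attribute; contents not captured in this scan -->
<div id="hbspt-form-aa6e491a-b187-427d-9dfc-cc2326ff097e" class="hbspt-form" data-hs-forms-root="true"><iframe id="hs-form-iframe-2" class="hs-form-iframe" title="Form 2" scrolling="no" width="100%"
style="position: static; border: none; display: block; overflow: hidden; width: 100%;"></iframe></div>
</form>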
POST https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/21158977/68741a11-8e56-4f23-ba7f-b2307e77714c
<!-- Newsletter "SUBSCRIBE" form exactly as HubSpot rendered it into the DOM (captured markup, not
     authored source). It POSTs multipart/form-data cross-origin to forms.hsforms.com with the
     hidden iframe at the bottom as target, so the page itself never reads the response.
     novalidate turns off the browser's native type="email" check; validation is left to HubSpot's
     script and server. -->
<form id="hsForm_68741a11-8e56-4f23-ba7f-b2307e77714c" method="POST" accept-charset="UTF-8" enctype="multipart/form-data" novalidate=""
action="https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/21158977/68741a11-8e56-4f23-ba7f-b2307e77714c"
class="hs-form-private hsForm_68741a11-8e56-4f23-ba7f-b2307e77714c hs-form-68741a11-8e56-4f23-ba7f-b2307e77714c hs-form-68741a11-8e56-4f23-ba7f-b2307e77714c_fb12f478-4ffb-4ba0-a519-5465ac4aa7db hs-form stacked"
target="target_iframe_68741a11-8e56-4f23-ba7f-b2307e77714c" data-instance-id="fb12f478-4ffb-4ba0-a519-5465ac4aa7db" data-form-id="68741a11-8e56-4f23-ba7f-b2307e77714c" data-portal-id="21158977" data-hs-cf-bound="true">
<!-- Email field. The <label> holds only an empty <span>, so the control's accessible name comes
     from the placeholder alone. -->
<div class="hs_email hs-email hs-fieldtype-text field hs-form-field"><label id="label-email-68741a11-8e56-4f23-ba7f-b2307e77714c" class="" placeholder="Enter your " for="email-68741a11-8e56-4f23-ba7f-b2307e77714c"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="email-68741a11-8e56-4f23-ba7f-b2307e77714c" name="email" placeholder="Business Email" type="email" class="hs-input" inputmode="email" autocomplete="email" value=""></div>
</div>
<div class="hs_submit hs-submit">
<div class="hs-field-desc" style="display: none;"></div>
<div class="actions"><input type="submit" class="hs-button primary large" value="SUBSCRIBE"></div>
<!-- NOTE(review): hs_context below is client-assembled JSON submitted alongside the email: the
     hutk visitor token (also embedded in __hstc), user agent, page URL/title, a correlation id,
     captchaStatus "NOT_APPLICABLE" (no bot challenge on this form as captured) and a client-side
     debug log. Every value is attacker-controllable, so it is attribution data at best, never
     identity. The inner double quotes appear unescaped in this capture; in the live DOM
     serialization they must be &quot; for the attribute to parse. -->
</div><input name="hs_context" type="hidden"
value="{"embedAtTimestamp":"1687527208587","formDefinitionUpdatedAt":"1674512136291","lang":"en","embedType":"REGULAR","renderRawHtml":"true","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.133 Safari/537.36","pageTitle":"The Dexter Malware: Getting Your Hands Dirty | Trustwave | SpiderLabs | Trustwave","pageUrl":"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-dexter-malware-getting-your-hands-dirty/","isHubSpotCmsGeneratedPage":false,"hutk":"49da852de09cf1c1b8d8e40cc8cd7457","__hsfp":3485376358,"__hssc":"94548739.1.1687527211770","__hstc":"94548739.49da852de09cf1c1b8d8e40cc8cd7457.1687527211769.1687527211769.1687527211769.1","formTarget":"#hbspt-form-fb12f478-4ffb-4ba0-a519-5465ac4aa7db","locale":"en","timestamp":1687527211790,"originalEmbedContext":{"portalId":"21158977","formId":"68741a11-8e56-4f23-ba7f-b2307e77714c","region":"na1","target":"#hbspt-form-fb12f478-4ffb-4ba0-a519-5465ac4aa7db","isBuilder":false,"isTestPage":false,"isPreview":false,"isMobileResponsive":true},"correlationId":"fb12f478-4ffb-4ba0-a519-5465ac4aa7db","renderedFieldsIds":["email"],"captchaStatus":"NOT_APPLICABLE","emailResubscribeStatus":"NOT_APPLICABLE","isInsideCrossOriginFrame":false,"source":"forms-embed-1.3339","sourceName":"forms-embed","sourceVersion":"1.3339","sourceVersionMajor":"1","sourceVersionMinor":"3339","_debug_allPageIds":{},"_debug_embedLogLines":[{"clientTimestamp":1687527208759,"level":"INFO","message":"Retrieved pageContext values which may be overriden by the embed context: {\"pageTitle\":\"The Dexter Malware: Getting Your Hands Dirty | Trustwave | SpiderLabs | Trustwave\",\"pageUrl\":\"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-dexter-malware-getting-your-hands-dirty/\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.133 
Safari/537.36\",\"isHubSpotCmsGeneratedPage\":false}"},{"clientTimestamp":1687527208761,"level":"INFO","message":"Retrieved countryCode property from normalized embed definition response: \"GB\""},{"clientTimestamp":1687527211786,"level":"INFO","message":"Retrieved analytics values from API response which may be overriden by the embed context: {\"hutk\":\"49da852de09cf1c1b8d8e40cc8cd7457\"}"}]}"><iframe
name="target_iframe_68741a11-8e56-4f23-ba7f-b2307e77714c" style="display: none;"></iframe>
<!-- hidden iframe above is the submission target; it keeps the cross-origin POST from navigating the page -->
</form>
<!-- Eighth form: empty, no fields, no action/method. data-hs-cf-bound="true" is stamped on every
     form in this capture by a script not shown here (presumably a form-binding hook); this one is
     most likely a placeholder left by that script. Harmless as captured, but confirm it is
     intentional rather than a half-rendered widget. -->
<form data-hs-cf-bound="true"></form>
Text Content
THE DEXTER MALWARE: GETTING YOUR HANDS DIRTY — December 13, 2012 — Josh Grunzweig. A very interesting piece of malware that targets Point of Sale systems has recently surfaced in the malware community. As a guy who frequently reverses malware that targets card data (a.k.a. track data), this caused me to take notice. Before I jump into the really interesting bits of the malware, I'd like to offer a few links to those that have already taken a look at this stuff. Seculert specifically were the ones that originally discovered, and named, the Dexter malware. http://blog.seculert.com/2012/12/dexter-draining-blood-out-of-point-of.html http://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html So if you either haven't gotten a chance to read the above articles, or simply would like a refresher, here's what the malware does in a nutshell.
* Injects itself into iexplore.exe * Ensures the iexplore.exe process restarts in the event that it is manually stopped * Ensures persistence via writes to the 'Run' registry key * Scrapes track data through a very common method * Has a command and control structure with a remote host That last bullet in particular really caught my eye. I can't remember the last time I saw a piece of malware that targeted Point of Sale systems that had a nice C&C structure to it. And that is where our story really begins… So in looking at the underlying assembly of the malware, it becomes apparent that this sample is planning on talking to as many as seven different domains. It's also apparent that it's going to communicate over HTTP, via a POST request. Looking at the traffic that gets generated, we see something similar to the following: [traffic screenshot omitted from this text capture] Now you might be thinking to yourself, "Geez, that's a lot of …stuff". And you'd be right. So let's break down that nice blob of data that's being sent over the wire. In total, we see the following ten different variables: * page * ump * unm * cnm * query * spec * opt * view * var * val I'm going to focus on the last variable ('val') first, mainly because it's the easiest to decode, and because it's one of the most important. We see that 'val' has a value of 'ZnJ0a2o=', which I'm sure you've all guessed by now is Base64 encoded. Once decoded, we see this value change to 'frtkj'. You might be thinking that this is also garbage, but it is, in fact, a key that is used to encode the remaining text in the POST request. Specifically, we see the following occur when each variable's data is decoded: 1. The data is Base64 decoded 2. Each character in the decoded string is XORed sequentially against each character of the key we previously identified. In Ruby, it looks something like this: "A".xor("f").xor("r").xor("t").xor("k").xor("j") This results in the original content. (Note that XORing a byte against every key character in turn is the same as XORing it once with the single byte f^r^t^k^j, so despite the five-character key this is effectively a one-byte XOR — and the key itself is sent in the clear in 'val' anyway.) Knowing how this works, we can whip up a quick script to decode the entire string.
[decoder script screenshot omitted from this text capture] We can now easily determine what a number of the variables discovered actually contain. * page: Mutex string * ump: Track data * unm: Username * cnm: Hostname * query: Victim OS * spec: Processor type * opt: Unknown * view: List of all running processes on the victim * var: Some unique string. Appears to be constant for this sample * val: Random key that changes every time the malware restarts So at this point we can see how the malware is communicating outbound to its master. However, that's only half of the puzzle. How is the malware receiving commands? Well, the answer to that question comes in the form of the response Cookie. Specifically, the C&C server sets a 'response' cookie in its HTTP reply, encoded using the same technique (only in reverse) that we just witnessed. So basically, the server takes the key from before, XORs each byte of the string against each character in the key, and Base64 encodes it. Dexter will then parse this data, and look for one of the following variables: * update- (updates the malware with the specified argument) * checkin: (alters the delay between times the malware attempts to make POST requests to the master host) * scanin: (alters the delay between times the malware scrapes memory for track data) * uninstall (completely removes the malware) * download- (downloads and executes the specified argument) I should point out that each variable has to start with the character '$' in order for the malware to look at it. We can see how these variables are checked in the following decompiled code: [decompiled code screenshot omitted from this text capture] So at this point we can get a pretty clear picture of how this malware operates over the wire. The details of how this malware has gotten on these victim machines are still unclear, but please ensure that you are taking the necessary precautions to protect your system, with a special emphasis on Point of Sale boxes. Concretely, the behaviours described above — code injected into iexplore.exe, a 'Run' key persistence entry, outbound HTTP POSTs carrying these ten Base64-encoded parameters, and '$'-prefixed commands returned in a 'response' cookie — are the detection points this analysis supports. Because really, nobody wants to become Dexter's next victim.