BernhardPOS

Description

(securitykitten) What makes BernhardPOS stand out is the use of code that continues to evade AV detection. Between manually resolving imports when they are needed and inserting junk code between legit operations, this malware stays successfully hidden. It manually encodes the strings that it needs to in order to evade a simple string based rule. And it doesn’t heavily pack or encrypt itself in a way that would set off high entropy rules. In most network scenarios, DNS is a port left wide open due to machines needing to communicate with one another and the larger Internet. Leveraging DNS allows the malware authors to not worry about being blocked by a firewall or hindered by network restrictions.

Names

Name
BernhardPOS

Type

POS malware
Credential stealer

Information

https://securitykitten.github.io/2015/07/14/bernhardpos.html

Malpedia

https://malpedia.caad.fkie.fraunhofer.de/details/win.bernhardpos

Alienvault Otx

https://otx.alienvault.com/browse/pulses?q=tag:BernhardPOS

Other Information

Uuid

62b627d6-4c4a-490e-b864-da5487b0b56e

Last Card Change

2020-05-24

Threat Intelligence Garden

Explorer

BernhardPOS

BernhardPOS

Description

Names

Category

Type

Information

Malpedia

Alienvault Otx

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks