What's 4k in Real Money? (presented at Hacktivity 2018)

by Robert Neumann

URL : https://www.youtube.com/watch?v=2_mFU0yL0cA&t=0s&list=PLbrZ_OVEaffK2bi8mmSHAFiZ3YXUSktSO&index=9

Summary : In the early years of computer science, size did matter. The same rule applied to malware samples as well, even into the 21st century. Broadband connections were not yet available to the masses, and people still crafted pure assembly code, either for performance optimization or to reduce the size of the compiled executable.

Fast forward to the second decade of the century and things look vastly different. Few people are interested in performance optimizations (outside of embedded systems), and even fewer care about the compiled size of a malicious payload: there is hardly any noticeable difference between transferring 100 KB or 10 MB across a modern Internet connection.

A recent investigation into POS (Point of Sale) malware revealed two interesting facts: first, size can still be a factor today, and there are malicious actors who prefer simplified (yet effective) code; and second, stealing credit card information the old-fashioned way unfortunately still works. What at first seemed to be a mere copycat sample reusing legacy code ultimately turned out to be both an evolutionary step and, at the same time, the base for something completely different.

This talk will focus on the inner workings of a particularly interesting series of samples which appear to have been hand-crafted to minimize their size. In the course of this, we will compare the functionality of active POS campaigns, explain why they can still be effective despite stricter security policies and increased EMV card (i.e. chip-and-PIN) usage, and look at how parts of the code have been reused to deliver other malware such as the XMRig miner.