Black marketed Windows banking & POS Trojan Minerva turns in-the-wild

10309990_1418461665091456_1542203837_oThe path from the creation of malicious program to its delivery onto victims’ computers is long nowadays and involves many different players with the same goal – to make a financial gain. Malware authors usually offer their software to cyber criminals who in turn distribute it via underground forums. This is the how they keep their anonymous status. We have previously seen many famous malicious programs start this way. In the past, the Russian banking Trojan Carberp was heavily advertised on shady forums. In the beggining of the year an attempt to sell a new ransomware called Prison Locker was reported. Last year we blogged about Trojan Solarbot which choose to promote itself through a well designed website, appearing very official. However, we don’t always know all the details about every piece of malware, from the code to how it is being distributed. The Trojan dubbed “i2Ninja” for example made headlines last year, but we never received a real sample containing all the functionalities the media reported on. Or do you remember the Hand of Thief Trojan for Linux desktops? Its variant for the Android platform was also advertised, but again, we never encountered it in our Virus Lab. These advertisements could have lacked the real code behind them or may have gone under in the pile of cyberthreats. In March 2013 a new banking Trojan dubbed Minerva was introduced on a Russian forum. We will see that it is awfully successful in what it promised to do. minerva_advertisement


The Minerva Bot is primarily a banking Trojan based on its form grabbing capabilities. Supported commands promoted in the advertisement (vweb & vstealth for visiting web site; update & down for new malware downloads) are visible in the resources of the binary: minerva_features

Jungle of POS Trojans

Here is a brief summary on the malware in this area:

Nickname Reference Sample
Tibrun AlienVault C1FAB4A0B7F4404BAF8EAB4D58B1F821
Dexter ArborNetworks 759154D20849A25315C4970FE37EAC59
Nemanja InterCrawler N/A
RetalixScrapper/Locotout BAE Systems C09AE408DB653BA612AC7E8D3055C52B
Alina/Alinaos SpiderLabs 590F5F7755EB95934272B04C9AF7AE99
VSkimmer/Hesetox Xylitol A99D5D1652DFCDA190C3D412828DCF6D
Decebal InterCrawler 8DEFB55EBF17D32827F314592130F416
BlackPOS KrebsOnSecurity 97E66704D0B51051669BFED8F36C9D77
JackPOS/Juspos SpiderLabs 88E721F62470F8BD267810FBAA29104F

Recently we have pointed out that most ATMs are running Windows XP. The Target attack was performed by a Trojan containing the string “KARTOXA” (means potato in Russian) that is connected to many similar point of sales (POS) Trojans (BlackPOS, VSkimmer/Hesetox etc). The Minerva Bot is often distributed with some of these POS Trojans, e.g. Alina, JackBot, VSkimmer, etc.

Minerva Bot’s Structure

This Trojan was very likely written directly in assembly, because it contains only one section .text with both 32-bit and 64-bit code. Its form grabbing functionality is the core of the modules. However, the POS stealing feature is a part of the x86 module only. minerva_structure The value of the code segment (CS ) register is tested. If the code runs in 32-bit WOW64 process then CS equals 0×23 and the switch to 64-bit code becomes available in the DecideArchitecture procedure. The mode of the process is then double-checked by calling on the IsWow64Process API function. before_32to64bitswitch The switch between x86 and x64 execution is performed by the retf instruction with two arguments on the stack: the segment selector (0×33) and the 64-bit address (0x40C3E1). The internals behind this far jump execution is explained here. 32to64bitswitch

C&C panel Soraya

There is a Command & Control panel available for a botnet operator. The panel itself together with statistics of origin of stolen data are provided in the blogpost by ArborNetworks. 02


Thanks to my colleague, Jaromír Ho?ejší, for cooperation on this analysis. The front picture was created by the independent digital artist Veronika Begánová.


Minerva custom packed 1191DE406316DA641887F9E8D2631D8D06 1212BC6C2CEBDA051596BC16559A8D Win32:Rysaoa-B [Cryp]
Minerva Bot 21708D2BA64A626F06842CAAA642FF3433B C9E2C040663D9181BA2BAB3BA2FF3 Win32:Rysaoa-A [Trj]

Leave a Reply