Home / malware Infostealer.Centerpos
First posted on 30 September 2015.
Source: SymantecAliases :
There are no other names known for Infostealer.Centerpos.
Explanation :
Once executed, the Trojan connects to the following remote location:
[https://]www.dropbox.com/s/ibir4isxow5h9ei/CenterP[REMOVED]
The Trojan downloads one of the following files:
%Windir%\Microsoft.NET\Framework\v2.0.50727\CenterPoint.exe%Windir%\Microsoft.NET\Framework\V3.0\CenterPoint.exe%Windir%\Microsoft.NET\Framework\V3.5\CenterPoint.exe%Windir%\Microsoft.NET\Framework\V4.0.30319\CenterPoint.exe
Next, the Trojan creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CENTERPOINT\"NextInstance" = "1"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CENTERPOINT\0000\"Service" = "CenterPoint"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CENTERPOINT\0000\"Legacy" = "1"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CENTERPOINT\0000\"ConfigFlags" = "0"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CENTERPOINT\0000\"Class" = "LegacyDriver"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CENTERPOINT\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CENTERPOINT\0000\"DeviceDesc" = "CenterPoint"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CENTERPOINT\0000\Control\"*NewlyCreated*" = "0"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CENTERPOINT\0000\Control\"ActiveService" = "CenterPoint"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control\"ActiveService" = "RasMan"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control\"ActiveService" = "TapiSrv"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CenterPoint\"Type" = "10"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CenterPoint\"Start" = "2"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CenterPoint\"ErrorControl" = "1"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CenterPoint\"ImagePath" = "[HEXADECIMAL VALUE]"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CenterPoint\"ObjectName" = "LocalSystem"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CenterPoint\"Description" = "DHCP Handler"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CenterPoint\Security\"Security" = "[HEXADECIMAL VALUE]"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CenterPoint\Enum\"0" = "Root\\LEGACY_CENTERPOINT\\0000"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CenterPoint\Enum\"Count" = "1"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CenterPoint\Enum\"NextInstance" = "1"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\CenterPoint\"EventMessageFile" = "[HEXADECIMAL VALUE]"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Service1\"EventMessageFile" = "[HEXADECIMAL VALUE]"
The Trojan creates a service with the following properties:
Service name: CenterPointImage path: [HEXADECIMAL VALUE]Description: DHCP HandlerStartup type: Automatic
It then creates the following registry subkey to register itself as a service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CenterPoint
The Trojan then scans running processes on the compromised computer for payment card data and sends the stolen information to the following remote location:
[http://]jackkk.com/2kj[REMOVED]Last update 30 September 2015
