ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > List all tools > List all groups using tool Soraya

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: Soraya

NamesSoraya
CategoryMalware
TypePOS malware, Reconnaissance, Credential stealer
Description(Trend Micro) Soraya is a Dexter-and-Zeus-inspired PoS RAM scraper variant first discovered in June 2014. It is custom-packed to obfuscate its code and to make it difficult for security researchers to reverse-engineer its binary. When first executed, Soraya injects its code into several running processes. It borrowed tricks from ZeuS and hooks the NtResumeThread API, which is called by Windows to execute new processes. It then injects its code into all newly created processes. It also copies itself to the %APPDATA% directory and adds itself to an Auto Start runkey to remain persistent.
Information<https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf>
<https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper>
<https://www.arbornetworks.com/blog/asert/the-best-of-both-worlds-soraya/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.soraya>

Last change to this tool card: 25 May 2020

Download this tool card in JSON format

All groups using tool Soraya

ChangedNameCountryObserved

Unknown groups

 _[ Interesting malware not linked to an actor yet ]_ 

1 group listed (0 APT, 0 other, 1 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]