A malicious program designed to attack ATMs of one popular payment system in Russia. It is distributed as a dynamic-link library via infected flash drives and droppers.
Using the DllUnregisterServer function, the Trojan registers itself under the name Taskbar in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry branch, which is responsible for autorun. Then, with the help of the DllRegisterServer function, the Trojan attempts to find the running maratl.exe process. If the attempt fails, Trojan.PWS.OSMP.21 initiates a routine to infect flash drives. If the process is detected, the malicious program tries to retrieve the config\config.dat file and the logs from the folder containing the corresponding executable file. In addition, the Trojan gathers information about the hard drive. Subsequently, all the data is transmitted in encrypted form to the cybercriminals' server using a POST request. If the data transfer is successful, the Trojan deletes itself.
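A triage check for the autorun entry described above, as an added example that is not part of the original description: it parses saved `reg query` output and reports any value named Taskbar under a CurrentVersion\Run key. The sample output, its paths, the DLL name and the regsvr32 command line are constructed assumptions; the value name is the only indicator the description gives, so a hit is a lead to verify, not a verdict.

```python
import re

RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")

# Constructed sample of `reg query` output; paths and file names are invented.
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\kiosk\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Taskbar    REG_SZ    regsvr32.exe /s /u "C:\Users\kiosk\AppData\Roaming\example.dll"

HKEY_CURRENT_USER\Software\Example\Settings
    Taskbar    REG_SZ    visible
'''

def parse_reg_query(text):
    """Yield (key, name, type, data) for every value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):      # key header line, e.g. HKEY_USERS\<SID>\...
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m["name"], m["type"], m["data"]

def find_taskbar_autoruns(text):
    """Return Run-key values named 'Taskbar' (the name given in the description)."""
    hits = []
    for key, name, _type, data in parse_reg_query(text):
        if not key.lower().endswith(RUN_SUFFIX):
            continue                      # same value name outside a Run key is ignored
        if name.strip().lower() != "taskbar":
            continue
        hits.append({
            "key": key,
            "data": data,
            # The Trojan ships as a DLL, so a DLL path in the command raises priority.
            "references_dll": ".dll" in data.lower(),
        })
    return hits

if __name__ == "__main__":
    for hit in find_taskbar_autoruns(SAMPLE):
        print(hit)
```

Because the Trojan deletes itself after a successful upload, an empty result on a host does not rule out an earlier infection.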