LockPoS Malware Adopts Injection Technique to Evade Detection
POS Software
09-01-2018 00:00:00

LockPoS, a point-of-sale malware program discovered in 2017 that steals payment card data from computers' memory, is now using a new code injection technique designed to bypass antivirus hooks and evade detection.


Hod Gabriel, malware analyst at Cyberbit, reported in a company blog post that LockPoS uses three main routines – all of which are exported from ntdll.dll, a core Windows dynamic link library file – in order to inject malicious code into a remote process. The three routines used are: NtCreateSection, NtMapViewOfSection, and NtCreateThreadEx.


The technique is reportedly similar to that used by Flokibot POS malware, which shares the same botnet used for distribution – except LockPoS uses different API calls for the injection.


Gabriel said that one technique "involves creating a section object in the kernel using NtCreateSection, calling NtMapViewOfSection to map a view of that section into another process, copying code into that section and creating a remote thread using NtCreateThreadEx or CreateRemoteThread to execute the mapped code."


“This new malware injection technique suggests a new trend could be developing of using old sequences in a new way that makes detection difficult. Most EDR [Endpoint Detection and Response] and next-gen antivirus products already monitor the Windows functions in user mode. But in Windows 10, the kernel space is still guarded, so kernel functions can't be monitored,” Gabriel said.
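
The call sequence Gabriel describes can be treated as a correlation problem on the defender's side. The following Python is an added example, not code from Cyberbit's post or from this article: it flags a process that creates a section, maps a view of it into a different process, and then starts a thread in that process at an address inside the mapped view. The event schema, field names, PIDs and addresses are constructed for illustration, and it assumes a sensor that reports these calls.

```python
from collections import defaultdict

# Constructed sample events in a hypothetical normalized schema (assumption:
# some sensor reports these calls; field names are not any product's format).
EVENTS = [
    {"ts": 1, "pid": 4120, "op": "NtCreateSection", "section": "S1"},
    {"ts": 2, "pid": 4120, "op": "NtMapViewOfSection", "section": "S1",
     "target_pid": 4120, "base": 0x2A0000, "size": 0x4000},
    {"ts": 3, "pid": 4120, "op": "NtMapViewOfSection", "section": "S1",
     "target_pid": 1388, "base": 0x7D0000, "size": 0x4000},
    {"ts": 4, "pid": 4120, "op": "NtCreateThreadEx",
     "target_pid": 1388, "start": 0x7D0120},
    # Benign pattern: section mapped and thread started in the caller only.
    {"ts": 5, "pid": 900, "op": "NtCreateSection", "section": "S2"},
    {"ts": 6, "pid": 900, "op": "NtMapViewOfSection", "section": "S2",
     "target_pid": 900, "base": 0x310000, "size": 0x1000},
    {"ts": 7, "pid": 900, "op": "NtCreateThreadEx",
     "target_pid": 900, "start": 0x310040},
    # Remote thread whose start address is not inside a view mapped by the caller.
    {"ts": 8, "pid": 2200, "op": "CreateRemoteThread",
     "target_pid": 1388, "start": 0x500000},
]
THREAD_OPS = {"NtCreateThreadEx", "CreateRemoteThread"}

def find_section_injection(events, window=60):
    """Flag create-section -> remote map -> remote thread chains per source pid."""
    created = defaultdict(dict)       # src pid -> {section id: creation ts}
    remote_views = defaultdict(list)  # (src, target) -> [(base, end, section, ts)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, op = ev["pid"], ev["op"]
        if op == "NtCreateSection":
            created[src][ev["section"]] = ev["ts"]
        elif op == "NtMapViewOfSection":
            tgt, sec = ev["target_pid"], ev["section"]
            if tgt != src and sec in created[src]:  # view placed in another process
                remote_views[(src, tgt)].append(
                    (ev["base"], ev["base"] + ev["size"], sec, created[src][sec]))
        elif op in THREAD_OPS and ev["target_pid"] != src:
            for base, end, sec, t0 in remote_views[(src, ev["target_pid"])]:
                # Thread entry point must fall inside the remotely mapped view.
                if base <= ev["start"] < end and ev["ts"] - t0 <= window:
                    alerts.append({"source_pid": src, "target_pid": ev["target_pid"],
                                   "section": sec, "thread_op": op})
    return alerts

if __name__ == "__main__":
    print(find_section_injection(EVENTS))
```

The `window` parameter bounds the time between section creation and thread start, so a stale section created long before an unrelated remote thread does not raise an alert.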

-K Ramanathan ram@justransact.com
