A new point-of-sale (POS) malware, ‘LogPOS,’ has been detected by two researchers at an Ohio-based security firm. The malware evades detection by injecting code into other processes; that injected code acts as a client and hands stolen credit card data back to the malware, which sends it on to its command and control (C&C) server.
The technique relies on Microsoft Windows mailslots, which are not new, but this is the first POS malware variant found using them. A mailslot is a one-way inter-process communication mechanism: one process creates the mailslot and acts as the server, and any number of client processes can write messages to it.
According to Microsoft’s Dev Center, “The apps can store information in a mailslot. The possessor of the mailslot can retrieve those messages which are stored there.”
Nick Hoffman and Jeremy Humble, the two researchers at the Ohio-based security firm ‘Morphick’ who found the malware, said LogPOS’s executable creates a mailslot, which acts as the server. The code it injects into various processes acts as a client and transfers card data to the mailslot, from which the malware then sends it to the C&C.
The way the multitasking malware created the mailslot and injected code jumped out to the researchers “almost immediately,” according to Hoffman.
Unlike other types of POS malware such as Backoff, LogPOS does not write the card data it finds in processes to a log file. The malware injects its scanning code into many processes, each of which searches its own memory, and those processes cannot all hold the same file open for writing at the same time; so each one writes what it finds to the mailslot instead, Threatpost reports.
Assuming it can create the mailslot, the malware compares running processes against a whitelist, injects code into the matching processes, scans their memory for credit card data, validates it, sends it to the mailslot and then onward to a remote site.
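The collector topology described above, as an added PowerShell example that is not Morphick’s code, not LogPOS, and not taken from the article: the script creates a mailslot and plays the server role, then starts two background jobs (separate powershell.exe processes) that stand in for the injected clients; each job scans a constructed buffer for track-2 style card data, Luhn-validates every hit and posts the valid ones to the mailslot, which the server drains. The mailslot name, the buffers, the card numbers and the `Slot` P/Invoke wrapper are assumptions of this example, and the Luhn check is assumed as the “validates it” step because the article does not say how LogPOS validates what it finds. Windows only.

```powershell
# Added example, not LogPOS and not Morphick's code: a benign re-creation of the
# mailslot collector. Main script = server (owner of the mailslot); background
# jobs = the injected clients. Name, buffers and PANs are constructed for the demo.
$Win32 = @'
using System;
using System.Runtime.InteropServices;
public static class Slot {
  [DllImport("kernel32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
  public static extern IntPtr CreateMailslot(string name, uint maxMsg, uint readTimeout, IntPtr sa);
  [DllImport("kernel32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
  public static extern IntPtr CreateFile(string name, uint access, uint share, IntPtr sa,
                                         uint disposition, uint flags, IntPtr template);
  [DllImport("kernel32.dll", SetLastError=true)]
  public static extern bool WriteFile(IntPtr h, byte[] buf, uint n, out uint written, IntPtr ov);
  [DllImport("kernel32.dll", SetLastError=true)]
  public static extern bool ReadFile(IntPtr h, byte[] buf, uint n, out uint read, IntPtr ov);
  [DllImport("kernel32.dll", SetLastError=true)]
  public static extern bool GetMailslotInfo(IntPtr h, IntPtr maxMsg, out uint nextSize,
                                            out uint count, IntPtr timeout);
  [DllImport("kernel32.dll", SetLastError=true)]
  public static extern bool CloseHandle(IntPtr h);
}
'@
Add-Type -TypeDefinition $Win32

# Server side: create the mailslot. readTimeout 0 means ReadFile never blocks.
$SlotName = 'demo_collector'   # constructed name; a real sample would use its own
$Server = [Slot]::CreateMailslot("\\.\mailslot\$SlotName", 0, 0, [IntPtr]::Zero)
if ($Server.ToInt64() -eq -1) { throw "CreateMailslot failed ($([Runtime.InteropServices.Marshal]::GetLastWin32Error()))" }

# Client side: runs in a separate process per "scanned" buffer.
$Client = {
  param($Src, $SlotName, $Buffer)
  Add-Type -TypeDefinition $Src
  function Test-Luhn([string]$n) {            # standard PAN checksum, used to validate hits
    $sum = 0; $dbl = $false
    for ($i = $n.Length - 1; $i -ge 0; $i--) {
      $d = [int]$n[$i] - 48
      if ($dbl) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
      $sum += $d; $dbl = -not $dbl
    }
    return ($sum % 10) -eq 0
  }
  # Track-2 shape ";PAN=YYMM...?" is the kind of pattern a memory scraper matches on.
  $hits = @([regex]::Matches($Buffer, ';(\d{13,19})=\d{4}\d*\?') |
            Where-Object { Test-Luhn $_.Groups[1].Value } |
            ForEach-Object { $_.Groups[1].Value })
  # Open the mailslot for write: GENERIC_WRITE, FILE_SHARE_READ, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL.
  $h = [Slot]::CreateFile("\\.\mailslot\$SlotName", 0x40000000, 1, [IntPtr]::Zero, 3, 0x80, [IntPtr]::Zero)
  if ($h.ToInt64() -eq -1) { throw "client could not open the mailslot" }
  foreach ($pan in $hits) {
    $masked = $pan.Substring(0, 6) + ('*' * ($pan.Length - 10)) + $pan.Substring($pan.Length - 4)
    $msg = [Text.Encoding]::ASCII.GetBytes("pid=$PID pan=$masked")
    [uint32]$w = 0
    [void][Slot]::WriteFile($h, $msg, $msg.Length, [ref]$w, [IntPtr]::Zero)   # one message per record
  }
  [void][Slot]::CloseHandle($h)
  $hits.Count
}

# Constructed "process memory": two Luhn-valid test PANs and one that fails the check.
$Buffers = @(
  'junk ;4111111111111111=25121010000000000000? junk ;4111111111111112=25121010000000000000? end',
  'pos.exe heap ;5500000000000004=26061010000000000000? tail'
)
$jobs = $Buffers | ForEach-Object { Start-Job -ScriptBlock $Client -ArgumentList $Win32, $SlotName, $_ }

function Receive-Slot {
  # Drain every queued message; GetMailslotInfo reports how many are waiting.
  $out = @(); $buf = New-Object byte[] 1024
  [uint32]$next = 0; [uint32]$count = 0
  [void][Slot]::GetMailslotInfo($Server, [IntPtr]::Zero, [ref]$next, [ref]$count, [IntPtr]::Zero)
  while ($count -gt 0) {
    [uint32]$read = 0
    if ([Slot]::ReadFile($Server, $buf, $buf.Length, [ref]$read, [IntPtr]::Zero)) {
      $out += [Text.Encoding]::ASCII.GetString($buf, 0, $read)
    }
    [void][Slot]::GetMailslotInfo($Server, [IntPtr]::Zero, [ref]$next, [ref]$count, [IntPtr]::Zero)
  }
  return ,$out
}

$records = @()
while ($jobs | Where-Object { $_.State -in 'NotStarted', 'Running' }) { $records += Receive-Slot; Start-Sleep -Milliseconds 200 }
$records += Receive-Slot            # anything posted just before the last client exited
$jobs | Wait-Job | Receive-Job | Out-Null
$jobs | Remove-Job
[void][Slot]::CloseHandle($Server)

"$($records.Count) record(s) reached the collector; expected 2 (the third PAN fails the Luhn check)"
$records
```

Run it with `powershell -ExecutionPolicy Bypass -File .\mailslot-demo.ps1`; it prints two masked records, one from each client process. The sharing point the article makes is visible on the client side: every job opens `\\.\mailslot\demo_collector` with GENERIC_WRITE and gets its own handle, so any number of injected processes can post at once without contending for a single log file. For a defender the artifact is the mirror image of this demo: one process calling CreateMailslot with an unusual name while unrelated processes open `\\.\mailslot\<that name>` for write.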
Since 2013, popular malware variants like Backoff, which has extensive data stealing and exfiltration capabilities, have become a go-to for attackers targeting point-of-sale systems. By comparison, 2015 has so far been relatively quiet on the retail breach disclosure front, but that hasn’t stopped POS malware authors from quietly refining their product.
“Despite the ongoing efforts to curb POS malware from being successful, this seems to be an area where there is no slowing down,” Hoffman said, acknowledging some newer POS malware variants that have been uncovered over the past several months like Alina and Spark, the report further said.