A new family of Point of Sale (PoS) malware has been identified and studied by researchers at Trend Micro, a California-based global security software company and a pioneer in internet content security and threat management solutions.
Experts termed the malware PwnPOS and believe it has been in use since 2013, or even earlier. It is ironic that such a blatant security breach went unnoticed for so long.
According to sources close to the researchers, PwnPOS remained unnoticed all these years because of its simple and thoughtful construction.
Containing two components - a Random Access Memory (RAM) scraper binary and a binary that does the data exfiltration - PwnPOS looks and works much like other known PoS malware. It enumerates every running process, searches for payment data and saves it to a separate file, compresses and encrypts that file, and then sends it by email to a pre-determined address via SMTP.
"Instead of utilizing a third-party executable for emailing, the malware uses an AutoIt routine that utilizes the Collaboration Data Objects (CDO) API suite which comes with Microsoft Windows," Jay Yaneza, a Threats Analyst, said.
The malware ensures its persistence and hides itself: it can add and remove itself from the list of services, download and delete files as needed, masquerade malicious files as benign ones and hide them within the %SYSTEM% directory, and store the stolen data in a .dat file that does not look out of place in the %SystemRoot%\system32 directory.
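The behaviours described above (a terminal mailing data out over SMTP, a service quietly added on a terminal, and a stray .dat file under system32) each leave a trace a defender can hunt for. The script below is an added example written for this article, not code from Trend Micro or from the malware analysis; it runs three such checks over constructed sample data. The POS subnet, the approved mail relay, the baseline service names and the gold-image .dat list are placeholder assumptions, and every log line, event record and directory entry is invented for the demonstration.

```python
"""Hunting for the behaviours the article attributes to PwnPOS on POS hosts:
(1) terminals sending mail directly over SMTP, (2) services being installed
on terminals, (3) new .dat files appearing under %SystemRoot%\\system32.
Every log line, event record and listing below is a constructed sample."""
import ipaddress
import re
from dataclasses import dataclass

# Assumptions (placeholders): POS terminals live in this subnet, and only the
# shop's mail relay may open outbound SMTP connections.
POS_SUBNET = ipaddress.ip_network("10.50.0.0/24")
APPROVED_MAIL_RELAYS = {"10.50.0.5"}
SMTP_PORTS = {25, 465, 587}

# Constructed firewall log: "<time> <src> <dst> <dport> <proto> <action>"
FIREWALL_LOG = """\
2015-03-02T10:01:12 10.50.0.21 203.0.113.10 443 tcp allow
2015-03-02T10:03:40 10.50.0.21 198.51.100.25 25 tcp allow
2015-03-02T10:04:02 10.50.0.5 198.51.100.25 25 tcp allow
2015-03-02T10:05:19 10.50.0.33 198.51.100.40 587 tcp allow
2015-03-02T10:06:00 10.20.1.7 198.51.100.25 25 tcp allow
"""
FW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+) (\w+)$")

# Constructed Windows System log records shaped like Event ID 7045
# ("A service was installed in the system"), as exported to JSON.
# Service and file names here are invented, not real indicators.
SERVICE_EVENTS = [
    {"EventID": 7045, "Computer": "POS-TERM-21", "ServiceName": "winsvcupd",
     "ImagePath": r"C:\Windows\system32\winsvcupd.exe"},
    {"EventID": 7045, "Computer": "POS-TERM-33", "ServiceName": "PosPrintSpooler",
     "ImagePath": r"C:\Program Files\POS\spooler.exe"},
    {"EventID": 7036, "Computer": "POS-TERM-33", "ServiceName": "PosPrintSpooler",
     "ImagePath": ""},
]
# Assumption: service names the shop knows to be installed on terminals.
BASELINE_SERVICES = {"PosPrintSpooler", "TrendMicroAgent"}

# Constructed listing of %SystemRoot%\system32: (filename, modified-time)
SYSTEM32_LISTING = [
    ("perfc009.dat", "2014-07-10T08:00:00"),
    ("perfh009.dat", "2014-07-10T08:00:00"),
    ("syslog.dat", "2015-02-27T23:41:10"),
    ("kernel32.dll", "2014-07-10T08:00:00"),
]
# Assumption: .dat names present on the terminal's gold image.
BASELINE_DAT_FILES = {"perfc009.dat", "perfh009.dat"}


@dataclass
class Finding:
    host: str
    reason: str


def smtp_from_pos_hosts(log_text: str) -> list[Finding]:
    """Flag POS terminals (other than the mail relay) opening outbound SMTP."""
    findings = []
    for line in log_text.splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, proto, _action = m.groups()
        if proto != "tcp" or int(dport) not in SMTP_PORTS:
            continue
        if ipaddress.ip_address(src) not in POS_SUBNET or src in APPROVED_MAIL_RELAYS:
            continue
        findings.append(Finding(src, f"outbound SMTP to {dst}:{dport} at {ts}"))
    return findings


def unexpected_service_installs(events, baseline) -> list[Finding]:
    """Flag 7045 events whose service name is not in the baseline, and note
    when the binary sits in system32, where the article says the malware hides."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045 or ev["ServiceName"] in baseline:
            continue
        reason = f"new service {ev['ServiceName']!r} from {ev['ImagePath']}"
        if "\\system32\\" in ev["ImagePath"].lower():
            reason += " (binary placed in system32)"
        findings.append(Finding(ev["Computer"], reason))
    return findings


def new_dat_files(listing, baseline, host="POS-TERM-21") -> list[Finding]:
    """Flag .dat files in system32 that the gold image does not account for."""
    return [Finding(host, f"unexpected {name} (modified {mtime})")
            for name, mtime in listing
            if name.lower().endswith(".dat") and name not in baseline]


if __name__ == "__main__":
    for f in (smtp_from_pos_hosts(FIREWALL_LOG)
              + unexpected_service_installs(SERVICE_EVENTS, BASELINE_SERVICES)
              + new_dat_files(SYSTEM32_LISTING, BASELINE_DAT_FILES)):
        print(f"{f.host}: {f.reason}")
```

The SMTP check is the strongest of the three on a real estate because a PoS terminal has no legitimate reason to open its own mail sessions; a firewall rule that only permits the relay to reach port 25, 465 or 587 turns the detection into a block. The service and .dat checks depend entirely on having a trustworthy baseline of the terminal image, so they belong in a scheduled integrity sweep rather than a one-off run.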
"While the RAM scraper component remains the same, the data exfiltration component has seen several modifications – implying that there are two, and possibly distinct, authors," Yaneza explained.
"We have seen PwnPOS working with other PoS malware like Alina and BlackPOS, among small-to-medium companies within Japan, Australia, India, the United States, Canada, Germany and Romania, running 32-bit versions of either Windows 7 or Windows XP."
The company has provided threat indicators and a YARA rule to detect the RAM scraper component.