Researchers identify new powerful PoS malware
POS Software
09-03-2015 00:00:00
A new family of Point of Sale (PoS) malware has been identified and analysed by researchers at Trend Micro, a California-based global security software company specialising in internet content security and threat management solutions.

The researchers have named the malware PwnPOS and believe it has been in use since 2013, possibly earlier. How such a blatant compromise of payment systems went unnoticed for so long is the obvious question.

According to sources close to the researchers, PwnPOS stayed under the radar all these years precisely because of its simple, carefully thought-out construction.

PwnPOS consists of two components, a Random Access Memory (RAM) scraper binary and a binary that handles data exfiltration, and it looks and works much like other known PoS malware. It enumerates every running process, searches process memory for payment card data and saves what it finds to a separate file, compresses and encrypts that file, and then sends it by SMTP to a pre-determined email address.
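The search step above, finding card data in a block of process memory, is the core of every RAM scraper and is also exactly what a defender runs over a memory dump or a suspicious drop file to confirm it holds payment data. The following is an added example written for this page; it is not PwnPOS code and not Trend Micro's YARA rule. It assumes the standard magnetic-stripe layouts (track 1 format B and track 2), applies a Luhn check to discard false positives, and scans a constructed buffer containing industry test-style card numbers rather than real ones.

```python
"""
Scan a memory buffer for magnetic-stripe track data.

Added example, not PwnPOS's own code: shows the "search for payment data"
step a RAM scraper performs, which doubles as a check a responder can run
over a process dump or a recovered .dat file. All input is constructed.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Track 1 (format B): %B<PAN>^<NAME>^<YY><MM><service code><discretionary>?
TRACK1 = re.compile(
    rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]{0,40})\?"
)
# Track 2: ;<PAN>=<YY><MM><service code><discretionary>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\?")


@dataclass(frozen=True)
class CardHit:
    track: int      # 1 or 2
    pan: str        # primary account number, unmasked
    expiry: str     # YYMM as printed on the stripe
    name: str       # cardholder name (track 1 only)
    offset: int     # byte offset in the scanned buffer


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: filters out digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four (the PCI-permitted display form)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list[CardHit]:
    """Return Luhn-valid track records found in buf, ordered by offset."""
    hits: list[CardHit] = []
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            expiry = (m.group(2) + m.group(3)).decode()
            hits.append(CardHit(2, pan, expiry, "", m.start()))
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            expiry = (m.group(3) + m.group(4)).decode()
            name = m.group(2).decode(errors="replace")
            hits.append(CardHit(1, pan, expiry, name, m.start()))
    hits.sort(key=lambda h: h.offset)
    return hits


# Constructed sample "process memory": binary noise around three stripe
# records; the third uses a PAN that fails Luhn and must be dropped.
SAMPLE_MEMORY = (
    b"\x00\x00MZ\x90\x00" + b"\xcc" * 16
    + b";4111111111111111=2512101123456789?"            # track 2, Luhn-valid
    + b"\x00" * 8
    + b"%B5500000000000004^DOE/JANE^2411201000000000?"  # track 1, Luhn-valid
    + b"\xff" * 8
    + b";4111111111111112=2512101123456789?"            # track 2, fails Luhn
    + b"\x00" * 8
)


def report(buf: bytes) -> list[str]:
    """Masked one-line summaries, safe to paste into an incident ticket."""
    return [f"T{h.track} {mask_pan(h.pan)} exp={h.expiry} @0x{h.offset:x}"
            for h in scan_buffer(buf)]


if __name__ == "__main__":
    # Usage: python scan_tracks.py [dump.bin]; with no argument the
    # constructed sample buffer is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MEMORY
    for line in report(data):
        print(line)
```

The Luhn filter matters in practice: process memory is full of digit runs (timestamps, counters, file offsets) and without it a scan of a real dump drowns in noise, which is also why real scrapers and the YARA rules written against them both carry a check of this kind.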

"Instead of utilizing a third-party executable for emailing, the malware uses an AutoIt routine that utilizes the Collaboration Data Objects (CDO) API suite which comes with Microsoft Windows," Jay Yaneza, a Threats Analyst, said.

The malware persists and hides by adding and removing itself from the list of services, downloading and deleting files as needed, masquerading its malicious files as benign ones inside the Windows system directory, and storing the stolen data in a .dat file that does not look out of place in %SystemRoot%\system32.

"While the RAM scraper component remains the same, the data exfiltration component has seen several modifications – implying that there are two, and possibly distinct, authors," Yaneza explained.

"We have seen PwnPOS working with other PoS malware like Alina and BlackPOS, among small-to-medium companies within Japan, Australia, India, United States, Canada, Germany and Romania, running 32-bit versions of either Windows 7 or Windows XP."

The company has provided threat indicators and a YARA rule to detect the RAM scraper component.
-K Ramanathan
