Security researchers from multiple firms have uncovered two new malware families targeting retail point-of-sale systems. The first variant, known as PwnPOS, uses a “simple but thoughtful construction” to remain undetected on compromised systems.
A report from Trend Micro revealed that the malware family may have been active since as far back as 2013 and has managed to fly under the radar due to its sneaky programming. The malicious software is made up of two main components, a RAM scraper binary that remains constant and a data exfiltration module utilizing two separate binaries. The exfiltration component uses two different email addresses according to researchers, making it very difficult to trace.
The second piece of malware, LogPOS, uses Windows mailslots to send attackers stolen credit card information. Mailslots are the mechanism through which one-way interprocess communications take place, allowing applications to store messages and users can retrieve them.
Nick Hoffman, a researcher at security firm Morphick that discovered the LogPOS malware, wrote that using Windows mailslots to deliver stolen data isn’t a new technique for malware. While similar methods have been leveraged as part of APT attacks in the past, authors of POS malware rarely used mailslots until now.
“Because LogPOS injects code into various processes and has each of them search their own memory, it can’t use a log, since they can’t all open the same file with write access at once,” Hoffman wrote. “Instead, it uses mailslots. In this case, the main executable creates the mailslot and acts as the mailslot server, while the code injected into the various processes acts as a client, writing carved credit card numbers to the mailslot for direct transmission to the C2 [server].”
Hoffman went on to say that the LogPOS malware family’s use of mailslots allows it to easily avoid detection from the traditional methods companies would use to identify POS threats. Many retail security tools scan files for unencrypted credit card data, but because this malware writes the information into a mailslot, it cannot be discovered.
POS malware attacks becoming more frequent, sophisticated
Security vendors have been experiencing a massive increase in the amount of POS malware they’re encountering. One firm reported that there have been more POS variants found in the last six months than in the last few years combined. Clearly the reward of successfully exploiting a retailer’s POS system is too great for cybercriminals to be deterred by security precautions, so businesses will have to not only increase their efforts, but try something new as well.
Instead of the traditional cybersecurity methods that are quickly becoming outdated, retailers should considering implementing a whitelisting solution like Faronics Anti-Executable. With this program, businesses are able to block unapproved applications from being run and protect critical hardware from being compromised.