Researchers find new POS malwares

Researchers have now discovered two new and different strains of point of sale (POS) malware including one that has gone largely undetected for the past five years.

Researchers have described Cherry Picker, a set of PoS malware which in one form or another has been targeting businesses that sell food and beverage since 2011.

The malware is reportedly said to be used in a recent breach at an unidentified U.S. restaurant chain.
The new form of memory-scraping POS malware has become a threat for retailers.

The Federal Bureau of Investigation (FBI) has released a warning to keep guards against the malware as it can infect any Windows-based POS network and can encrypt the data stolen, making detection difficult.
Researchers with Trustwave have noticed some basic elements of the malware back in 2011 but the malware has gone through three iterations in the years since, adding new configuration files, ways to scrape memory, and remain persistent. 

The malware has managed to stay covert since many years by using a combination of configuration files, encryption, obfuscation, and command line arguments. 

During his research Eric Merritt, the primary researcher who observed the malware found a file on a system infected by Cherry Picker that helped cover the malware’s tracks all these years, too. The file contains hardcoded paths to the malware, exfiltration files, and legitimate files on the system. A special “custom shredder function” in the code goes ahead and overwrites the file multiple times with 00’s, FF’s, and “cryptographic junk” before going on to shred a list of malware and exfiltration file locations, and the executable itself. From there, the code removes any remaining traces of the PoS malware.

With this reaserchers have also discovered the existence of another type of POS malware known as Abaddon. This is relatively newer to Cherry Picker.

Vawtrak, a banking Trojan, downloaded TinyLoader, a downloader which in turn, downloaded another downloader which downloaded shellcode that turned into Abaddon.

“AbbadonPOS appears to have features for anti-analysis, code obfuscation, persistence, location of credit card data, and a custom protocol for exfiltrating data. Much like malware as a general category, the sophistication of this new malware over prior malware continues to increase,” said Kevin Epstein, Vice President of Threat Operations at the firm.

In addition, security firm Trend Micro is warning of a new malware called Malum POS which targets the Oracle Micros POS system.

Attackers are going to have several choices when it comes to POS malware this season.

Share this with Your friends: