A newly discovered point of sale (PoS) malware family, which infects machines to scrape credit card data from memory and exfiltrate it to external servers, has been detected.
According to research from Cisco, “PoSeidon” comprises several components: it maintains persistence on the target machine so that it survives a reboot, installs a keylogger, and scans the memory of the PoS device for number sequences that could be credit card numbers.
PoSeidon starts with a “Loader” binary that maintains persistence and contacts a command and control server to retrieve a URL pointing to a second binary; that binary installs the keylogger and scans the memory of the PoS device. Once the candidate sequences are verified as credit card numbers, they and the captured keystrokes are encoded and sent to an exfiltration server.
The Loader copies itself to the system, overwriting any existing file at that location with the same name. If the Loader cannot install itself as a service, it looks for other instances of itself running in memory and terminates them.
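The memory-scraping step described above, reimplemented as a self-check. This is an added example, not Cisco's analysis code or PoSeidon's own; it assumes the verification is a Luhn check plus a coarse issuer-prefix check (the article says only that candidate numbers are verified). Run against a dump of your own PoS process, it shows whether cleartext PANs, or whole track records, are sitting where a scraper would find them. The sample buffer and the test card numbers in it are constructed.

```python
"""
Scan a memory buffer for candidate primary account numbers (PANs), the way
PoS memory scrapers do, and keep only those that pass a Luhn check and a
coarse issuer-prefix check. Intended use: point it at a dump of your own
PoS process to see what a scraper would harvest.
"""
import re
from typing import Dict, List

# Contiguous digit runs of plausible PAN length. Track 1/2 data and plain
# text both carry the PAN as one such run, so this is enough for a first pass.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, the standard structural validation for a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def issuer_prefix_ok(digits: str) -> bool:
    """Coarse IIN/length check for the major brands (assumption: a scraper
    applies something like this to cut false positives such as timestamps)."""
    n = len(digits)
    two, three, four = int(digits[:2]), int(digits[:3]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return True                                             # Visa
    if (51 <= two <= 55 or 2221 <= four <= 2720) and n == 16:
        return True                                             # Mastercard
    if two in (34, 37) and n == 15:
        return True                                             # American Express
    if (four == 6011 or two == 65 or 644 <= three <= 649) and n == 16:
        return True                                             # Discover
    return False


def mask_pan(digits: str) -> str:
    """Report first six and last four only, so the finding is not itself a leak."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_memory(buf: bytes) -> List[Dict]:
    """Return one record per verified PAN: offset, masked PAN, and whether the
    PAN sits inside track data ('=' is the Track 2 separator, '^' Track 1)."""
    hits = []
    for m in PAN_RE.finditer(buf):
        digits = m.group(1).decode("ascii")
        if not (luhn_valid(digits) and issuer_prefix_ok(digits)):
            continue
        following = buf[m.end():m.end() + 1]
        hits.append({
            "offset": m.start(),
            "pan": mask_pan(digits),
            "track_data": following in (b"=", b"^"),
        })
    return hits


# Constructed memory image: public test card numbers plus noise.
SAMPLE_MEMORY = (
    b"\x00\x00POS terminal v2.1\x00"
    b";4111111111111111=2512101000?\x00"          # Track 2 record (Visa test PAN)
    b"B5555555555554444^DOE/JOHN^2512101\x00"     # Track 1 record (Mastercard test PAN)
    b"378282246310005\x00"                        # bare Amex test PAN
    b"4111111111111112\x00"                       # fails Luhn
    b"2015032412345678\x00"                       # timestamp-like digits, not a PAN
    b"12345678901234567890\x00"                   # too long for a PAN
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

Each hit is reported masked; if the scan of a production dump returns anything at all, the cleartext exposure window exists and the cure is on the application side (point-to-point encryption or tokenisation before the PAN reaches process memory), not in the scanner.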
Cisco said that PoSeidon is another example of the sophisticated techniques and approaches of malware authors, and that as long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and the development of new malware families.
Tim Erlin, director of product management at Tripwire, said that as PoS malware has been extremely productive for criminals in the last few years, there’s little reason to expect that will change anytime soon. “It’s no surprise that as the information security industry updates tools to detect this malicious software, the authors will continue to adjust and innovate to avoid detection,” he said.
“Standards like the PCI Data Security Standard can only lay the groundwork for protecting retailers and consumers from these threats. A standard like PCI can specify a requirement for malware protection, but any specific techniques included may become obsolete as malware evolves. There are, however, some core capabilities that detect activity common to most malware. Identifying and patching vulnerabilities can prevent malware from getting into the system in the first place. Monitoring for new files and changes to files can detect when malware installs itself on a system, as PoSeidon does.”
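The file-change monitoring Erlin describes, as an added example that is not Tripwire's product code or anything from the Cisco report: a minimal file-integrity baseline that hashes every file under a directory, then diffs a later snapshot against it. The scenario it runs is constructed and the file names (pos.exe, helper.exe, stage2.exe) are hypothetical; it mirrors the Loader behaviour described above, copying itself over a same-named existing file and fetching a second binary.

```python
"""
Minimal file-integrity baseline: hash every file under a directory, then
diff a later snapshot against it to surface new, changed and deleted files.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def simulate_loader_install() -> Dict[str, List[str]]:
    """Constructed scenario with hypothetical file names: a PoS host is
    baselined, then a loader overwrites a same-named existing file and a
    second-stage binary lands beside it. Returns the diff the monitor raises."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "pos.exe").write_bytes(b"legitimate PoS application")
        (root / "app" / "helper.exe").write_bytes(b"legitimate helper")
        before = snapshot(root)

        # Loader copies itself over an existing file of the same name ...
        (root / "app" / "helper.exe").write_bytes(b"loader payload")
        # ... and the downloaded second-stage binary is written beside it.
        (root / "app" / "stage2.exe").write_bytes(b"keylogger + memory scraper")
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in simulate_loader_install().items():
        print(f"{kind}: {paths}")
```

In practice the baseline has to be stored off the monitored host and the comparison run on a schedule or from a change-notification hook, since a loader that runs as a service can tamper with anything left on the same machine.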
Sagie Dulce, security researcher at Imperva, doubted that this malware is any more sophisticated than other previously known PoS malware. He said: “The blog says that the keylogger deletes registry keys stored by a remote access application called ‘LogMeIn’. Perhaps this is a clue about the initial compromise – the attackers may have stolen LogMeIn credentials in order to remotely access the POS device (and perhaps many others with the same account) and install the POS malware.”