Cisco uncover new point-of-sales malware PoSeidon

28 Mar 2015

With the ever increasing number of transactions being carried out electronically, point of sales (PoS) systems now pose a more tempting target for cyber criminals.

A new strain of PoS malware has been uncovered by security researchers at networking company Cisco, that seeks to extract credit card data from memory and send it to remote servers.

PoSeidon, as the malware is called has more  sophisticated design than other PoS malware and resembles ZeuS in some ways. Designed to evade detection, it can communicate directly with command and control (C&C ) servers and self-update to execute new code. It also integrates self-protection mechanisms to guard against reverse engineering.

The infection started with a loader binary that, at the time of execution, looked to gain persistence on the target machine in order to survive a system reboot. It accomplished this by hiding itself in a process named WinHost32 and adding an entry to the registry.

The loader then contacted a C&C server, retrieved a URL containing another binary to download and execute. On downloading the binary, called FindStr, installed a keylogger and scanned the memory of the PoS device for any number sequences that could be credit card numbers. On verification that the digits it found were in fact credit card numbers, both keystrokes and card numbers were encoded and sent to a server.

"Incidents involving PoS malware have been on the rise, affecting many large organisations as well as small mom-and-pop establishments and garnering a lot of media attention," the researchers noted in a report.

"The Keylogger component was potentially used to steal passwords and could have been the initial infection vector," the researchers noted.

The stolen data was then uploaded to an exfiltration server and according to the researchers, most of the C&C servers and exfiltration servers used .ru domains.

"PoSeidon is another in the growing number of point-of-sale malware targeting PoS systems that demonstrate the sophisticated techniques and approaches of malware authors," the researchers stated.

"As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families," they added. "Network administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats."

Researcher Craig Williams told SC Magazine, PoSeidon was particularly notable because it was self-updateable and had interesting evasions by using the combination of XOR, Base64, etc, and had direct communication with the exfiltration servers, as opposed to common PoS malware, that logged and stored for future exfiltration from another system.