In this article, MrTansey, security researcher at Lancope describes the top 10 most prolific POS malware families.
Summary:
Cybercriminals continue to lead the malware race. As security technologies advance, in an effort to detect or protect against malware, so does the malware itself. Attackers are dedicated, persistent and very clever. Criminals follow their own software development lifecycle and test their malware against anti-virus solutions to make sure it evades detection. They incorporate usernames, passwords and network addresses for their specific targets into their code and, as long as money can be made from the spoils of their conquests, they won’t stop.
One especially lucrative target for attackers is retail point-of-sale (POS) systems. If constant reports of breached retailer after breached retailer haven’t already provoked concern, it’s time for businesses to get properly informed about POS malware.
What is Point-Of-Sale (POS) Malware?
Point-of-sale (POS) malware is highly customised malicious software written to identify, aggregate and exfiltrate cardholder data (CHD). According to estimates, cybercrime and data breaches involving POS malware have driven organised crime profits into the billions of dollars.
One of the best things that a consumer can do when it comes to point-of-sale malware is to keep on top of where their money is being spent. Go through monthly account statements and turn on email/text alerting for transactions, and periodically review open lines of credit.
Point-of-sale malware has proven to be a successful venture, so it’s no surprise that we've seen more advanced families come to light. We’re now seeing families, like Soraya, broadening the scope of information being captured and the methods they use to do so. Additionally, we're now seeing malware authors doing things specifically to make analysis more difficult for when their malware is ultimately found.
Criminals may deploy point-of-sale malware manually on networks they’ve already breached or trick users into doing it themselves, but what’s alarming is the amount of success that criminals have had by simply looking for point-of-sale systems protected from the internet by little more than weak or even default credentials.
Knowing how to produce tools like those used against major retailers is not something a would-be attacker needs to worry about. While writing custom malware is an option, multiple point-of-sale malware families, for example BlackPOS and vSkimmer, have been found for sale online, offering custom builders, back-ends, and even technical support.
While large retailers are appealing to criminals due to the number of cards they process, smaller retailers often lack the technical controls that make compromise difficult and the expertise to discover these compromises when they happen.
Family Notes
rdasrv
‘Rdasrv’ is an early example of point-of-sale malware. It scrapes the memory of a specific, hardcoded list of point-of-sale process names, looking for Track 1 and Track 2 data with hardcoded regular expressions. It had no ability to exfiltrate data automatically: it only wrote the information to a file on disk, which meant attackers needed to collect their data in some other fashion.
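As an added example (not code from the article or from any of the families it describes), here is a defender-side check in the same spirit as those hardcoded regexes: it scans a buffer such as a dump file recovered from a compromised host for Track 1 and Track 2 records, Luhn-validates each PAN to drop false positives, and reports only masked PANs. The sample buffer and the test card numbers in it are constructed.

```python
# Added example (not the article's or any malware family's code): a forensic check
# for Track 1 / Track 2 data in a buffer such as a dump file left on a POS host.
import re
from dataclasses import dataclass

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]{0,40}\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,40}\?")

@dataclass
class TrackHit:
    track: int
    masked_pan: str   # first 6 / last 4 only, the most PCI DSS allows to display
    expiry: str       # YYMM
    offset: int       # byte offset of the record in the buffer

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; drops most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_buffer(buf: bytes) -> list[TrackHit]:
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue  # noise or a corrupted record, not a real card number
            expiry = (m.group(3) if track == 1 else m.group(2)).decode()
            hits.append(TrackHit(track, mask_pan(pan), expiry, m.start()))
    return sorted(hits, key=lambda h: h.offset)

# Constructed sample resembling a malware dump file: two industry test PANs,
# one Luhn-invalid decoy, and surrounding junk bytes.
SAMPLE = (b"\x00junk\x00"
          b"%B4111111111111111^DOE/JOHN^2512101000000000?\n"
          b";5555555555554444=2601201000000000?\n"
          b";4111111111111112=2601201000000000?\n"
          b"trailing bytes\xff")

if __name__ == "__main__":
    for h in scan_buffer(SAMPLE):
        print(f"offset {h.offset}: track {h.track} PAN {h.masked_pan} exp {h.expiry}")
```

The same scanner can be pointed at a network capture or a removable drive image, which is where VSkimmer-style dumps end up.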
Alina
Alina is an example of point-of-sale malware that looks for Track 1 and 2 information without a specific list of target processes. It skips over memory for programs that may have large amounts of memory and a low chance of containing card information, like web browsers. It is capable of automatically exfiltrating information over the network.
VSkimmer
VSkimmer is point-of-sale malware distributed as a customisable kit, meaning people who have purchased it can automatically generate malware using their own configuration options. These generated samples have been seen searching for Track 2 data and use a process blacklist containing the names of certain Windows processes unlikely to contain credit card information. It is also capable of downloading and executing other applications (like malware) at the command of its controller. Interestingly, VSkimmer supports automatic exfiltration over the network as well as the ability to dump stored credit card information to a thumb drive with a pre-determined name. This is particularly useful for ‘insider threats’ with physical access.
Dexter
In addition to simply looking for Track 1 and 2 credit card information, Dexter also has a keylogging component to capture keystrokes and other input. It maintains a process blacklist similar to VSkimmer. Dexter is also capable of automatic exfiltration over the network as well as receiving commands to do things like download and execute other files or remove itself.
BlackPOS
BlackPOS is point-of-sale malware that searches for both Track 1 and 2 information. Certain versions are capable of using user-supplied search criteria, which makes the malware easy to repurpose. BlackPOS has also been observed attempting to brute force RDP logins of other hosts. It is capable of multiple types of network-based exfiltration, including email, FTP, and utilising an internal ‘dump server.’ The source code of BlackPOS was leaked, which means anyone who obtains it can modify or recreate it.
Decebal
Decebal is point-of-sale malware that searches for both Track 1 and Track 2 information. In addition to searching for credit card information, it also uses some stealth techniques. It attempts to avoid analysis environments like sandboxes and debuggers. It is capable of using the network for exfiltration, where it also exfiltrates the names of installed anti-virus products to its controllers. Like other families, Decebal maintains a list of processes not to scan for card data. It has also been observed being distributed via drive-by download. Like BlackPOS, Decebal has had its source code leaked.
JackPOS
JackPOS is point-of-sale malware that searches for both Track 1 and 2 information. Like other families, JackPOS also maintains a blacklist of process names and exfiltrates data over the network.
Soraya
Soraya is a notable point-of-sale malware family that searches for both Track 1 and 2 information. It searches non-blacklisted process memory for credit card information, but Soraya also injects itself into processes in order to capture data transmitted in web requests. It exfiltrates captured credit card information as well as web requests over the network. Soraya uses packing to obfuscate its executable file in order to make analysis more difficult.
ChewBacca
ChewBacca is a point-of-sale malware family that is notable for its use of Tor hidden services for data exfiltration. In addition to searching for Track 1 and 2 data, ChewBacca also has a keylogging component.
BrutPOS
BrutPOS is point-of-sale malware notable for its use of brute force attacks in an attempt to compromise additional systems. It targets known point-of-sale software process names for scanning, and offers attackers the ability to do custom searches like BlackPOS.
Backoff
Backoff is point-of-sale malware that searches for Track 1 and 2 data by scanning the memory of processes that are not blacklisted. Like Soraya, it uses custom obfuscation in an attempt to make analysis more difficult. It is also capable of downloading and executing additional files. Like BlackPOS and BrutPOS, Backoff has been observed being deployed on internet-exposed POS systems with weak RDP credentials.
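The RDP credential guessing attributed above to BlackPOS, BrutPOS and Backoff leaves a characteristic trail in the Windows Security log. As an added example (not from the article), the following detection logic flags a burst of failed RemoteInteractive logons (event 4625, logon type 10) from one source and records whether a successful logon (event 4624) from that source followed; the event records, threshold and window are constructed and assumed.

```python
# Added example (not from the article): detect the RDP password guessing that
# BrutPOS, BlackPOS and Backoff rely on, from Windows Security events 4625
# (failed logon) and 4624 (successful logon). All event records are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records: (timestamp, event id, logon type, source IP, account).
# Logon type 10 = RemoteInteractive, i.e. an RDP session.
EVENTS = [
    ("2014-08-01 02:00:01", 4625, 10, "203.0.113.7", "Administrator"),
    ("2014-08-01 02:00:03", 4625, 10, "203.0.113.7", "Administrator"),
    ("2014-08-01 02:00:04", 4625, 10, "203.0.113.7", "admin"),
    ("2014-08-01 02:00:06", 4625, 10, "203.0.113.7", "pos"),
    ("2014-08-01 02:00:09", 4625, 10, "203.0.113.7", "POSUser"),
    ("2014-08-01 02:00:15", 4624, 10, "203.0.113.7", "POSUser"),
    ("2014-08-01 02:05:00", 4625, 10, "198.51.100.9", "cashier"),  # a lone typo
    ("2014-08-01 02:05:30", 4624, 10, "198.51.100.9", "cashier"),
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag sources with >= threshold failed RDP logons inside window, and record
    whether a successful logon from that source followed (likely compromise)."""
    recent = defaultdict(deque)   # source IP -> timestamps of failures in window
    accounts = defaultdict(set)   # source IP -> account names tried (kept live)
    alerts = {}                   # source IP -> alert dict
    for ts_s, event_id, logon_type, src, acct in sorted(events):
        if logon_type != 10:
            continue              # only RDP logons matter here
        ts = datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S")
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()           # expire failures outside the window
        if event_id == 4625:
            q.append(ts)
            accounts[src].add(acct)
            if src in alerts:
                alerts[src]["failures"] += 1
            elif len(q) >= threshold:
                alerts[src] = {"source": src, "failures": len(q),
                               "accounts": accounts[src], "success": None}
        elif event_id == 4624 and src in alerts and alerts[src]["success"] is None:
            alerts[src]["success"] = acct   # guessing burst followed by a login
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(EVENTS):
        print(alert)
```

An alert whose "success" field is set is the case to treat as a probable compromise rather than mere noise, since the next step in the families above is dropping the scraper onto that host.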