Researchers from Proofpoint are today announcing their discovery of Abaddon, a new Point of Sale (PoS) malware that is downloaded in the course of a Vawtrak infection. This use of additional payloads to enhance attack capabilities is another example of threat actors expanding their target surface by delivering multiple payloads in a single campaign, in this case by adding potential PoS terminals to the set of targets.
Proofpoint has published a blog post announcing its discovery; the key findings are summarised below:
Delivered alongside the known banking Trojan Vawtrak, this new malware spreads through both email and web infections. It includes features designed to resist analysis and to encode stolen credit card data. Proofpoint has seen it broadly targeting organizations worldwide rather than focusing solely on the retail sector.
Threat actors increasing their target surface by using a single campaign to deliver multiple payloads is by now a well-established practice. Using this technique to deliver point of sale malware is less common, but the approach of the holiday shopping season gives cybercriminals ample reason to maximize the return on their campaigns by distributing a new, powerful PoS malware that can capture the credit and debit card transactions of holiday shoppers.
Organizations with PoS terminals that are also used by employees as regular computers are especially vulnerable. Proofpoint encourages organizations to follow the best practice of separating PoS terminals and end-user networks that carry employee Internet, email and other traffic.
In response to the discovery, Patrick Wheeler, director of Threat Intelligence for Proofpoint, said:
“The appearance of new PoS malware on the eve of the holiday shopping season highlights that despite the adoption of EMV cards, credit card swipes remain a valuable target for cybercriminals. AbaddonPOS takes advantage of organizations that use the same computer to process PoS transactions and check emails. It resists analysis and encodes stolen credit card data for easy transfer. Organizations need to silo their PoS terminals and use advanced cybersecurity technology that stops the latest malware from getting in—and prevents sensitive credit card data from unauthorized removal.”