Cisco's security team has found a new malware family targeting PoS systems. It infects machines to scrape memory for credit card data and exfiltrate it to servers, mostly under the .ru TLD, for harvesting and likely resale. This new malware family, which Cisco has nicknamed PoSeidon, has several components, as illustrated.
Security experts have long called for the use of end-to-end encryption technology to protect payment card data from the card reader all the way to the payment service provider, but the number of systems with this capability remains low.
The infection starts with a Loader binary that, upon execution, first tries to establish persistence on the target machine so that it survives a system reboot.
The Loader then contacts a command and control (C2) server and retrieves a URL from which it downloads and executes a second binary. That binary, FindStr, installs a keylogger and scans the memory of the PoS device for digit sequences that could be credit card numbers. Once it has verified that the sequences are genuine card numbers, the keystrokes and card numbers are encoded and sent to an exfiltration server.
The keylogger component can be used to steal passwords and could also be responsible for spreading infections, the researchers said.
The verification uses the Luhn algorithm: only digit sequences that pass the Luhn (mod 10) check are treated as card numbers and, together with the captured keystrokes, encoded and sent to an exfiltration server.
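The scrape-and-verify step described above, as an added example (Python written for this page, not PoSeidon's code or Cisco's analysis tooling): it scans a constructed memory buffer for runs of 13 to 19 digits, keeps those that pass the Luhn check, and masks the result for reporting. The issuer-prefix filter is an assumption of this example, not something the page attributes to the malware; it is there because Luhn alone passes one in ten random digit runs, which is also why a bare Luhn match is a weak detection signal on its own.

```python
import re

# Constructed sample of "process memory": binary noise around a track-2 style
# record, a Luhn-valid but too-short digit run, a 16-digit run that fails Luhn,
# and a second valid test PAN. None of this is real card data.
SAMPLE_MEMORY = (
    b"\x00\x01GET /track HTTP/1.1\r\n"
    b"Track2=4111111111111111=2512101\x00\x00"   # Luhn-valid, Visa-style prefix
    b"order_id=79927398713;"                      # Luhn-valid but only 11 digits
    b"cust_phone=5555555555555555;"              # 16 digits, fails Luhn
    b"\xff\xfe2223000048400011\x00"              # Luhn-valid, Mastercard 2-series range
)

# Candidate PANs are 13 to 19 ASCII digits bounded by non-digits.
CANDIDATE_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: double every second digit from the right,
    subtract 9 from doubled values above 9, and require the sum to be
    a multiple of 10."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_iin(digits: str) -> bool:
    """Assumed extra filter (not described on the page): keep only runs whose
    leading digits fall in well-known issuer ranges. This removes most of the
    Luhn-valid noise that a pure mod-10 check lets through."""
    prefix4 = int(digits[:4])
    return (
        digits.startswith(("34", "37"))                        # American Express
        or digits.startswith("4")                              # Visa
        or digits.startswith(("51", "52", "53", "54", "55"))   # Mastercard
        or 2221 <= prefix4 <= 2720                             # Mastercard 2-series
        or digits.startswith(("6011", "65"))                   # Discover
    )


def find_pans(buf: bytes):
    """Return [(offset, digits)] for every digit run in buf that passes
    both the Luhn check and the issuer-prefix heuristic."""
    hits = []
    for m in CANDIDATE_RE.finditer(buf):
        digits = m.group().decode("ascii")
        if luhn_valid(digits) and plausible_iin(digits):
            hits.append((m.start(), digits))
    return hits


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits for reporting; never write
    a full PAN into analysis output or logs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


if __name__ == "__main__":
    for offset, pan in find_pans(SAMPLE_MEMORY):
        print(f"offset {offset:#06x}: {mask_pan(pan)}")
```

The same scan runs unchanged over a real process dump taken with a forensic tool. The point for defenders is that this scan is just as cheap for the attacker, so the control that matters is keeping cleartext PANs out of PoS process memory in the first place, which is what the end-to-end encryption mentioned above provides.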
The data can be used to create cloned credit cards, and is typically sold on criminal markets. The demand for such data has driven the growth in the number of data breaches involving PoS malware.
These data breaches affect large organisations such as US retailer Target as well as small, family-run retail businesses.
The presence of large amounts of financial and personal information means these businesses and their retail PoS systems are attractive targets for cyber criminals.
PoSeidon demonstrates the criminal underground's strong interest in PoS systems; criminal crews are developing increasingly sophisticated techniques to compromise them.
The identified numbers are verified using the Luhn algorithm and then encoded and sent to one of the following exfiltration servers, the majority of which are under Russian (.ru) domains:
- linturefa.com
- xablopefgr.com
- tabidzuwek.com
- lacdileftre.ru
- weksrubaz.ru
- linturefa.ru
- mifastubiv.ru
- xablopefgr.ru
- tabidzuwek.ru
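A small check a practitioner would run against the domain list above, as an added example (Python written for this page, not a Cisco tool): it parses constructed DNS query log lines in a BIND-style format (the format and the client addresses are assumptions of this example) and reports any query to a listed domain or one of its subdomains. Matching is label-aware so that a look-alike such as notlinturefa.com does not produce a false hit. Domain indicators like these go stale quickly, so treat a match as a reason to pull the host's memory and process list, not as the whole detection.

```python
import re

# Exfiltration domains listed above (the page's indicators), normalised to
# lowercase without a trailing dot.
EXFIL_DOMAINS = {
    "linturefa.com", "xablopefgr.com", "tabidzuwek.com",
    "lacdileftre.ru", "weksrubaz.ru", "linturefa.ru",
    "mifastubiv.ru", "xablopefgr.ru", "tabidzuwek.ru",
}

# Constructed DNS query log lines in BIND query-log style (assumed format;
# adapt QUERY_RE to your resolver). Client IPs and timestamps are made up.
SAMPLE_DNS_LOG = """\
22-Mar-2015 10:01:02.123 client 10.0.5.21#51234: query: www.example.com IN A + (10.0.0.53)
22-Mar-2015 10:01:05.456 client 10.0.5.21#51240: query: LINTUREFA.COM. IN A + (10.0.0.53)
22-Mar-2015 10:01:07.789 client 10.0.5.22#51301: query: cdn.xablopefgr.ru IN A + (10.0.0.53)
22-Mar-2015 10:01:09.001 client 10.0.5.23#51310: query: notlinturefa.com IN A + (10.0.0.53)
"""

QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN ")


def normalise(name: str) -> str:
    """Lowercase and drop the trailing dot of a fully qualified name."""
    return name.lower().rstrip(".")


def matching_ioc(qname: str):
    """Return the listed domain that qname equals or is a subdomain of,
    or None. Suffix matching is done on whole labels, so a look-alike
    like 'notlinturefa.com' does not match 'linturefa.com'."""
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in EXFIL_DOMAINS:
            return candidate
    return None


def scan_dns_log(text: str):
    """Return [(client_ip, normalised_qname, matched_domain)] for every
    query to a listed exfiltration domain or one of its subdomains."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname = m.group(1), m.group(2)
        ioc = matching_ioc(qname)
        if ioc:
            hits.append((client, normalise(qname), ioc))
    return hits


if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {qname} (matches {ioc})")
```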
Retailers should beware: this new Trojan program targets point-of-sale (PoS) terminals, stealing payment card data that cybercriminals can then abuse.