Trend Micro Discovers Fresh PoS Malware Strain

Trend Micro the security company has detected one fresh PoS (point-of-sale) malicious program that seemingly has been waging attacks from no later than 2013 and that potentially works most effectively within 32-bit computers running Windows XP that most sales terminals use.

Trend Micro's researchers observe that the PoS malware named PwnPOS is truly the kind of malware which has managed in remaining undetected till now as it was constructed simply though cleverly although it was chanced with detection in future.

The PwnPOS has dual components -a binary that scrapes RAM and a data exfiltration binary. The first component doesn't undergo any change but the second one has undergone many alterations, suggesting two authors are responsible with the possibility that they're different persons. There is certain process' memory that the scraper binary goes through while stacks the data onto an associated file, whilst to exfiltrate data, the second binary relies on SMTP.

According to Jay Yaneza, Threats Analyst with Trend Micro, the dangerous PwnPOS malware is dependent on the SystemRoot%\system32 route of a system for it to send and receive missives from the C:\WINDOWS\system32\wnhelp.exe -service. Therefore, the malware can't work on the more recent 64-bit Windows computers as the expected route names are different. Thestack.com published this dated March 4, 2015.

However, according to Yaneza, the above stated admonitions mayn't be any problem as very many PoS terminals continue to use Windows XP while not necessarily require 64-bit OS deployments for themselves.

Trend observes that the PoS malware in discussion has been working side by side with filial PoS executables, most importantly BlackPOS and Alina as also chiefly within SMB environments inside Australia, India, Japan, Germany, Romania, Canada and USA.

Further, it reports that there are variants included in the RAM scraper PoS kind of malware like Chewbacca, BrutPOS, Decebal, Dexter and VSkimmer, however, these may've widely separate features like posing as Java, utilizing filenames that are socially-engineered, automatically updating data from command-and-control systems, injecting codes or using several exfiltration techniques. Usually, there is a self-eliminating 'kill switch' utility within this category, so the PoS stays undetected over a long time-period.

» SPAMfighter News - 3/14/2015