We are currently looking into a new point-of-sale (PoS) malware family detected as TSPY_POSLOGR.K, which is making the rounds just in time for this year’s holiday shopping weekend.
Around this time last year, the U.S. retailer Target suffered one of the largest data breaches in history in a targeted attack that used the BlackPOS malware, a PoS RAM scraper malware family. Cybercriminals gathered roughly 40 million credit and debit card numbers as well as 70 million personal records of Target shoppers. Home Depot also suffered a data breach recently, which has so far cost the home improvement retailer more than $43 million in investigation expenses.
TSPY_POSLOGR.K: In the Beta Testing Phase?
Based on our initial analysis, this new PoS malware does not connect to any server to exfiltrate the dumped data. TSPY_POSLOGR.K reads memory from the processes specified in its .INI file and saves the gathered dump to rep.bin and rep.tmp.
Figure 1. In the case of TSPY_POSLOGR.K, dumped data is placed in rep.bin and rep.tmp. The word ‘FUCK’ is inserted in front of the data.
Based on the other PoS malware behaviors we observed, it appears to be designed as multicomponent malware similar to an earlier BlackPOS variant named TSPY_MEMLOG.A, as it might require another component to retrieve the dumped data. It is highly possible that this is deployed as a package.
The malware is dependent on its configuration file, a sign that its authors are starting to build in flexibility. The configuration file, named 1.ini, is not present on the system by default, so we cannot tell which processes are scanned or read in the default case. The malware also does not exhibit any known C&C communications and still has debug strings in its code. Because of this, we believe that this PoS malware is still in the beta testing stage or under development.
Figure 2. Code snippet of debug strings used
Figure 3. Expected content of the .INI file: values of cryp, time, proc
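The on-disk traces described above (the rep.bin / rep.tmp dumps prefixed with the word noted in Figure 1, and a 1.ini carrying cryp, time and proc values) are what a defender can sweep a PoS host for while the sample has no C&C to watch for. The following is an added example, not code from the original post; it assumes the .INI uses flat key=value lines (the post does not show its layout) and the sample files it writes are constructed for the self-test.

```python
import os
import tempfile
from pathlib import Path

DUMP_MARKER = b"FUCK"                    # prefix inserted in front of dumped data (Figure 1)
DUMP_NAMES = {"rep.bin", "rep.tmp"}      # dump file names from the analysis
CONFIG_NAME = "1.ini"                    # configuration file the malware depends on
CONFIG_KEYS = {"cryp", "time", "proc"}   # values expected in the .INI (Figure 3)


def config_keys_present(text):
    """Return which expected keys appear in INI-style 'key=value' lines.
    Assumption: flat key=value layout; section names are not shown in the post."""
    found = set()
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key.strip().lower() in CONFIG_KEYS:
            found.add(key.strip().lower())
    return found


def scan_tree(root):
    """Walk root and return (path, reason) pairs for POSLOGR-like artifacts."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower() in DUMP_NAMES:
                with open(path, "rb") as fh:
                    if fh.read(len(DUMP_MARKER)) == DUMP_MARKER:
                        findings.append((str(path), "dump file with marker prefix"))
            elif name.lower() == CONFIG_NAME:
                if config_keys_present(path.read_text(errors="replace")) == CONFIG_KEYS:
                    findings.append((str(path), "config with cryp/time/proc keys"))
    return findings


def demo_findings():
    """Build a constructed sample tree (not real malware output) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "rep.bin").write_bytes(DUMP_MARKER + b"dummy-track-data")   # constructed hit
        (root / "rep.tmp").write_bytes(b"unrelated temp file")              # no marker: ignored
        (root / "1.ini").write_text("proc=pos.exe\ntime=60\ncryp=1\n")      # constructed hit
        (root / "notes.txt").write_text("FUCK")                             # wrong name: ignored
        return sorted(reason for _, reason in scan_tree(root))


if __name__ == "__main__":
    for reason in demo_findings():
        print(reason)
```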
We will continue to monitor this threat for more updates. In the meantime, users can stay safe online during the holiday shopping weekend by following the tips in the articles below:
Read more about PoS RAM Scraper Malware from our paper titled “PoS RAM Scraper Malware: Past, Present, and Future.”
With additional analysis by Rhena Inocencio
Hat tip goes out to Nick Hoffman of http://securitykitten.github.io/