POS Malware Continues To Evolve


Here's yet another dose of computing pain for those running NT-based
versions of Windoze:

Micro$oft's motto:  If it works, it's not complicated enough.


POS Malware Continues To Evolve
New report out today details three prevalent families.


With a little over two weeks until the holiday shopping season kicks off
in earnest, a picture of the evolution of point-of-sale (POS) malware
has come into focus through several recent pieces of research. A
recurring theme is that POS malware is maturing, with different packages
and families refined for specific attack scenarios.

Just today, researchers with Cyphort Labs released a report that
dissected three families of POS malware associated with three distinct
breach incidents at Target, Home Depot, and UPS over the past
year--BlackPOS, FrameworkPOS, and Backoff respectively.


"Looking at the modes of operation of the three families one can clearly
identify two directions: one from the targeted attacks on Target and
Home Depot, and the other from the more generalized approach of
Backoff," they wrote. "Targeted attacks are identified by the fact that
the attacker chooses the target and specifically designs the attack,
while in a general approach, the nature and identity of the victim are
unknown to the attacker."

Tailored for attacks against dedicated targets, both FrameworkPOS and
BlackPOS have multi-functional components for persistence, memory
scraping, process enumeration, and data exfiltration.

"They are most likely not from the same authors but FrameworkPOS leaves
the strong impression of a copycat attack after former POS malware
incidents," the report says. "Basic principles and ideas are identical,
as of creating a service, scanning chunks of memory, pushing data to a
local SMB server and hiding the data in a fake binary file in system

The establishment of the multi-step approach all-in-one package comes
from years of refinement of these malware packages in the underground.
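The chain the report describes for both targeted families (install a service for persistence, scrape memory, stage the haul on a local SMB share) is also what a defender can look for. The snippet below is an added example, not code from the report or from Cyphort, Nuix or Fortinet. It correlates two kinds of Windows Security/System events that commonly end up in a SIEM: Event ID 7045 (Service Control Manager, "a service was installed") and Event ID 5145 (detailed file-share access). A new service whose binary lives outside the directories a POS image normally loads services from, followed within a short window on the same host by a write to an administrative share, is raised as one alert. The event records, host names, paths and the trusted-directory list are constructed for the example; real deployments would map these from their own log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (simplified fields, not real telemetry).
# Two events on POS-LANE-07 model the chain the report describes; the
# other two are benign noise that the correlation must not flag.
SAMPLE_EVENTS = [
    {"ts": "2014-11-10T02:13:05", "host": "POS-LANE-07", "event_id": 7045,
     "service_name": "WinUpdateSvc", "image_path": "C:\\Windows\\Temp\\winsvc.exe"},
    {"ts": "2014-11-10T02:14:40", "host": "POS-LANE-07", "event_id": 5145,
     "share": "\\\\*\\ADMIN$", "relative_target": "svc_cache.dat", "access": "WriteData"},
    {"ts": "2014-11-10T03:00:00", "host": "BACKOFFICE-01", "event_id": 7045,
     "service_name": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"ts": "2014-11-10T09:15:12", "host": "POS-LANE-03", "event_id": 5145,
     "share": "\\\\*\\C$", "relative_target": "Users\\cashier\\report.xlsx", "access": "ReadData"},
]

# Assumed allow-list: directories from which a hardened POS image is
# expected to load service binaries. Tune per environment.
TRUSTED_SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
ADMIN_SHARES = ("admin$", "c$", "d$")
WINDOW = timedelta(minutes=30)


def suspicious_service(ev):
    """Event ID 7045: a service was installed. Flag it when the image path
    is outside the trusted directories (e.g. a Temp folder)."""
    if ev["event_id"] != 7045:
        return False
    return not ev["image_path"].lower().startswith(TRUSTED_SERVICE_DIRS)


def admin_share_write(ev):
    """Event ID 5145: network share object accessed. Flag writes to an
    administrative share, which is how staged card data gets pushed to a
    local collection point in the described attacks."""
    if ev["event_id"] != 5145:
        return False
    share = ev["share"].lower().rsplit("\\", 1)[-1]
    return share in ADMIN_SHARES and "writedata" in ev["access"].lower()


def correlate(events, window=WINDOW):
    """Return one alert per suspicious service install that is followed,
    on the same host and within `window`, by a write to an admin share."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if not suspicious_service(ev):
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        for later in events[i + 1:]:
            if later["host"] != ev["host"]:
                continue
            t1 = datetime.fromisoformat(later["ts"])
            if t1 - t0 > window:
                break  # events are sorted, so nothing later can qualify
            if admin_share_write(later):
                alerts.append({
                    "host": ev["host"],
                    "service": ev["service_name"],
                    "image_path": ev["image_path"],
                    "share": later["share"],
                    "target": later["relative_target"],
                    "seconds_apart": int((t1 - t0).total_seconds()),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Either event alone is noisy (legitimate installers register services; administrators write to ADMIN$), which is why the example alerts on the sequence rather than on either signal by itself. Event 5145 is only present when object-access auditing for detailed file shares is enabled, so the correlation needs that audit policy in place to fire.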
As Josh Grunzweig of Nuix explained in a recent talk at SecTor on POS
malware, malicious software targeting payment systems is hardly a new


"This past year alone you can't go more than a week without hearing some
story in the news of some company with tens of millions of cards stolen.
And it's this chaotic vibe," Grunzweig says. "In truth this stuff has
been around for a long time."

For example, first found in the wild last year, BlackPOS is "actually
not that sophisticated" and depends on code from mmon, a memory scraping
piece of malware first discovered in 2010, he says. In truth, he'd say
the first real advancement in POS malware came with the introduction of
the Dexter family of malware in late 2012.

"Dexter was kind of a game changer," he said. "All of a sudden it's
pulling in a lot of interesting stuff, it's memory scraping, it's key
logging, it's doing this cool thing where it injects into Internet
Explorer so you can't kill it. It's exfiltrating data and one of the real
standouts was the fact that it had a command-and-control server."

This approach paved the way for something like Backoff, first found
and named by Grunzweig himself last year. According to an advisory from
the Department of Homeland Security, Backoff had already infected more
than 1,000 U.S. businesses at that point.

"Maybe the biggest takeaway from Backoff is that it is super, super
prevalent," Grunzweig says.

And, according to new research from Fortinet, it's still evolving. Last
week, Fortinet's researchers showed that several new versions of Backoff
have surfaced with new tweaks, notably around obfuscation. Instead of
disguising itself as a Java component, it now appears as a media player,
and it uses hash functions both for the API names it resolves and for the
names of the processes on its blacklist. Its C&C communication component
has been modified to evade detection. Additionally, the latest version of
the malware is packed with a custom packer.


"Like the API hashing function and the blacklist process name hashing
function, using a custom packer is yet another attempt to hinder the
analysis process," explains Hong Kei Chan.
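Hashing API and process names hinders analysis because the strings an analyst would normally search for ("CreateServiceA", "lsass.exe") are no longer in the binary; only 32-bit constants are. The standard counter is to recover the hash routine from the sample and then hash a candidate word list until the constants resolve. The code below is an added example of that analyst-side lookup and is not code from the article, from Fortinet or from any of the malware described. The hash function is a hypothetical stand-in (the classic ROR-13 additive hash often seen in shellcode), since the article does not give Backoff's actual algorithm; the candidate list and the "observed" constants are constructed for the example.

```python
# Analyst-side resolution of hashed process/API names (added example).
# Assumption: the hash routine has been recovered from the sample and
# re-implemented here. ROR-13 is a hypothetical stand-in, not Backoff's.

# Constructed candidate list: names an analyst would expect a POS memory
# scraper to reference, either to skip or to target.
CANDIDATE_NAMES = [
    "explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "wininit.exe",
    "services.exe", "smss.exe", "winlogon.exe", "spoolsv.exe", "iexplore.exe",
]

MASK32 = 0xFFFFFFFF


def ror32(value, bits):
    """Rotate a 32-bit value right by `bits`."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(name):
    """Hypothetical hash: rotate the running value right by 13, add each
    byte. Case-sensitive, so variants must be enumerated by the caller."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


def build_lookup(names, hash_fn=ror13_hash, case_variants=True):
    """Map hash -> set of candidate strings. Case variants are included
    because samples often hash the lower- or upper-cased name; a set is
    kept per hash so accidental collisions stay visible."""
    table = {}
    for name in names:
        variants = {name}
        if case_variants:
            variants |= {name.lower(), name.upper()}
        for variant in variants:
            table.setdefault(hash_fn(variant), set()).add(variant)
    return table


def resolve(constants, table):
    """For each constant pulled from the sample, return the candidate
    strings that hash to it (empty list = not in the word list yet)."""
    return {c: sorted(table.get(c, ())) for c in constants}


# Constructed "constants recovered from a sample": two resolvable under
# the hypothetical hash and one deliberately unknown.
OBSERVED_CONSTANTS = [ror13_hash("lsass.exe"), ror13_hash("EXPLORER.EXE"), 0x12345678]


def resolve_observed():
    return resolve(OBSERVED_CONSTANTS, build_lookup(CANDIDATE_NAMES))


if __name__ == "__main__":
    for constant, names in resolve_observed().items():
        print(f"0x{constant:08x} -> {names or 'unresolved'}")
```

Unresolved constants are the useful output: they tell the analyst which names are missing from the word list (a tool name, a vendor's POS process) and are worth adding. Resolved blacklist entries, in turn, feed directly into a host-based detection rule, since they reveal which process names the sample singles out.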

