A new breed of sophisticated POS malware steals credit card numbers from POS machines, according to Cisco researchers.
The malware family, dubbed “POSeidon,” infects machines to scrape memory for credit card information and exfiltrates the data for “harvesting and likely resale.”
RAM scraping is an old attack technique that has, in recent years, been repurposed to compromise payment systems. The malware behind it was initially simpler but has evolved into a complex and far-reaching malware family that now includes socially engineered filenames as well as bot and network functionality. It also boasts improved data exfiltration capabilities – it can search for specific strings of data that look like credit card numbers, save them to a text file and silently steal the information in a couple of seconds.
Interestingly, the malware can resist a system reboot and runs in the device’s memory even if the current user logs off.
Resistance to reboot is achieved through a Loader binary, used to load and execute modules in various binary formats from the file system. When it runs, it checks whether it is being executed as WinHost.exe or WinHost32.exe. If it is not, it stops any running Windows service named WinHost. Loader then copies itself to %SystemRoot%\System32\WinHost.exe, overwriting any file there with the same name. Finally, Loader starts a service named WinHost.
The Loader contacts the command-and-control center to retrieve a URL that points to another binary. That binary installs a keylogger that scans the memory of the POS device for strings of numbers that look like credit card numbers. After being verified using the Luhn algorithm, the credit card numbers are encrypted and sent to Russian (.ru) domains.
“Attackers will continue to target PoS systems and employ various obfuscation techniques in an attempt to avoid detection. As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families,” Cisco said. “Network administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats.”
To detect evidence of PoS intrusions promptly, retailers need to review their detection capabilities regularly and closely watch outbound traffic for anomalies, for instance traffic leaving a specific location at off hours.