SecurityWeek

Malware & Threats

New PoS Malware Hits Victims Via Spam Campaign: FireEye

Researchers at FireEye have identified a new strain of point-of-sale (POS) malware being used in a spam campaign.


The malware has been dubbed NitlovePoS and can capture and exfiltrate both track one and track two data from payment cards by scanning the running processes of the compromised machine. According to FireEye, cybercriminals have launched an attack campaign using emails with subject lines such as ‘My Resume’ and ‘Any Openings?’. The campaign is believed to have started May 20. Inside the emails is an attachment that is disguised as a resume but is actually a Word document with an embedded malicious macro.

“To trick the recipient into enabling the malicious macro, the document claims to be a ‘protected document’,” blogged FireEye researchers Nart Villeneuve and Daniel Regalado. “If enabled, the malicious macro will download and execute a malicious executable from 80.242.123.155/exe/dro.exe.”

The cybercriminals behind this operation have been updating the payload, the researchers explained. The two payloads FireEye has observed beacon to the same server from which they are downloaded. They then receive instructions to download additional malware hosted on the server.
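The delivery chain described above (a macro fetching an executable from a bare-IP URL, then the payload beaconing back to the same host) leaves a recognisable trace in web proxy logs. The following is an added example, not code from FireEye or from the article: it parses a small set of constructed proxy log lines (the `192.0.2.x` host and the `10.0.0.x` clients are documentation-range values, not indicators from the report) and flags two things a defender would want surfaced: an `.exe` downloaded from a host given as a raw IPv4 literal rather than a domain name, and repeated contact from one client to such a host, which is the beaconing pattern the researchers describe. The log format and the beaconing threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the FireEye report):
# "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOGS = [
    "2015-05-21T10:01:02 10.0.0.15 GET http://192.0.2.10/exe/dro.exe 200",
    "2015-05-21T10:01:09 10.0.0.15 POST http://192.0.2.10/gate.php 200",
    "2015-05-21T10:06:10 10.0.0.15 POST http://192.0.2.10/gate.php 200",
    "2015-05-21T10:11:11 10.0.0.15 GET http://192.0.2.10/exe/pos.exe 200",
    "2015-05-21T10:02:00 10.0.0.22 GET http://www.example.com/downloads/setup.exe 200",
    "2015-05-21T10:03:00 10.0.0.22 GET http://www.example.com/index.html 200",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
# Host and path of an http(s) URL; query string and fragment are ignored.
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?#]*)?", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_line(line):
    """Return a dict with client, method, url, host and path, or None if unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    u = URL_RE.match(rec["url"])
    if not u:
        return None
    rec["host"] = u.group("host").lower()
    rec["path"] = (u.group("path") or "/").lower()
    return rec


def analyze(lines, beacon_threshold=3):
    """Apply two heuristics and return a list of findings.

    1. direct_ip_exe_download: an executable fetched from a host that is a
       raw IPv4 literal (legitimate software is rarely distributed that way).
    2. repeated_contact_bare_ip: one client contacting the same bare-IP host
       at least `beacon_threshold` times, the beaconing pattern of the payload.
    """
    findings = []
    contacts = defaultdict(int)  # (client, host) -> request count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; skip rather than abort the whole run
        bare_ip = bool(IPV4_RE.match(rec["host"]))
        if bare_ip and rec["path"].endswith(".exe"):
            findings.append({"rule": "direct_ip_exe_download",
                             "client": rec["client"], "url": rec["url"]})
        if bare_ip:
            contacts[(rec["client"], rec["host"])] += 1
    for (client, host), count in contacts.items():
        if count >= beacon_threshold:
            findings.append({"rule": "repeated_contact_bare_ip",
                             "client": client, "host": host, "count": count})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```

Run against the sample, the two `.exe` fetches from `192.0.2.10` are reported individually and the four requests from `10.0.0.15` to that host are rolled up into one beaconing finding; the domain-hosted `setup.exe` is not flagged, which is deliberate, since the signal here is the bare-IP host rather than the file extension alone.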

“We focused on the ‘pos.exe’ malware and suspected that it may be targeted Point of Sale machines,” the researchers blogged. “We speculate that once the attackers have identified a potentially interesting host from among their victims, they can then instruct the victim to download the POS malware. While we have observed many downloads of the various EXE’s [hosted] on that server, we have only observed three downloads of ‘pos.exe’.”

The malware adds itself to the Run registry key to guarantee it will run after every reboot, they explained.

“NitlovePOS expects to be run with the ‘-’ sign as argument; otherwise it won’t perform any malicious actions,” the researchers blogged. “This technique can help bypass some methods of detection, particularly those that leverage automation.”

“If the right argument is provided, NitlovePOS will decode itself in memory and start searching for payment card data,” they continued. “If it is not successful, NitlovePOS will sleep for five minutes and restart the searching effort.”
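Two of the behaviours described in this section are visible without running the sample at all: the Run-key entry used for persistence and the bare ‘-’ argument the malware requires before it does anything. Both end up in the command string stored under the Run key, which means an autorun audit can look for them. The following is an added example, not FireEye’s code or anything from the article: it scores a constructed set of Run-key values (the kind of data a registry export of `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` would produce; these names, paths and commands are made up for the example) against three assumed heuristics: an executable in a temp or user-writable directory, an argument consisting only of a single punctuation switch such as ‘-’, and a system-binary filename living outside the Windows directory.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of Run-key values (value name -> command string), as a
# registry export would show them. Not data from the FireEye report.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "Updater":  'C:\\Users\\alice\\AppData\\Roaming\\svchost.exe -',
    "Sidebar":  '"C:\\Program Files\\Windows Sidebar\\sidebar.exe" /autoRun',
    "Backup":   'C:\\Users\\alice\\AppData\\Local\\Temp\\backup.exe',
}

# Either a quoted executable path or a bare one, followed by the arguments.
CMD_RE = re.compile(r'^\s*(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))\s*(?P<args>.*?)\s*$')

# Filenames that legitimately live only under the Windows directory.
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def split_command(command):
    """Split a Run-key command into (executable path, argument string)."""
    m = CMD_RE.match(command)
    if not m:
        return None, ""
    return (m.group("quoted") or m.group("bare")), m.group("args")


def classify_path(exe):
    """Coarse location class of an executable path: temp, user_writable, system or other."""
    parts = [p.lower() for p in PureWindowsPath(exe).parts]
    if "temp" in parts or "tmp" in parts:
        return "temp"
    if "users" in parts or "programdata" in parts:
        return "user_writable"
    if "windows" in parts:
        return "system"
    return "other"


def audit_entry(command):
    """Return (flags, score) for one Run-key command. Weights are assumptions."""
    exe, args = split_command(command)
    flags, score = [], 0
    if exe is None:
        return flags, score
    location = classify_path(exe)
    if location == "temp":
        flags.append("executable_in_temp")
        score += 2
    elif location == "user_writable":
        # Weak on its own: plenty of legitimate per-user software lives here.
        flags.append("executable_in_user_writable_path")
        score += 1
    # The article's gate: the binary only acts when given a lone "-" argument.
    if re.fullmatch(r"[-/]", args):
        flags.append("bare_switch_only_argument")
        score += 2
    if PureWindowsPath(exe).name.lower() in SYSTEM_BINARY_NAMES and location != "system":
        flags.append("system_binary_name_outside_windows_dir")
        score += 2
    return flags, score


def audit_run_entries(entries, threshold=2):
    """Return only the entries whose score reaches the threshold."""
    report = {}
    for name, command in entries.items():
        flags, score = audit_entry(command)
        if score >= threshold:
            report[name] = {"command": command, "flags": flags, "score": score}
    return report


if __name__ == "__main__":
    for name, result in audit_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(name, result["score"], result["flags"])
```

On the sample, the `Updater` entry scores highest because all three heuristics fire at once (user-writable path, lone ‘-’ argument, `svchost.exe` outside the Windows directory), `Backup` is reported for living in a Temp folder, and `OneDrive` is left alone even though it also runs from the user profile: the scoring exists precisely so that a user-writable path by itself does not drown the analyst in noise.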


NitlovePoS is just one of several pieces of POS malware that have appeared so far in 2015, which has seen the emergence of malware such as Punkey and FighterPOS. According to market research firm ABI Research, the growing focus on POS systems by attackers will boost the market for security solutions aimed at protecting the point-of-sale environment. In particular, the firm cited next-generation firewalls as a key technology for enforcing network segmentation.

“The key advantage that NGFW (next-generation firewalls) provides for network segmentation is application servers and data can be designated in different segments based on their risk factors and security classifications, with access to them tightly controlled,” said Monolina Sen, ABI Research’s senior analyst in digital security, in a statement. 

ABI Research predicts the number of POS-related security incidents with confirmed data exposure will increase by the end of 2015.

“Even cybercriminals engaged in indiscriminate spam operations have POS malware available and can deploy it to a subset of their victims,” the FireEye researchers noted. “Due to the widespread use of POS malware, they are eventually discovered and detection increases. However, this is followed by the development of new POS with very similar functionality. Despite the similarity, the detection levels for new variants are initially quite low. This gives the cybercriminals a window of opportunity to exploit the use of a new variant. We expect that new versions of functionally similar POS malware will continue to emerge to meet the demand of the cybercrime marketplace.”


Written By

Marketing professional with a background in journalism and a focus on IT security.
