The PoSeidon malware may not be the god of the ocean of cyber-threats in the wild, but researchers have linked it to a recent attack against a popular point-of-sale (PoS) vendor in Europe.
According to EMC’s RSA security division, a malicious email sent to infect the PoS vendor has a number of technical ties to the PoSeidon operation. PoSeidon was publicly identified by Cisco Systems back in March. According to Cisco, the malware scrapes memory for number sequences that match the formats used by Visa, MasterCard, AMEX and Discover, and applies the Luhn algorithm to check whether a candidate credit or debit card number is valid.
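The Luhn check and brand-format matching that Cisco describes are the same tests a defender's DLP scan uses to find card numbers (PANs) sitting in logs, dumps or exports where they should not be. The following Python is an added example written for this page, not code from the article, Cisco or RSA: it scans a text buffer for 13-19 digit runs, keeps only those that pass Luhn, and classifies them by the public issuer-prefix and length rules for the four brands named above. The sample buffer is constructed, and the card numbers in it are the widely published test numbers for each brand, not real accounts.

```python
"""DLP-style scan for payment card numbers (PANs) in a text buffer.

Finds digit runs of 13-19 digits (optionally separated by spaces or dashes),
applies the Luhn checksum, and classifies survivors by brand using the public
issuer-prefix / length rules for Visa, MasterCard, AMEX and Discover.
"""
import re
from typing import List, Optional, Tuple

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# that is not embedded inside a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812-1)."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 when the doubled value has two digits.
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(number: str) -> Optional[str]:
    """Classify a digit string by public issuer-prefix and length rules."""
    n = len(number)
    two, three, four = int(number[:2]), int(number[:3]), int(number[:4])
    if number[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "MasterCard"
    if n == 15 and two in (34, 37):
        return "AMEX"
    if 16 <= n <= 19 and (four == 6011 or two == 65 or 644 <= three <= 649):
        return "Discover"
    return None


def find_pans(text: str) -> List[Tuple[str, str]]:
    """Return (brand, pan) for every Luhn-valid, brand-matching run in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            continue  # random digit runs (order ids, phone numbers) drop out here
        brand = card_brand(digits)
        if brand is None:
            continue  # Luhn-valid but not a known card format
        hits.append((brand, digits))
    return hits


def mask(pan: str) -> str:
    """PCI-style display form: first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample buffer. The card numbers are public test numbers.
SAMPLE = (
    "txn=4111 1111 1111 1111 amt=19.99\n"                 # Visa, with separators
    "member card 378282246310005\n"                       # AMEX
    "note: call +1 212-555-0100 ref 1234567890123456\n"   # 16 digits, fails Luhn
    "backup 5555-5555-5555-4444\n"                        # MasterCard
    "test 4111111111111112 (bad checksum)\n"              # Visa prefix, fails Luhn
    "disc 6011111111111117 order ORDER-2023041512345\n"   # Discover; order id fails Luhn
)

if __name__ == "__main__":
    for brand, pan in find_pans(SAMPLE):
        print(f"{brand:<10} {mask(pan)}")
```

The scan is deliberately noisy in the direction of false positives: a Luhn-valid 16-digit number starting with 4 is reported even if it is not a card, which is the correct bias for a DLP check that a human then reviews. Masking the output matters because the scan report itself would otherwise become a new place where PANs are stored.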
“PoSeidon was professionally written to be quick and evasive with new capabilities not seen in other PoS malware,” members of Cisco’s Security Solutions team blogged. “PoSeidon can communicate directly with C&C servers, self-update to execute new code and has self-protection mechanisms guarding against reverse engineering.”
In the attack reported by RSA, the email in question was sent using a domain resembling one legitimately registered by a restaurant in New York City. The email contained a Word document that dropped the Vawtrak banking Trojan.
“The recipient email address was associated with an Exchange distribution email list of a popular POS vendor in Europe,” blogged RSA’s Kent Backman. “The recipient email address could be found using an Internet search engine. We do not know if this exploitation campaign was successful.”
“The spoof domain was registered using the email address SILLITOEXPYA(at)RAMBLER.RU,” he continued, adding that the email address had been used to register 40 other domains, many of which link to multiple malware campaigns. Three of the domains were highlighted by Cisco’s Talos threat intelligence team in its investigation of PoSeidon.
Several malware samples called out to the same domains used by PoSeidon, he noted.
“It is possible that the merchant being spoofed could be a customer of the targeted POS vendor,” blogged Backman. “We do not know if the domain and crafted email were created as ‘one-off’ infrastructure specifically to target the European POS vendor, or multiple vendors. However, we do know that the mail exchange (MX) record for the restaurant spoof domain stopped resolving to the IP address 184.108.40.206 shortly after the malicious attachment was processed by VirusTotal, suggesting some attempt by the actors to cover their tracks after a possibly unsuccessful exploitation campaign. The MX record could have been in place to allow two-way email interaction with victims targeted with the malware attachment.”
The ultimate goal of the attackers may not have been to compromise the PoS vendor, he added. Instead, they may actually be trying to subvert the entire supply chain.
“The threat’s principal objective may be to establish lateral access to merchants and their point of sales systems: the source of payment card info,” he explained.
“It should be noted,” he blogged, “that the POS vendor targeted in this campaign posted on their website more than one hundred business logos representing 82 commercial partners, 35 technological partners and 18 solution integrators. Should the compromise spread laterally to one of these, the following might be gathered: partner knowledge-base, data for social engineering campaigns, email addresses, points of contact, detailed knowledge of hardware configuration and deployment [and] network topologies and infrastructure.”