Malware & Threats

Attack on European PoS Vendor Linked to PoSeidon Malware Operation: RSA

The PoSeidon malware may not be God of the ocean of cyber-threats in the wild, but it is linked to a recent attack detected against a popular point-of-sale (PoS) vendor in Europe, researchers said.

According to EMC’s RSA security division, a malicious email sent to infect the PoS vendor has a number of technical ties to the PoSeidon operation. PoSeidon was publicly identified by Cisco Systems back in March. According to Cisco, the malware scrapes memory in order to find number sequences that match up with formats used by Visa, MasterCard, AMEX and Discover, and uses the Luhn algorithm to verify whether credit or debit card numbers are valid.
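The card-format matching and Luhn check described above is the same logic a defender's DLP or memory-scan detection uses to find card data at rest. The following is an added example, not code from the article, Cisco or RSA; the brand prefix patterns are a simplified approximation, the helper names are hypothetical, and the buffer holds publicly known test card numbers constructed for the demo.

```python
import re

# Approximate issuer prefix/length patterns for the four brands the article names.
# (Assumption for the example: real issuer ranges are broader than this.)
BRAND_PATTERNS = {
    "Visa": re.compile(r"4\d{12}(?:\d{3})?"),
    "MasterCard": re.compile(r"5[1-5]\d{14}"),
    "AMEX": re.compile(r"3[47]\d{13}"),
    "Discover": re.compile(r"6(?:011|5\d{2})\d{12}"),
}


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_candidates(buf: bytes):
    """Scan a byte buffer for brand-formatted digit runs that also pass Luhn.

    Returns a list of (brand, masked_pan, offset); the PAN is masked so the
    finding can be logged without re-exposing card data."""
    text = buf.decode("latin-1")          # bytes -> str without decode errors
    hits = []
    for m in re.finditer(r"\d{13,19}", text):
        run = m.group()
        for brand, pat in BRAND_PATTERNS.items():
            if pat.fullmatch(run) and luhn_valid(run):
                masked = run[:6] + "*" * (len(run) - 10) + run[-4:]
                hits.append((brand, masked, m.start()))
    return hits


# Constructed sample buffer: public test PANs plus decoys (a 16-digit timestamp
# and a Visa-shaped number whose Luhn checksum fails).
SAMPLE_BUFFER = (
    b"name=ALICE;pan=4111111111111111;exp=2501\x00junk 5555555555554444 "
    b"x 378282246310005 ts=1678886400000000 bad=4111111111111112 "
    b"disc=6011111111111117"
)

if __name__ == "__main__":
    for brand, masked, off in find_pan_candidates(SAMPLE_BUFFER):
        print(f"{brand:<10} {masked} at offset {off}")
```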

“PoSeidon was professionally written to be quick and evasive with new capabilities not seen in other PoS malware,” members of Cisco’s Security Solutions team blogged. “PoSeidon can communicate directly with C&C servers, self-update to execute new code and has self-protection mechanisms guarding against reverse engineering.”

In the attack reported by RSA, the email in question was sent using a domain resembling one legitimately registered by a restaurant in New York City. The email contained a Word document that dropped the Vawtrak banking Trojan.

“The recipient email address was associated with an Exchange distribution email list of a popular POS vendor in Europe,” blogged RSA’s Kent Backman. “The recipient email address could be found using an Internet search engine. We do not know if this exploitation campaign was successful.”

“The spoof domain was registered using the email address SILLITOEXPYA(at)RAMBLER.RU,” he continued, adding that the email address had been used to register 40 other domains, many of which link to multiple malware campaigns. Three of the domains were highlighted by Cisco’s Talos threat intelligence team in its investigation of PoSeidon.

Several malware samples called out to the same domains used by PoSeidon, he noted.


“It is possible that the merchant being spoofed could be a customer of the targeted POS vendor,” blogged Backman. “We do not know if the domain and crafted email was created as ‘one-off’ infrastructure specifically to target the European POS vendor, or multiple vendors. However, we do know that the mail exchange (MX) record for the restaurant spoof domain stopped resolving to the IP address shortly after the malicious attachment was processed by VirusTotal, suggesting some attempt by the actors to cover their tracks after a possibly unsuccessful exploitation campaign. The MX record could have been in place to allow two-way email interaction with victims targeted with the malware attachment.”

The ultimate goal of the attackers may not have been to compromise the PoS vendor, he added. Instead, they may actually be trying to subvert the entire supply chain.

“The threat’s principal objective may be to establish lateral access to merchants and their point of sales systems: the source of payment card info,” he explained.

“It should be noted,” he blogged, “that the POS vendor targeted in this campaign posted on their website more than one hundred business logos representing 82 commercial partners, 35 technological partners and 18 solution integrators. Should the compromise spread laterally to one of these, the following might be gathered: partner knowledge-base, data for social engineering campaigns, email addresses, points of contact, detailed knowledge of hardware configuration and deployment [and] network topologies and infrastructure.”
