Connect with us

Hi, what are you looking for?



Botnet Takes “Shotgun” Approach to Hack PoS Systems

A new malicious campaign aimed at infiltrating point-of-sale (PoS) systems around the world is currently underway, and taking advantage of powerful, highly adaptable tools, researchers at Trend Micro warn.

A new malicious campaign aimed at infiltrating point-of-sale (PoS) systems around the world is currently underway, and taking advantage of powerful, highly adaptable tools, researchers at Trend Micro warn.

According to the security company, the cybercriminals behind the campaign, which has been called operation Black Atlas, are using a “potentially powerful, adaptable, and invisible botnet” designed to find PoS systems within networks. The operation is targeting small and medium sized businesses worldwide, including a healthcare organization in the US, Trend Micro says.

Operation Black Atlas received its name from the BlackPOS malware that is primarily used to infect targeted systems, and is said to have active since September 2015, which gave it enough time to prepare for the holiday shopping season. It targets businesses that rely on card payment systems, including those in healthcare, retail, and more industries.

In a recent blog post, Trend Micro threat analyst Jay Yaneza explained that the masterminds behind the operation use a wide array of penetration testing tools to find vulnerable systems, including brute force or dictionary attack tools, SMTP (Simple Mail Transfer Protocol) scanners, and remote desktop viewers. Many of these tools can be easily downloaded from the Internet.

The Black Atlas operation works in stages, with the penetration testing being only the initial one, likely to compromise mainly networks with weak password practices. This first stage employs a “shotgun” approach to infiltrate networks, as the Black Atlas operators are not zeroing in on specific targets, but simply check available ports on the Internet and end up with multiple targets at once.

After the use of a “Swiss army knife” set of tools to check how they can best infiltrate systems during an intelligence gathering or reconnaissance period, the cybercriminals behind Black Atlas create a test plan and use a second set of tools to penetrate networks. After infiltration, they familiarize themselves with the environment and start seeding PoS threats.

Some of the malware used in this operation includes variants of malware such as Alina, NewPOSThings, a Kronos backdoor, and BlackPoS, also known as Kaptoxa. The attackers also introduced other tools and threats via a built-in command-line FTP, as the initial site revealed last September to be hosing Katrina and CenterPoS is blocked by anti-malware solutions.

Advertisement. Scroll to continue reading.

According to Trend Micro, Black Atlas operators have already managed to steal user credentials to websites that contain sensitive information, email accounts, and Facebook. In the case of a healthcare organization in the US, remote access tools were used to steal more information and to move laterally within the network.

Trend Micro researchers also revealed that Black Atlas masterminds also used the Gorynych or Diamond Fox botnet in some installations. Apparently, cybercriminals also managed to retrofit the new Gorynych backdoor to use BlackPOS, while taking advantage of old PoS malware to gather financial information on their victims.

“Gorynich was used to download a repurposed BlackPOS malware with RAM scraping functionality and upload all the dumped credit card numbers in memory. As the original BlackPOS used a text file to store pilfered credit card data, Gorynych now grabs that text file and does an HTTP POST to complete the data exfiltration,” Jay Yaneza notes.

BlackPOS was used in the credit card data breaches at Target last year, when millions of credit and debit card account numbers of customers across the country were compromised. Attackers installed the RAM scraping malware on PoS systems at retail locations across the country, which allowed them to read the data stored on the credit or debit card’s magnetic stripe when the shoppers swiped their cards through the card reader.

Cybercriminals continue to release new PoS malware, with three different variants observed in the last month, including Cherry Picker, which appears to be four years old, but managed to stay under the radar since the first infection in 2011. A new malware called AbaddonPOS was found by Proofpoint in early November, while iSIGHT Partners detailed ModPoS, a modular malware that managed to avoid detection since 2013.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...