A new malicious campaign aimed at infiltrating point-of-sale (PoS) systems around the world is currently underway, and taking advantage of powerful, highly adaptable tools, researchers at Trend Micro warn.
According to the security company, the cybercriminals behind the campaign, which has been called operation Black Atlas, are using a “potentially powerful, adaptable, and invisible botnet” designed to find PoS systems within networks. The operation is targeting small and medium sized businesses worldwide, including a healthcare organization in the US, Trend Micro says.
Operation Black Atlas received its name from the BlackPOS malware that is primarily used to infect targeted systems, and is said to have active since September 2015, which gave it enough time to prepare for the holiday shopping season. It targets businesses that rely on card payment systems, including those in healthcare, retail, and more industries.
In a recent blog post, Trend Micro threat analyst Jay Yaneza explained that the masterminds behind the operation use a wide array of penetration testing tools to find vulnerable systems, including brute force or dictionary attack tools, SMTP (Simple Mail Transfer Protocol) scanners, and remote desktop viewers. Many of these tools can be easily downloaded from the Internet.
The Black Atlas operation works in stages, with the penetration testing being only the initial one, likely to compromise mainly networks with weak password practices. This first stage employs a “shotgun” approach to infiltrate networks, as the Black Atlas operators are not zeroing in on specific targets, but simply check available ports on the Internet and end up with multiple targets at once.
After the use of a “Swiss army knife” set of tools to check how they can best infiltrate systems during an intelligence gathering or reconnaissance period, the cybercriminals behind Black Atlas create a test plan and use a second set of tools to penetrate networks. After infiltration, they familiarize themselves with the environment and start seeding PoS threats.
Some of the malware used in this operation includes variants of malware such as Alina, NewPOSThings, a Kronos backdoor, and BlackPoS, also known as Kaptoxa. The attackers also introduced other tools and threats via a built-in command-line FTP, as the initial site revealed last September to be hosing Katrina and CenterPoS is blocked by anti-malware solutions.
According to Trend Micro, Black Atlas operators have already managed to steal user credentials to websites that contain sensitive information, email accounts, and Facebook. In the case of a healthcare organization in the US, remote access tools were used to steal more information and to move laterally within the network.
Trend Micro researchers also revealed that Black Atlas masterminds also used the Gorynych or Diamond Fox botnet in some installations. Apparently, cybercriminals also managed to retrofit the new Gorynych backdoor to use BlackPOS, while taking advantage of old PoS malware to gather financial information on their victims.
“Gorynich was used to download a repurposed BlackPOS malware with RAM scraping functionality and upload all the dumped credit card numbers in memory. As the original BlackPOS used a text file to store pilfered credit card data, Gorynych now grabs that text file and does an HTTP POST to complete the data exfiltration,” Jay Yaneza notes.
BlackPOS was used in the credit card data breaches at Target last year, when millions of credit and debit card account numbers of customers across the country were compromised. Attackers installed the RAM scraping malware on PoS systems at retail locations across the country, which allowed them to read the data stored on the credit or debit card’s magnetic stripe when the shoppers swiped their cards through the card reader.
Cybercriminals continue to release new PoS malware, with three different variants observed in the last month, including Cherry Picker, which appears to be four years old, but managed to stay under the radar since the first infection in 2011. A new malware called AbaddonPOS was found by Proofpoint in early November, while iSIGHT Partners detailed ModPoS, a modular malware that managed to avoid detection since 2013.