Security Experts:

Connect with us

Hi, what are you looking for?



BrutPOS Botnet Targets POS Systems With Brute-Force Attacks

Cybercriminals are using thousands of compromised computers to target point-of-sale (PoS) systems from which they can steal payment card information, FireEye reported on Wednesday.

Cybercriminals are using thousands of compromised computers to target point-of-sale (PoS) systems from which they can steal payment card information, FireEye reported on Wednesday.

The malware used in these attacks, dubbed BrutPOS by FireEye, was first spotted in February and was later analyzed in March by AlienVault, but the full scope of the operation wasn’t known at the time. For the time being, researchers don’t know exactly how the malware is distributed, but they have found a website that serves the threat, and they believe the attackers might have used specialized distribution services provided by other cybercriminals.

According to FireEye, once the malware infects a computer, it connects to a command and control (C&C) server from which it receives a list of usernames, passwords and IP addresses. This information is used to access Remote Desktop Protocol (RDP) servers and compromise PoS systems.

The malware connects to port 3389, which is the default port for RDP servers, and if the port is open, it uses the credentials supplied by the C&C to carry out a brute-force attack. According to FireEye, if the RDP server is successfully breached, the credentials used to access it and its IP address are sent back to the attackers.

The list of usernames includes “backupexec,” “datacard,” “manager,” “pos,” “micros” and “microssvc,” which indicates that the cybercriminals are targeting specific systems, FireEye said.

So far, FireEye has identified five C&C servers in Russia, Germany and Iran, though three of them are currently inactive. By accessing the control panel from which the attackers control the BrutPOS botnet, security researchers determined that a total of over 5,600 devices have been compromised, but only some of them are active at any given time.

The infected devices are spread out across 119 countries, but most infections were spotted in Russia, India, Vietnam, Iran, Taiwan, Ukraine, Turkey, Serbia, Egypt and Mexico.

As far as the targeted RDP servers are concerned, most of them are located in the United States. In fact, of the total of 60 systems compromised by the attackers over a two-week period, 51 are in the United States, the security firm said.

Furthermore, a honeypot set up by FireEye has shown that the attackers connect to compromised servers from which they attempt to take credit card information. Once they’re done with a system, the cybercriminals format (wipe) its hard drive to cover their tracks. Researchers have also uncovered an executable that extracts payment card data from running processes.

Based on the Russian language interface of the BrutPOS administration panel and the IP addresses used to connect to it, FireEye believes that the individuals behind this operation are most likely located in Russia or Ukraine.

“POS systems remain a high priority target for cybercriminals,” FireEye researchers noted in a blog post. “While new malware and more advanced attacks are taking place, standard attacks against weak passwords for remote administration tools presents a significant threat.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.