Researchers at Trend Micro have come across a sample of a new point-of-sale (PoS) malware that appears to be under development.
Detected by the security firm as TSPY_POSLOGR.K, the threat relies on multiple components to carry out its mission, which makes it similar to a recently discovered variant of the notorious BlackPoS malware (TSPY_MEMLOG.A).
Poslogr is designed to read the memory associated with specific processes in an effort to obtain payment card information. The data is then saved to files named “rep.bin” and “rep.tmp.”
The list of targeted processes is specified in a .INI file that acts as a configuration file. However, researchers haven’t found the configuration file on the infected system so it’s uncertain which processes are scanned by the malware. The same configuration file also includes a variable that specifies the time interval for re-scanning the processes.
There are several other clues that have led experts to believe that Poslogr is either under development or still in the beta testing phase. For example, the malware’s code contains debugging information, it doesn’t connect to any command and control (C&C) server, and it doesn’t upload the harvested data.
Since Poslogr appears to be a multicomponent malware, researchers assume that the component responsible for transferring the dumped data is deployed as a package.
According to Trend Micro, the threat is distributed via drive-by downloads and with the aid of other malware.
Last week, researchers at threat intelligence company IntelCrawler reported uncovering a new PoS malware targeting electronic kiosks. Dubbed “d4re|dev1|,” the malware has been spotted on close to 80 machines in the European Union, the United States and Australia.
It’s not surprising that the number of threats designed to target PoS systems is increasing, considering that this type of malware has been successfully used in a large number of operations. In the attack against the U.S. retailer Target, cybercriminals managed to steal more than 40 million credit and debit card records with the aid of the BlackPOS malware.
The Backoff RAM scrapper has also been used in numerous attacks. In August, the U.S. Secret Service estimated that over 1,000 businesses had been hit.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- GoAnywhere MFT Users Warned of Zero-Day Exploit
- UK Car Retailer Arnold Clark Hit by Ransomware
- EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
- Google Fi Data Breach Reportedly Led to SIM Swapping
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
Latest News
- Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process
- US Downs Chinese Balloon Off Carolina Coast
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
