Researchers at Trend Micro have come across a sample of a new point-of-sale (PoS) malware that appears to be under development.
Detected by the security firm as TSPY_POSLOGR.K, the threat relies on multiple components to carry out its mission, which makes it similar to a recently discovered variant of the notorious BlackPoS malware (TSPY_MEMLOG.A).
Poslogr is designed to read the memory associated with specific processes in an effort to obtain payment card information. The data is then saved to files named “rep.bin” and “rep.tmp.”
The list of targeted processes is specified in a .INI file that acts as a configuration file. However, researchers haven’t found the configuration file on the infected system so it’s uncertain which processes are scanned by the malware. The same configuration file also includes a variable that specifies the time interval for re-scanning the processes.
There are several other clues that have led experts to believe that Poslogr is either under development or still in the beta testing phase. For example, the malware’s code contains debugging information, it doesn’t connect to any command and control (C&C) server, and it doesn’t upload the harvested data.
Since Poslogr appears to be a multicomponent malware, researchers assume that the component responsible for transferring the dumped data is deployed as a package.
According to Trend Micro, the threat is distributed via drive-by downloads and with the aid of other malware.
Last week, researchers at threat intelligence company IntelCrawler reported uncovering a new PoS malware targeting electronic kiosks. Dubbed “d4re|dev1|,” the malware has been spotted on close to 80 machines in the European Union, the United States and Australia.
It’s not surprising that the number of threats designed to target PoS systems is increasing, considering that this type of malware has been successfully used in a large number of operations. In the attack against the U.S. retailer Target, cybercriminals managed to steal more than 40 million credit and debit card records with the aid of the BlackPOS malware.
The Backoff RAM scrapper has also been used in numerous attacks. In August, the U.S. Secret Service estimated that over 1,000 businesses had been hit.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- GoAnywhere MFT Users Warned of Zero-Day Exploit
- UK Car Retailer Arnold Clark Hit by Ransomware
- EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
Latest News
- Comcast Wants a Slice of the Enterprise Cybersecurity Business
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- New York Attorney General Fines Vendor for Illegally Promoting Spyware
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
- Cyber Insights 2023 | Zero Trust and Identity and Access Management
- Cyber Insights 2023 | The Coming of Web3
- European Police Arrest 42 After Cracking Covert App
