Researchers at Trend Micro have come across a sample of a new point-of-sale (PoS) malware that appears to be under development.
Detected by the security firm as TSPY_POSLOGR.K, the threat relies on multiple components to carry out its mission, which makes it similar to a recently discovered variant of the notorious BlackPoS malware (TSPY_MEMLOG.A).
Poslogr is designed to read the memory associated with specific processes in an effort to obtain payment card information. The data is then saved to files named “rep.bin” and “rep.tmp.”
The list of targeted processes is specified in a .INI file that acts as a configuration file. However, researchers haven’t found the configuration file on the infected system so it’s uncertain which processes are scanned by the malware. The same configuration file also includes a variable that specifies the time interval for re-scanning the processes.
There are several other clues that have led experts to believe that Poslogr is either under development or still in the beta testing phase. For example, the malware’s code contains debugging information, it doesn’t connect to any command and control (C&C) server, and it doesn’t upload the harvested data.
Since Poslogr appears to be a multicomponent malware, researchers assume that the component responsible for transferring the dumped data is deployed as a package.
According to Trend Micro, the threat is distributed via drive-by downloads and with the aid of other malware.
Last week, researchers at threat intelligence company IntelCrawler reported uncovering a new PoS malware targeting electronic kiosks. Dubbed “d4re|dev1|,” the malware has been spotted on close to 80 machines in the European Union, the United States and Australia.
It’s not surprising that the number of threats designed to target PoS systems is increasing, considering that this type of malware has been successfully used in a large number of operations. In the attack against the U.S. retailer Target, cybercriminals managed to steal more than 40 million credit and debit card records with the aid of the BlackPOS malware.
The Backoff RAM scrapper has also been used in numerous attacks. In August, the U.S. Secret Service estimated that over 1,000 businesses had been hit.