Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Cybercriminals Use Angler Exploit Kit to Target PoS Systems

Cybercriminals have been using the Angler exploit kit to identify and infect point-of-sale (PoS) systems.

Cybercriminals have been using the Angler exploit kit to identify and infect point-of-sale (PoS) systems.

According to Trend Micro, the attackers are using Angler to deliver a reconnaissance Trojan detected by the security firm as TROJ_RECOLOAD.A. Once it infects a device, this piece of malware downloads additional threats depending on what type of payment systems it finds.

In the attacks observed by researchers, the Angler campaign involves malvertising and exploits for two recently patched Adobe Flash Player vulnerabilities. The exploit kit uses its fileless installation feature to write TROJ_RECOLOAD.A into the device’s memory instead of its hard drive where it can be detected more easily.

After it’s deployed on a computer, TROJ_RECOLOAD.A checks for the presence of virtualization, sandbox and analysis tool modules, it checks the name of the current user to see if it’s related to malware analysis, and scans running processes in search of applications such as Wireshark, Dumpcap, TCPView, and OllyDbg. If there is any indication that it’s being analyzed, the malware doesn’t execute its main routine.

If the presence of malware analysis tools is not detected, the Trojan checks the infected system to determine which of three payloads to drop.

In the first case, the threat checks the system’s URL cache for PoS-related URLs. In the second case, it uses the “net view” command to determine if the computers on the infected network have names like “POS,” “STORE,” “SHOP” or “SALE.” If none of these conditions are met, the malware drops its default payload.

Trend Micro has not been able to determine which payload is dropped in each of these cases because the command and control (C&C) servers used by the malware have been inaccessible.

Researchers only managed to obtain the payload for the scenario where the malware finds PoS-related URLs in the URL cache. In this case, the Trojan drops TROJ_RECOLOAD.B, a less stealthy version of the threat that injects itself into the explorer.exe process and checks for the presence of processes associated with Internet Explorer, Firefox and Chrome.

Experts believe the malware could be looking for the presence of web browsers because it’s targeting web-based terminals.

Trend Micro has noted that the malware is also downloaded if TROJ_RECOLOAD.A finds the string “Verifone” in a certain registry. Verifone is an electronic payment and PoS solutions provider.

“Using exploit kits can be seen as an ingenious way of distributing PoS malware. Like using a botnet, exploit kits widens the net cast by cybercriminals for potential victims. Of course, using a compromised site or malvertisements wouldn’t necessarily guarantee that a PoS system will be caught—which is where the filtering comes in,” Trend Micro threat response engineer Anthony Joe Melgarejo explained in a blog post.

Earlier this month, Trend Micro reported that cybercriminals had started using the Andromeda botnet to deliver a new PoS malware dubbed GamaPOS.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.