Cybercriminals have been using the Angler exploit kit to identify and infect point-of-sale (PoS) systems.
According to Trend Micro, the attackers are using Angler to deliver a reconnaissance Trojan detected by the security firm as TROJ_RECOLOAD.A. Once it infects a device, this piece of malware downloads additional threats depending on what type of payment systems it finds.
In the attacks observed by researchers, the Angler campaign involves malvertising and exploits for two recently patched Adobe Flash Player vulnerabilities. The exploit kit uses its fileless installation feature to write TROJ_RECOLOAD.A into the device’s memory instead of its hard drive, where it can be detected more easily.
After it’s deployed on a computer, TROJ_RECOLOAD.A checks for the presence of virtualization, sandbox and analysis tool modules, checks the name of the current user to see if it’s related to malware analysis, and scans running processes in search of applications such as Wireshark, Dumpcap, TCPView, and OllyDbg. If there is any indication that it’s being analyzed, the malware doesn’t execute its main routine.
If the presence of malware analysis tools is not detected, the Trojan checks the infected system to determine which of three payloads to drop.
In the first case, the threat checks the system’s URL cache for PoS-related URLs. In the second case, it uses the “net view” command to determine if the computers on the infected network have names like “POS,” “STORE,” “SHOP” or “SALE.” If none of these conditions are met, the malware drops its default payload.
Trend Micro has not been able to determine which payload is dropped in each of these cases because the command and control (C&C) servers used by the malware have been inaccessible.
Researchers only managed to obtain the payload for the scenario where the malware finds PoS-related URLs in the URL cache. In this case, the Trojan drops TROJ_RECOLOAD.B, a less stealthy version of the threat that injects itself into the explorer.exe process and checks for the presence of processes associated with Internet Explorer, Firefox and Chrome.
Experts believe the malware could be looking for the presence of web browsers because it’s targeting web-based terminals.
Trend Micro has noted that the malware is also downloaded if TROJ_RECOLOAD.A finds the string “Verifone” in a certain registry. Verifone is an electronic payment and PoS solutions provider.
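The “net view” check described above leaves a process-creation trail that defenders can hunt for. The following is an added example, not code from Trend Micro or from the malware: it scans constructed process-creation events for `net view` launches and rates them by parent process. The key=value event format, the host names and the list of browser parent processes are assumptions, as is the premise that a Trojan loaded through a browser exploit would launch the command from a browser-related process.

```python
import re

# Constructed process-creation events (flattened key=value, in the style of
# Sysmon Event ID 1). Hosts, paths and parents are sample data.
SAMPLE_EVENTS = r'''
host=WS-114 parent="C:\Program Files\Internet Explorer\iexplore.exe" image=C:\Windows\System32\net.exe cmd="net view"
host=WS-114 parent=C:\Windows\System32\net.exe image=C:\Windows\System32\net1.exe cmd="C:\Windows\system32\net1 view"
host=ADM-02 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\net.exe cmd="net view /domain"
host=WS-207 parent="C:\Program Files\Mozilla Firefox\plugin-container.exe" image=C:\Windows\System32\cmd.exe cmd="cmd /c NET.EXE  VIEW"
host=WS-300 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\net.exe cmd="net use Z: \\fs01\share"
host=WS-301 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\findstr.exe cmd="findstr view net.log"
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# "net view" as a command: net/net1, optional .exe, then the "view" verb.
NET_VIEW = re.compile(r'(?:^|[\\/\s"])net1?(?:\.exe)?"?\s+view\b', re.I)
# Assumption: browser and plugin-host process names chosen for illustration.
BROWSER_PARENTS = {"iexplore.exe", "firefox.exe", "chrome.exe", "plugin-container.exe"}

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def parse(line):
    return {k: q or b for k, q, b in FIELD.findall(line)}

def find_net_view(log_text):
    """Return (host, parent, severity) for each distinct 'net view' launch."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse(line)
        if not NET_VIEW.search(ev.get("cmd", "")):
            continue
        parent = basename(ev.get("parent", ""))
        if parent == "net.exe":  # net.exe re-launches net1.exe: same action
            continue
        severity = "high" if parent in BROWSER_PARENTS else "review"
        hits.append((ev["host"], parent, severity))
    return hits

if __name__ == "__main__":
    for hit in find_net_view(SAMPLE_EVENTS):
        print(*hit)
```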
“Using exploit kits can be seen as an ingenious way of distributing PoS malware. Like using a botnet, exploit kits widen the net cast by cybercriminals for potential victims. Of course, using a compromised site or malvertisements wouldn’t necessarily guarantee that a PoS system will be caught—which is where the filtering comes in,” Trend Micro threat response engineer Anthony Joe Melgarejo explained in a blog post.
Earlier this month, Trend Micro reported that cybercriminals had started using the Andromeda botnet to deliver a new PoS malware dubbed GamaPOS.