FastPOS, a piece of point-of-sale (PoS) malware that emerged in early summer, has recently received a series of updates designed to make it more efficient just in time for the holiday season.
When first detailed in June, the malware stood out because of its ability to quickly exfiltrate all of the stolen credit card data. The threat was found to include a custom RAM scraping algorithm for data collection and a keylogger, to send data via HTTP GET requests, and to target only cards that could be used internationally and which don’t require a PIN.
New samples observed last month revealed that the malware has been used against small-medium businesses, only one month after the command and control (C&C) domain was registered. The malware now uses a modular design with separate components for 32-bit and 64-bit systems, which makes it more difficult to detect, Trend Micro researchers say.
The threat, however, continues to use previously observed format and keywords, ‘cdosys’ and ‘comdlg64,’ and HTTP GET and a simple HTTP User Agent string (Firefox) for data exfiltration. While the initial FastPOS variant had one file but spawned a different process for each functionality, the new version uses different components that are hidden within its resources.
These components include Serv32.exe (which creates and monitors a mailslot and sends its contents to the C&C server), Kl32.exe and Kl64.exe (the 32-bit and 64-bit keylogger components), and Proc32.exe and Proc64.exe (the 32-bit and 64-bit RAM scrapers). The malware would copy only the appropriate component, depending on the targeted system’s architecture, researchers say.
The FastPOS main file extracts all components and passes control to the main service, which creates and monitors a central communication medium and also sends all information to the C&C server. Both the keylogger components and the RAM scrapper modules send the gathered information to the main service.
The malware stores gathered information in mailslots, a mechanism that allows applications to store and retrieve messages. By using this method, FastPOS can evade malware detection, but it isn’t the first to employ the technique: LogPOS, which emerged last year, used it as well. Mailslots are memory-residing temporary files and attackers can save information about the system without leaving traces of a physical file.
Trend Micro researchers explain that the modular design could hinder detection because one component can be set to not work without another. In the case of FastPOS, however, components aren’t dependent on other components and can be self-executed, provided that the arguments for them are known. However, discovering one component doesn’t guarantee that others are also found, researchers say.
“For instance, FastPOS’s main service and RAM scraper can be seen running as a service, making them easier to remove. However, the keylogger component can be harder to notice as its code is injected into explorer.exe’s process memory,” Trend Micro explains.
The use of mailslots is yet another necessary improvement, because the malware can no longer simply keep the data logs in memory, because there isn’t a single process running. The newly adopted modular designed requires a central repository to store all logged data from each component and the use of mailslots allows the malware to do so while avoiding the use of a physical file.
“FastPOS’s update shows that its developer is active and isn’t shying away from trying new tactics—from switching memory to mailslots for data storage to using different versions of the same platform to create the malware. The deployment is also quite suspect, as the malware’s development cycle seems to keep pace with the retail sale season,” the Trend Micro researchers say.