Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

FastPOS Malware Adopts Modular Design

FastPOS, a piece of point-of-sale (PoS) malware that emerged in early summer, has recently received a series of updates designed to make it more efficient just in time for the holiday season.

FastPOS, a piece of point-of-sale (PoS) malware that emerged in early summer, has recently received a series of updates designed to make it more efficient just in time for the holiday season.

When first detailed in June, the malware stood out because of its ability to quickly exfiltrate all of the stolen credit card data. The threat was found to include a custom RAM scraping algorithm for data collection and a keylogger, to send data via HTTP GET requests, and to target only cards that could be used internationally and which don’t require a PIN.

New samples observed last month revealed that the malware has been used against small-medium businesses, only one month after the command and control (C&C) domain was registered. The malware now uses a modular design with separate components for 32-bit and 64-bit systems, which makes it more difficult to detect, Trend Micro researchers say.

The threat, however, continues to use previously observed format and keywords, ‘cdosys’ and ‘comdlg64,’ and HTTP GET and a simple HTTP User Agent string (Firefox) for data exfiltration. While the initial FastPOS variant had one file but spawned a different process for each functionality, the new version uses different components that are hidden within its resources.

These components include Serv32.exe (which creates and monitors a mailslot and sends its contents to the C&C server), Kl32.exe and Kl64.exe (the 32-bit and 64-bit keylogger components), and Proc32.exe and Proc64.exe (the 32-bit and 64-bit RAM scrapers). The malware would copy only the appropriate component, depending on the targeted system’s architecture, researchers say.

The FastPOS main file extracts all components and passes control to the main service, which creates and monitors a central communication medium and also sends all information to the C&C server. Both the keylogger components and the RAM scrapper modules send the gathered information to the main service.

The malware stores gathered information in mailslots, a mechanism that allows applications to store and retrieve messages. By using this method, FastPOS can evade malware detection, but it isn’t the first to employ the technique: LogPOS, which emerged last year, used it as well. Mailslots are memory-residing temporary files and attackers can save information about the system without leaving traces of a physical file.

Trend Micro researchers explain that the modular design could hinder detection because one component can be set to not work without another. In the case of FastPOS, however, components aren’t dependent on other components and can be self-executed, provided that the arguments for them are known. However, discovering one component doesn’t guarantee that others are also found, researchers say.

“For instance, FastPOS’s main service and RAM scraper can be seen running as a service, making them easier to remove. However, the keylogger component can be harder to notice as its code is injected into explorer.exe’s process memory,” Trend Micro explains.

The use of mailslots is yet another necessary improvement, because the malware can no longer simply keep the data logs in memory, because there isn’t a single process running. The newly adopted modular designed requires a central repository to store all logged data from each component and the use of mailslots allows the malware to do so while avoiding the use of a physical file.

“FastPOS’s update shows that its developer is active and isn’t shying away from trying new tactics—from switching memory to mailslots for data storage to using different versions of the same platform to create the malware. The deployment is also quite suspect, as the malware’s development cycle seems to keep pace with the retail sale season,” the Trend Micro researchers say.

Related: Card Data, Keystrokes Quickly Exfiltrated by FastPOS Malware

Related: PoS Trojan Bypasses Account Control Posing as Microsoft App

Related: “Multigrain” PoS Malware Exfiltrates Card Data Over DNS

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Cybercrime

Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack