
New "LusyPOS" Malware Uses Tor For C&C Communications

A sample of a new piece of malware designed to target point-of-sale (PoS) systems was submitted to VirusTotal a few days ago, according to the researchers who analyzed it. They named the threat "LusyPOS" and determined that it leverages some techniques also seen in other PoS malware.

According to Nick Hoffman and Jeremy Humble, reverse engineers at IT solutions provider CBTS, LusyPOS uses the Tor anonymity network for command and control (C&C) communications, which makes it similar to ChewBacca, a piece of malware that was used earlier this year to steal personal and payment card data from several dozen retailers in the United States and elsewhere.

LusyPOS, which has been advertised on hacker forums since late November, also shares some characteristics with Dexter, a well-known piece of malware that has been used in numerous attacks against PoS systems over the past couple of years.

The malware uses a technique known as RAM scraping to collect credit and debit card information from infected systems. In order to validate the data, LusyPOS relies on an implementation of the Luhn algorithm. Researchers have pointed out that the same implementation can be found in other PoS malware, including Dexter, FrameworkPOS, and a threat recently discovered by Hoffman dubbed Getmypass.

Only 7 of the 54 antivirus engines on VirusTotal flagged the malware when it was discovered by Hoffman and Humble, some of them detecting it due to the Tor component.

SecurityWeek has found an ad for LusyPOS on a public hacker forum. The seller says he's also offering the malware on the anonymous black market bazaar Evolution.

The malware has been developed in the programming language C and it's designed to grab Track 1 and Track 2 data from infected machines. The administration panel, which is accessible only through Tor, can be used to manage stolen data, check statistics and send out commands, the seller said.
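The RAM-scraping and Luhn-validation behaviour described above, and the Track 1 / Track 2 formats the malware targets, are the same properties a defender can use to find exposed card data in a memory dump or a captured exfiltration buffer. The following is an added example (not code from the article or from the LusyPOS authors): it scans a byte buffer for ISO 7813 track records, keeps only those whose PAN passes the Luhn check, and reports the PAN in masked form. The sample buffer, the 4111111111111111 PAN (a widely published test number) and the cardholder name are constructed for the example.

```python
import re

# Constructed sample buffer (not from the article): Track 1 and Track 2 records for a
# published test PAN, plus a Track 2 record whose PAN fails the Luhn check, surrounded by noise.
SAMPLE = (
    b"\x00\x00junk%B4111111111111111^DOE/JOHN^25121011234567890?junk"
    b";4111111111111111=25121011234567890?"
    b"more junk;1234567890123456=2512101?\xff\xff"
)

# Track 1: %B<PAN>^<name>^<YYMM><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: the same filter PoS malware applies to scraped memory."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four digits only, so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_records(data: bytes) -> list[dict]:
    """Return Luhn-valid track records found in a buffer, with PANs masked."""
    hits = []
    for track, regex in (("1", TRACK1_RE), ("2", TRACK2_RE)):
        for m in regex.finditer(data):
            pan = m.group(1).decode()
            if not luhn_valid(pan):
                continue              # noise that merely looks like a track
            yymm = m.group(3 if track == "1" else 2).decode()
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan_masked": mask_pan(pan),
                "expiry": yymm[2:] + "/" + yymm[:2],   # stored as YYMM on the card
            })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in find_track_records(SAMPLE):
        print(hit)
```

Running the block on the constructed buffer reports one Track 1 and one Track 2 record for the test PAN and drops the record whose PAN fails the Luhn check, which is the same filtering the malware performs, here turned into a detection aid for memory forensics or DLP. The PAN is masked before it is emitted so that the scanner itself does not create a new copy of cleartext card data.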

The developer says LusyPOS can be used both by beginners and professionals. The "Pro" package is currently being sold for $2,000 if the customer has his own hosting servers, or $2,200 if he wants to use the author's hosting services. The price includes unlimited support and rebuilds.

The price for the "Newbie" package depends on how much the customer already knows about using PoS malware and how much time the developers waste on teaching him the ropes. Beginners are provided with tutorials, tools and anything else they need to get started, the seller noted.

"The new POS malware variant named 'LusyPOS', like 'Chewbacca' before it, uses the Tor network for its command and control (C2) communication. When it comes to PCI compliance, this type of network communication should never be allowed. Organizations should be on the lookout for attempts to contact suspicious domain names with a .onion TLD and block them immediately," Jeremy Scott, Senior Research Analyst with Solutionary, told SecurityWeek.

Many malware developers appear to be focusing their efforts on PoS threats. Last week, researchers reported uncovering a piece of malware dubbed "d4re|dev1|" that has been used to target electronic kiosks. Experts have also spotted Poslogr, a PoS malware that's still under development.

A threat report for the third quarter of 2014 released by Trend Micro this week shows that the United States accounts for the largest number of PoS malware infections (30%).

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.