
New “LusyPOS” Malware Uses Tor For C&C Communications

A sample of a new piece of malware designed to target point-of-sale (PoS) systems was submitted to VirusTotal a few days ago, according to researchers who analyzed it. The researchers, who named the threat “LusyPOS,” determined that it leverages some techniques also seen in other PoS malware.

According to Nick Hoffman and Jeremy Humble, reverse engineers at IT solutions provider CBTS, LusyPOS uses the Tor anonymity network for command and control (C&C) communications, which makes it similar to ChewBacca, a piece of malware that was used earlier this year to steal personal and payment card data from several dozen retailers in the United States and elsewhere.

LusyPOS, which has been advertised on hacker forums since late November, also shares some characteristics with Dexter, a well-known piece of malware that has been used in numerous attacks against PoS systems over the past couple of years.

The malware uses a technique known as RAM scraping to collect credit and debit card information from infected systems. In order to validate the data, LusyPOS relies on an implementation of the Luhn algorithm. Researchers have pointed out that the same implementation can be found in other PoS malware, including Dexter, FrameworkPOS, and a threat recently discovered by Hoffman dubbed Getmypass.

Only 7 of the 54 antivirus engines on VirusTotal flagged the malware when it was discovered by Hoffman and Humble, some of them detecting it due to the Tor component.

SecurityWeek has found an ad for LusyPOS on a public hacker forum. The seller says he’s also offering the malware on the anonymous black market bazaar Evolution.

The malware has been developed in the programming language C and it’s designed to grab Track 1 and Track 2 data from infected machines. The administration panel, which is accessible only through Tor, can be used to manage stolen data, check statistics and send out commands, the seller said.

The developer says LusyPOS can be used both by beginners and professionals. The “Pro” package is currently being sold for $2,000 if the customer has his own hosting servers, or $2,200 if he wants to use the author’s hosting services. The price includes unlimited support and rebuilds.

The price for the “Newbie” package depends on how much the customer already knows about using PoS malware and how much time the developers waste on teaching him the ropes. Beginners are provided with tutorials, tools and anything else they need to get started, the seller noted.

“The new POS malware variant named ‘LusyPOS’, like ‘Chewbacca’ before it, uses the Tor network for its command and control (C2) communication. When it comes to PCI compliance, this type of network communication should never be allowed. Organizations should be on the lookout for attempts to contact suspicious domain names with a .onion TLD and block them immediately,” Jeremy Scott, Senior Research Analyst with Solutionary, told SecurityWeek.
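One way to act on that recommendation is to sweep DNS query logs from the cardholder environment for names under the .onion special-use TLD. The script below is an added example, not code from the article or from any vendor; the log format and the sample lines are constructed, and the .onion names in them are placeholders.

```python
"""Flag .onion lookups in DNS query logs (added example, constructed log format)."""
import re
from dataclasses import dataclass

# Constructed log format: "<timestamp> <client_ip> <qname> <qtype>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$"
)


@dataclass(frozen=True)
class OnionHit:
    ts: str
    client: str
    qname: str


def is_onion_name(qname: str) -> bool:
    """True when the rightmost DNS label is 'onion' (RFC 7686 special-use TLD).

    Tolerates a trailing dot and mixed case; a label that merely contains
    'onion' (e.g. 'onionrings.example') must not match.
    """
    labels = qname.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] == "onion"


def find_onion_lookups(lines):
    """Return an OnionHit for every parsable line whose qname is under .onion."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting the sweep
        if is_onion_name(m["qname"]):
            hits.append(OnionHit(m["ts"], m["client"], m["qname"]))
    return hits


# Constructed sample log; the .onion names are placeholders, not real services.
SAMPLE_LOG = """\
2014-12-03T10:01:02Z 10.20.30.41 www.example.com A
2014-12-03T10:01:05Z 10.20.30.41 abcdefghijklmnop.onion. A
2014-12-03T10:01:07Z 10.20.30.42 onionrings.example A
2014-12-03T10:01:09Z 10.20.30.43 QRSTUVWXYZ234567.ONION A
garbage line
"""

if __name__ == "__main__":
    for hit in find_onion_lookups(SAMPLE_LOG.splitlines()):
        print(f"{hit.ts} host {hit.client} attempted to resolve {hit.qname}")
```

A Tor client resolves .onion names inside the Tor circuit, so these only reach the enterprise resolver when the malware or its Tor component leaks them; the stronger PCI control is to allow-list outbound connections from PoS hosts so that Tor relays are unreachable in the first place.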

Many malware developers appear to be focusing their efforts on PoS threats. Last week, researchers reported uncovering a piece of malware dubbed “d4re|dev1|” that has been used to target electronic kiosks. Experts have also spotted Poslogr, a PoS malware that’s still under development.

A threat report for the third quarter of 2014 released by Trend Micro this week shows that the United States accounts for the largest number of PoS malware infections (30%).

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
