Security Experts:

New PoS Malware Delivered via Malicious Docs, Exploit Kit

A new point-of-sale (PoS) malware has been widely distributed by cybercriminals alongside ad fraud and information-stealing threats.

The malware, dubbed by Proofpoint “AbaddonPOS,” has been spotted on systems infected with the banking Trojan Vawtrak, also known as Neverquest and Snifula.

PoS malware can help cybercriminals earn a lot of money, but such threats are often used in more targeted attacks. However, researchers have spotted AbaddonPOS in campaigns that appear to be mainly aimed at consumers.

Anti-malware company Cyphort reported in early November that the website had been directing users to the Angler exploit kit. Angler had been set up to serve the ad fraud malware Bedep, the Vawtrak banking Trojan, and a new RAM scraping malware designed to scan running processes for payment card information.

Proofpoint observed the same PoS malware, namely AbaddonPOS, being distributed with the aid of weaponized Microsoft Word documents designed to download the information-stealing Trojan Pony (Fareit) and Vawtrak.

According to researchers, in both the exploit kit and weaponized document attacks, Vawtrak and Bedep download TinyLoader, a downloader designed to fetch executable payloads from a command and control (C&C) server using a custom protocol. In the attacks observed by Proofpoint, TinyLoader transfers a second downloader, TinyDownloader, in the form of a shellcode, which in turn downloads AbaddonPOS.

The threat is small in size (5Kb) and its core functionality is simple, but it includes some noteworthy features. Experts say AbaddonPOS relies on several basic anti-analysis and obfuscation techniques that make it more difficult to investigate via both manual and automated methods.

Once it infects a system, the malware reads the memory of all processes in search of track 1 and track 2 data associated with payment cards. After it finds the targeted financial information, AbaddonPOS sends it back to its C&C server using a custom binary protocol, unlike other PoS malware families that use HTTP for this task. C&C communications and credit card data exfiltration is handled by the shellcode downloaded by TinyLoader.

TinyLoader was first spotted in January 2015 and it underwent several modifications since, including the addition of anti-analysis and obfuscation/encoding features. Since the code used for anti-analysis and obfuscation is similar in AbaddonPOS and TinyLoader, Proofpoint believes the threats are connected and possibly even developed by the same authors.

“The practice of threat actors to increase their target surfaces by leveraging a single campaign to deliver multiple payloads is by now a well-established practice,” Proofpoint researchers said. “While using this technique to deliver point of sale malware is less common, the approach of the US holiday shopping season gives cybercriminals ample reason to maximize the return on their campaigns by distributing a new, powerful PoS malware that can capture the credit and debit card transactions of holiday shoppers.”

AbaddonPOS is not the only PoS malware analyzed recently by researchers. Trustwave has been monitoring a threat, dubbed “Cherry Picker,” that has managed to stay under the radar since 2011 thanks to its sophisticated functionality and the use of a cleaner that restores the system to a clean state after data is stolen. Unlike AbaddonPOS, Cherry Picker has only been used in highly targeted attacks.

Related Reading: Andromeda Botnet Used to Deliver New GamaPoS Malware

Related Reading: MalumPOS Malware Targets Oracle Micros PoS Systems

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.