Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New PoS Malware Delivered via Malicious Docs, Exploit Kit

A new point-of-sale (PoS) malware has been widely distributed by cybercriminals alongside ad fraud and information-stealing threats.

A new point-of-sale (PoS) malware has been widely distributed by cybercriminals alongside ad fraud and information-stealing threats.

The malware, dubbed by Proofpoint “AbaddonPOS,” has been spotted on systems infected with the banking Trojan Vawtrak, also known as Neverquest and Snifula.

PoS malware can help cybercriminals earn a lot of money, but such threats are often used in more targeted attacks. However, researchers have spotted AbaddonPOS in campaigns that appear to be mainly aimed at consumers.

Anti-malware company Cyphort reported in early November that the psychcentral.com website had been directing users to the Angler exploit kit. Angler had been set up to serve the ad fraud malware Bedep, the Vawtrak banking Trojan, and a new RAM scraping malware designed to scan running processes for payment card information.

Proofpoint observed the same PoS malware, namely AbaddonPOS, being distributed with the aid of weaponized Microsoft Word documents designed to download the information-stealing Trojan Pony (Fareit) and Vawtrak.

According to researchers, in both the exploit kit and weaponized document attacks, Vawtrak and Bedep download TinyLoader, a downloader designed to fetch executable payloads from a command and control (C&C) server using a custom protocol. In the attacks observed by Proofpoint, TinyLoader transfers a second downloader, TinyDownloader, in the form of a shellcode, which in turn downloads AbaddonPOS.

The threat is small in size (5Kb) and its core functionality is simple, but it includes some noteworthy features. Experts say AbaddonPOS relies on several basic anti-analysis and obfuscation techniques that make it more difficult to investigate via both manual and automated methods.

Once it infects a system, the malware reads the memory of all processes in search of track 1 and track 2 data associated with payment cards. After it finds the targeted financial information, AbaddonPOS sends it back to its C&C server using a custom binary protocol, unlike other PoS malware families that use HTTP for this task. C&C communications and credit card data exfiltration is handled by the shellcode downloaded by TinyLoader.

TinyLoader was first spotted in January 2015 and it underwent several modifications since, including the addition of anti-analysis and obfuscation/encoding features. Since the code used for anti-analysis and obfuscation is similar in AbaddonPOS and TinyLoader, Proofpoint believes the threats are connected and possibly even developed by the same authors.

“The practice of threat actors to increase their target surfaces by leveraging a single campaign to deliver multiple payloads is by now a well-established practice,” Proofpoint researchers said. “While using this technique to deliver point of sale malware is less common, the approach of the US holiday shopping season gives cybercriminals ample reason to maximize the return on their campaigns by distributing a new, powerful PoS malware that can capture the credit and debit card transactions of holiday shoppers.”

AbaddonPOS is not the only PoS malware analyzed recently by researchers. Trustwave has been monitoring a threat, dubbed “Cherry Picker,” that has managed to stay under the radar since 2011 thanks to its sophisticated functionality and the use of a cleaner that restores the system to a clean state after data is stolen. Unlike AbaddonPOS, Cherry Picker has only been used in highly targeted attacks.

Related Reading: Andromeda Botnet Used to Deliver New GamaPoS Malware

Related Reading: MalumPOS Malware Targets Oracle Micros PoS Systems

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Cybercrime

Security researchers with Juniper Networks’ Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers.