Researchers at IntelCrawler have identified a new strain of point-of-sale (PoS) malware targeting e-kiosks and ticket vending machines.
The firm has dubbed the malware ‘d4re|dev1|’. The malware is hitting mass transit systems, and acts a backdoor that gives attackers remote administration capabilities. It also has RAM scrapping and keylogging features.
“For today, we have identified close to 80 compromised merchants in EU/US/AUS,” IntelCrawler CEO Andrew Komarov said in an email to SecurityWeek. “We see active growth of this malware, having pretty similar functions of famous RAM scrapping trojans, but with some advanced features…for password interception within the sessions of specific retail management systems.”
The malware has a “File Upload” option that can be used for updating the payload remotely, according to the firm.
“The process of malware was masked under “PGTerm.exe” or “hkcmd.exe”, as well as legitimate names of software such as Google Chrome,” IntelCrawler explained in a blog post. “Adversaries use this option for the installation of additional backdoors and tools, which allows them to avoid infrastructure limitations and security policies designed for detection. This broad lateral approach shows that serious cybercriminals are not interested in just one particular Point-of-Sale terminal – they are looking for enterprise wide network environments, having tens of connected devices accepting payments and returning larger sets of spoils to their C2 [command-and-control] servers.”
Ongoing investigations have revealed that some operators of point-of-sale terminals have used their terminal for gaming and other web surfing, such as email and visiting social networks. These cases have a common denominator of weak passwords and logins, many of which were found in large third-party breaches, according to the firm.
“Some recent POS investigations have revealed organized crime groups distributing malicious code and compromising networking environments of merchants and credit card devices, including ticket vending machines and electronic kiosks installed in public places and mass transport systems,” according to the company. “One of the compromised devices was found in Sardinia in August 2014, giving the bad actors unauthorized access to it through VNC.”
Komarov said that the attackers are installing the malware using unsecure remote administration channels, including tools like TeamViewer and pcAnywhere. In some cases, the attackers are looking for specific retail management systems in order to compromise them using application vulnerabilities as well.
“We advise to secure [these] devices properly, and not to connect them to public static IPs or to organize insecure remote administration channel to them,” he said. “All the traffic should be [encapsulated] into VPN, as well as ACL list should be created to define trusted hosts for connections.”
Earlier this year, IntelCrawler discovered Nemanja, a botnet comprised of roughly 1,500 terminals and other systems, and POSCLOUD, which targets cloud-based PoS software used by many grocery stores, retailers, and other small businesses.